View Investigation Map and Overview
The Investigation Map shows a graphical representation of the searched term. This topic describes the Map and the Overview panel.
The explanation that follows is based on the following example:
In addition to the searched indicator, other first-generation indicators are shown in the Map view. The Overview shows information related to the selected indicator. When you select a different indicator, the Overview information will change.
If an indicator is red, it is malicious, that is, a threat actor, malware, or campaign.
If an indicator is white, it is on a whitelist.
To hide the legend, click Show Legend.
You can toggle whether to show the legend and also the node titles.
You can use the Map view and the Overview to get the following investigation information:
|Panel|Key|Item|Appearance|Description|
|---|---|---|---|---|
|Map|A|Searched term|The largest circle|The searched term in our example is the domain nba.com.|
|Map|B|Related item|A linked, grey circle|A linked IP address, with an attachment (either a document or a note) and a tag. Some IOCs also show how they are related to others; the relationships include Downloaded from, Contains reference to, Resolved to, and others. Click the relationship text for more information.|
|Map|C|Related item|A linked, red circle|A malicious malware, testliav.|
|Map|D|Related item|A linked, grey circle|A grouped entity with over 20 file hashes, 1 of which is an IOC. For actions you can perform on grouped nodes, see Grouped nodes.|
|Overview|E|Menu bar| |Icons that display the text-only Overview (described below); display attached tags; display the Timeline, which lists all events related to the indicator; and display the Attachments & Notes section, where you add or view attachments and notes for the indicator.|
|Overview|F|Overview|Text-only top section|Data from the Threat Intelligence feed and Threat Command enrichment data (if available): the identification of the searched item, its Threat Command severity, and whether it has been whitelisted (you can change its whitelist status and hover over the "?" to see why it was whitelisted); the first and last dates the item was reported; its state (active or retired); geolocation (IP addresses only); the reporting feeds where the item was found; the policy (if applicable) that reported the item; and related items, such as malware, threat actors, or campaigns, as well as Threat Command alerts, if any. Click any related item to see more information or to view it in the Threat Command Threat Library.|
|Overview|G|IntelliFind|Graph|IntelliFind mentions over time. Click the number of mentions to go to IntelliFind.|
Change an IOC severity
IOC default severity is determined by its source. You can manually change the severity.
To manually change the severity of an IOC:
- From the Overview section of the Investigation page, select the IOC Severity.
- From the drop-down arrow, select a new severity.
- The severity is updated.
You can further enhance the Map view with the following actions:
|To perform this action|Do this|
|---|---|
|Rearrange indicators for easier viewing|Drag the indicators to another area in the Map. See an example in the screenshot in Grouped nodes.|
|Filter the graphic display by specific threat types|Click an indicator icon to hide all indicators of that type in the display. In a busy graph, you can use this feature to focus on one type at a time.|
|Change an indicator's whitelist status|Click an indicator, then click the whitelist icon. This toggles whether the indicator is on or off the whitelist. The new status is displayed in the Overview.|
|Add an IOC to the Remediation Blocklist|Click an IOC, then click the Remediation Blocklist icon. This toggles whether the IOC is in the Remediation Blocklist.|
|Reinvestigate a previous search|Click History in the search bar.|
|Maximize the graphic display|Click the maximize icon.|
|Start a new investigation for any link|Click the link name.|
|Increase or decrease the scaling|Click the scaling controls or roll the mouse wheel.|
You can rearrange indicators for easier viewing. This is described in the following section.
When there is more than one indicator of the same type, they are displayed as one node group, with the amount of grouped links indicated.
When you hover over the node, the separate links are displayed in a group box.
In the group box, IOCs are indicated by a red icon to their left.
The following illustration shows how you can ungroup a single indicator from a grouped node:
You can ungroup some or all of the links, as described in the following table:
Tip: For searched items with many links, it is recommended to expand the linked threats data, and work from that view.
Indicator tags are used to group like indicators together. The system generates tags, and users can add their own, too.
If an IOC is related to MITRE ATT&CK techniques or Cyber Kill Chain phases, those are shown as system tags.
You can add tags to indicators, for example, to group common indicators and to subsequently search for those groups.
System-generated tags (green) cannot be removed, whereas user-generated (blue) tags can be added or removed.
To view tags:
- The Tags panel displays the user and system tags.
- If there are MITRE ATT&CK or Cyber Kill Chain tags, you can view the exact tags or see them within the full attack framework:
To add (or remove) tags:
- The tag icon is added to the indicator on the map. The tag will remain with the indicator, so it will be there in future investigations.
- The tag is removed from the indicator.
To search for indicators with a shared tag:
- From the main menu, select TIP > Investigation.
- In the search field, select Tag.
- Type a tag name, then press Enter. You can search for system-generated or user-added tags.
- All indicators with the searched tag are displayed. You can investigate an indicator by clicking it, and you can delete existing and add additional tags.
View IOC timeline events
The IOC timeline shows system and user IOC events and related Threat Command threat activity. You can filter to show events within a specified time range or by whether they are user or system events.
To see the IOC events:
To filter the IOC events:
- You can filter for events within a date range and events initiated by the system or a user.
- Click the filter buttons and select the events desired.
Attachments and notes
You can attach documents and notes to indicators for your own internal needs. When added to cyberterms, these attachments also appear in the Threat Library, turning it into your internal knowledge base of threat information.
You can attach documents of the following types: PDF, CSV, DOC, DOCX, PNG, TXT, JPEG, JPG, MSG, and EML.
To add attachments and notes:
- The IOC attachments are displayed in the Attachments & notes panel.
- To add an attachment or a note, click Add Attachment or Note.
- You can type a note and select an attachment.
- Click Save.
Export the Map view
You can export the Map view to a PDF that includes everything displayed in the view.
To export the Map view to a PDF:
- Arrange the map as you want, then click Export Map.
The Overview panel shows historical information from the Threat Command Threat Intelligence feed. If the selected indicator is the searched indicator and is also an IOC, Threat Command enrichment data is shown as well.
The data presented for the selected indicator differs depending on what was investigated. The following sections are displayed for malware:
- Raw and enhanced data about the searched term
- The specific type of IOC
- The geographic location where the malware originated
- Targeted states: in campaigns, which countries were targeted by the campaign
- Targeted sectors: in campaigns, which sectors were targeted
- What the malware can do
- Activity (only for a searched IP address or domain): the last date the IP address or domain was resolved, and what those resolutions were
- Linked threats: the full list of related IOCs. (The graphical representation is limited to 1000 links per searched item.) The following statistics indicate where there may be any sort of relationship with the searched IOC; statistics are shown for level I relationships only:
  - Related threat actors
  - Related campaigns
  - Related domains
  - Related IP addresses
  - Related hashes
  - Related URLs
For CVEs, the following relevant data is displayed:
- CVE ID
- Severity and Rapid7 score
- NVD published date
- First and last seen (if the CVE is from Rapid7 feeds)
- Reported feeds
- Product and vendor
- Label (exploit or trending)
- Related cyberterms
For more explanation of these terms, see Manage Vulnerabilities.