Working with Investigation Canvas
The Investigation Canvas is a key feature that gives Threat Intelligence (TI) analysts a structured framework for their analysis. It maps one-to-one and one-to-many relationships and visualizes information related to observables, indicators of compromise (IOCs), and other entities.
By using the Investigation Canvas, threat analysts can:
- Map relationships: Visualize connections between nodes representing entities such as observables, indicators of compromise (IOCs), threat actors, attack patterns, affected assets, and more. Each object on the canvas is shown in a specific color along with its object type, node type, and status. For observables and other object types, the status reflects the object's reputation, such as Suspicious, Low, or Critical. Indicators are displayed with their associated threat severity to help prioritize analysis.
- Link cases or canvases: Link a case or canvas to enrich the analysis and provide a more comprehensive view of the threat landscape within case management.
- Linking lets analysts dynamically add or remove nodes and populates the canvas with the existing relationships between those nodes.
- Create temporary relationship graphs by saving relationships separately within the context of the Investigation Canvas.
- MITRE technique associations: Associate MITRE techniques with nodes, or remove them, directly on the canvas, and analyze them on the MITRE kill chain card.
Entry points for the Investigation Canvas
- First entry point: New Blank Canvas. Opens a new, empty canvas with no nodes or links.
- Second entry point: Open Canvas in Case Investigation:
- Opens an existing investigation case and lets analysts edit, modify, and rename its canvas.
- Creates a new canvas with the case's existing artifacts as nodes.