Visual Families
Visual families specify the relationship between the entities and protagonists from the third-party applications. You can configure the family's field and relationships.
The family is attached to a specific event / product in the Event Configuration > Visualization screen. The family is then displayed in the Explore Cases screen for each event, product or source so that the analyst can see who did what and when.
To clone or create a visual family:
- Navigate to Settings > Ontology > Visual Families.
- Either select one of the existing visual families and click the Duplicate icon on the top right. (Or select the icon and create a new family from scratch).
- In the Family Rules screen that opens, edit the relevant information by either selecting a row and clicking on the icon. Or click on the icon to add a new family rule.
- Enter the relevant information. Primary to Fourth Source of where to take the Information and the Primary to Fourth Destination in Chronicle SOAR to send it to. Relation Type: Type (action) or Linked (connection). An action is when one entity does something to another entity (user sends an email). A connection simply means the two entities are related (user and the machine’s host name). In the Explore screen, the Type (action) is denoted by an arrow and Linked (connection) is denoted by a dotted line.
- Click Save.
- Make sure to click the Save icon the top right of the screen before exiting this screen!
NOTE: You can both export and import Visual Families. Select by row in order to export.
The format is a zip file containing a JSON file with the visual family details.