Elemendar has recently rolled out a graph editing feature within the READ. platform which allows the user to edit entities within a source document through a graph-based visual representation of the document. We’re now excited to present this deep dive into Graph Editing!

Previously, the only way to edit documents within the READ. interface was via the traditional right/left mouse click that we know and love from a variety of applications. While this approach can work well and is still a firm feature within the document view, many of our analyst users missed the established norm of graph-based editing within other CTI tools.

Now, with the graph editing tool, the user can choose to annotate the graph and tweak the relationships between the entities of the graph in a visual way.

Annotating the document…

Fig 1: Annotating victim organisations of Moonlight Maze

In this blog, we’ll be using this piece about potential links between Turla and the cyberespionage campaign Moonlight Maze from the 1990s. Here, we’re annotating the victim organisations of the campaign that READ. extracted. Since these are analyst-annotated entities, they appear under “Accepted Entities” as shown in the GIF above.

Adding the relationships to the graph

Fig 2: Adding the relationship between the Moonlight Maze campaign and one of its victim organisations

Thanks to the latest graph editing view, it is now possible to toggle into the STIX Graph view and add/modify relationships even before completing the annotation of the entire CTI piece.

With a few minutes of analyst attention to clean up READ.’s extraction from the report, and with additional relationships between the confirmed entities of the report, we can then come up with a rough graphical representation of the article:

Fig 3: An example of usage for the graph editing view

We can now make some quick suggestions from the graph and some additional details from the prose: 

  • There is a campaign called Moonlight Maze that targets the Department of Energy, the Pentagon and NASA
  • There is reason to believe that Turla could be the threat actor behind this, as this group also actively targets the USA
  • Some artefacts of the Moonlight Maze campaign indicate the presence of two forms of malware, Penquin Turla and Storm Cloud, both of which the Turla group has used. Furthermore, Penquin Turla’s signature was recently seen in a compromised device from Germany.
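To make the structure of that graph concrete, here is an added example (not READ.'s own code or export format) that encodes the entities and relationships listed above as a bundle and rejects edges outside a subset of the relationship types the STIX 2.1 specification defines. The use of STIX 2.1, the helper names, the namespace, the timestamp, and the `identity_class` and `is_family` values are assumptions made for illustration.

```python
import json
import uuid

# Subset of the relationship types STIX 2.1 defines for these source types.
ALLOWED = {
    ("campaign", "targets"): {"identity", "location", "vulnerability"},
    ("campaign", "attributed-to"): {"intrusion-set", "threat-actor"},
    ("campaign", "uses"): {"attack-pattern", "infrastructure", "malware", "tool"},
    ("threat-actor", "targets"): {"identity", "location", "vulnerability"},
    ("threat-actor", "uses"): {"attack-pattern", "infrastructure", "malware", "tool"},
}
NS = uuid.UUID("00000000-0000-4000-8000-000000000001")  # constructed namespace
TS = "2024-01-01T00:00:00.000Z"  # constructed timestamp


def sdo(stix_type, name, **extra):
    """Build a minimal domain object with a deterministic id (hypothetical helper)."""
    return {"type": stix_type, "spec_version": "2.1",
            "id": f"{stix_type}--{uuid.uuid5(NS, stix_type + ':' + name)}",
            "created": TS, "modified": TS, "name": name, **extra}


def relate(src, rel_type, dst, **extra):
    """Return a relationship object; reject edges not listed in ALLOWED."""
    if rel_type != "related-to" and dst["type"] not in ALLOWED.get((src["type"], rel_type), set()):
        raise ValueError(f"{src['type']} -{rel_type}-> {dst['type']} is not in ALLOWED")
    rid = uuid.uuid5(NS, f"{src['id']}|{rel_type}|{dst['id']}")
    return {"type": "relationship", "spec_version": "2.1", "id": f"relationship--{rid}",
            "created": TS, "modified": TS, "relationship_type": rel_type,
            "source_ref": src["id"], "target_ref": dst["id"], **extra}


def build_bundle():
    """Encode the entities and edges from the summary above."""
    mm = sdo("campaign", "Moonlight Maze")
    turla = sdo("threat-actor", "Turla")
    usa = sdo("location", "USA", country="US")
    victims = [sdo("identity", n, identity_class="organization")  # assumed class
               for n in ("Department of Energy", "Pentagon", "NASA")]
    malware = [sdo("malware", n, is_family=True)  # is_family value is assumed
               for n in ("Penquin Turla", "Storm Cloud")]
    rels = [relate(mm, "targets", v) for v in victims]
    rels += [relate(mm, "uses", m) for m in malware] + [relate(turla, "uses", m) for m in malware]
    rels += [relate(turla, "targets", usa),
             relate(mm, "attributed-to", turla, description="Tentative link per the article")]
    objs = [mm, turla, usa, *victims, *malware, *rels]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid5(NS, 'bundle')}", "objects": objs}


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```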

In conclusion, you can see why we are excited to introduce the graph editing tool. Firstly, analysts can immediately see the graph representation of a document and determine how comprehensive the extraction results are. Afterwards, as shown in this blog, they can annotate additional entities and relationships that can make the graph view even more useful. 

Questions? Ideas? Reach out to us regarding this latest update!