Viewing Details in Threat Graph
  • 10 Jan 2024
  • 8 Minutes to read
  • Dark
    Light

Viewing Details in Threat Graph

  • Dark
    Light

Article Summary

Details Drawer

When you click on a node representing an Indicator, Group, Case, or Tag that exists in one of your ThreatConnect owners, the View Details option will be displayed in the node’s contextual menu. Select this option to display the object's Details drawer in Threat Graph. If you select View Details for an Indicator, Group, or Tag that exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.

Figure 1 shows the Details drawer for the verybadguy.com Host Indicator displayed in Threat Graph.
Graphical user interface, text, application, Teams  Description automatically generated

 

  • If an Indicator, Group, or Tag exists in multiple owners, a dropdown will be displayed at the upper-right corner of the drawer. Use this dropdown to select the owner in which you want to view details about the selected object.
  • The information displayed on this drawer is identical to the information displayed on an object’s Details drawer that you can access via the Browse screen .
  • Click View full details View full details_Details drawer at the upper-right corner of the drawer to open the object's Details screen in a new browser tab.
  • Click CloseRemove iconat the upper-right corner of the drawer to close the Details drawer and display the Details table.
Note
For Indicators, the Associated Indicators section displays Indicators directly and indirectly associated (i.e., Indicators associated via an associated Group) to the Indicator whose Details drawer you are viewing.

Figure 2 shows the Details drawer for the Analyze Suspicious Email and Report Findings Case displayed in Threat Graph.

 

  • Case # and Name: This section displays the following information about the Case:
    • Description: The Case’s description, if one has been entered.
    • Assignee: The user assigned to the Case.
    • Open Date: The date and time when the Case was opened.
    • Severity: The Case’s severity.
    • Resolution: The Case’s resolution. If a resolution has not been set for a Case, a value of Not Specified will be displayed.
    • Workflow Template: The Workflow applied to the Case. If a Workflow has not been applied to the Case, no value will be displayed.
    • Case Status: The Case’s status.
  • Tags: This section displays Tags applied to the Case.
  • Associations: This section displays Indicators, Groups, and Cases associated to the Case.
  • Potential Associations: This section displays Indicators, Groups, and Cases suggested as potential associations to the Case.
  • Artifacts: This section displays the Case’s Artifacts.
  • Notes: This section displays the Case’s Notes.
  • Click the View case in new tabOpen in New Tab iconicon at the upper-right corner of the drawer to open the Case in a new browser tab.
  • Click CloseRemove iconat the upper-right corner of the drawer to close the Details drawer and display the Details table.

Details Table

The Details table (Figure 3) displays additional information about each Indicator, Group, Case, and Tag node displayed in Threat Graph. It also provides the ability to import Indicators into one of your ThreatConnect owners and remove objects from Threat Graph.

Viewing the Details Table

You can expand and collapse the Details table by clicking Toggle Details Icon  Description automatically generatedat the upper-right corner of Threat Graph.

Graphical user interface, application  Description automatically generated

 

The Details table contains five columns:

  • Name: This column displays the object’s summary and type.
  • Last Modified: This column displays the date when the object was last modified.
  • Last Seen: This column displays the date when the object was last seen.
  • Status: For Indicators, this column displays its Indicator Status and whether it was set by ThreatConnect or CAL™. For Groups and Tags, no information is displayed in this column. For Cases, this column indicates whether the Case is opened or closed.
  • Score: For Indicators, this column displays its ThreatAssess score (if pivoting in ThreatConnect) or CAL score (if pivoting within a CAL dataset). For Groups, Cases, and Tags, no information is displayed in this column.

To view an object’s Details drawer, click its summary in the Name column. If an object does not exist in ThreatConnect, no Details drawer will be displayed when you click on its summary in the Name column.

Sorting and Filtering Objects in the Details Table

To sort objects displayed in the Details table, click on one of the five column headers. To filter objects displayed in the Details table by summary, use the search bar at the top of the table.

Selecting Objects in the Details Table

You can select individual objects in the Details table by selecting the checkbox to the left of the object’s name. To select all objects listed in the Details table, select the checkbox to the left of the Name column header.

When you select one or more objects, the Selected button at the top left of the table will update to reflect the current number of selected items. To display only the items currently selected in the Details table, click the Selected button.

Selection Actions

When at least one object is selected in the Details table, you can click the Selection Actions dropdown at the top left of the table to display a menu with some or all of the following options:

Importing Indicators Into an Owner

Select Add to an owner from the Selection Actions dropdown to import Indicators into one of your ThreatConnect owners. After selecting this option, you will be prompted to choose whether to associate the imported Indicators to a new or existing Group in ThreatConnect.

Importing Indicators Into a New Group

  1. To import Indicators into a new Group, select Create New Group from the Add to an owner submenu. The Details section of the Create screen will be displayed (Figure 4).

    Graphical user interface, application  Description automatically generated

     

    • Type: By default, Event is selected. If desired, select another Group type from the dropdown.
    • Fill out all remaining fields on the Details section. For descriptions of each field available on this screen, see the “Creating a Group” section of Create.
    • Click the Next button.
      Note
      The Save button is available only on the Associations and Attachments sections.
  2. The Associations section will be displayed (Figure 5).

    Graphical user interface  Description automatically generated

     

    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicators will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click DeleteTrash icon_Black.
    • Association Details: In the Associations Details card, you can fill out the following information for all Indicators being associated to the Group:
      Important
      If an Indicator selected for import already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered in this section. In this scenario, the values for the existing Indicator’s default Description, Threat Rating, and Confidence Rating will be replaced with the values entered for those options in this section, and Tags entered in this section will be applied in addition to existing Tags applied to the existing Indicator.
      • Description: Enter a default Description for the Indicator(s).
      • Tags: Enter one or more Tags to apply to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Next button.
  3. The Attachments section will be displayed (Figure 6). Attachments is an optional section where you can attach related files to the Group.

    Graphical user interface, text, application, email  Description automatically generated

     

    • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Click the Save button.

The selected Indicators will be imported and associated to the newly created Group, and the Group’s Details screen will be displayed. Indicators imported into ThreatConnect will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Importing Indicators Into an Existing Group

  1. To import Indicators into ThreatConnect and associate them to an existing Group, select Add to Existing Group from the Add to an owner submenu. The Details section of the Import to Existing Group screen will be displayed (Figure 7).

    Graphical user interface, application  Description automatically generated

     

    • Select the Group to which the selected Indicator(s) will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups.
    • To view a Group’s Details screen , click the Open in New TabOpen in New Tab iconicon to the right of the Owner column.
    • Click the Next button.
  2. The Associations section will be displayed (Figure 8).

    Graphical user interface, application  Description automatically generated

     

    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicator(s) will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click DeleteIcon  Description automatically generated.
    • Association Details: In the Associations Details card, you can fill out the following information for all Indicators being associated to the Group:
      Important
      If an Indicator selected for import already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered in this section. In this scenario, the values for the existing Indicator’s default Description, Threat Rating, and Confidence Rating will be replaced with the values entered for those options in this section, and Tags entered in this section will be applied in addition to existing Tags applied to the existing Indicator.
      • Description: Enter a default Description for the Indicator(s).
      • Tags: Enter one or more Tags to apply to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Save button.

The selected Indicators will be imported and associated to the existing Group, and the Group’s Details screen will be displayed. Indicators imported into ThreatConnect will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Removing Objects From Threat Graph

Select Remove from graph from the Selection Actions dropdown to remove the selected object(s) from Threat Graph. Removing an Indicator, Group, Case, or Tag from Threat Graph will neither remove objects associated to it from Threat Graph nor dissociate the removed Indicator, Group, Case, or Tag from its associated object(s).

Important
You cannot remove the origin node from Threat Graph.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-06 v.07.A


Was this article helpful?