Details View of an Object's Graph

Details Drawer

When viewing the graph for an Indicator, Group, or Case, select View Details from a node’s contextual menu to display the Details drawer on the right side of the screen for the selected object. If you select View Details for an Indicator or Group that exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.

Figure 1 shows the Details drawer for the verybadguy.com Host Indicator displayed on an object’s graph.

• If an Indicator or Group exists in multiple owners, a dropdown menu will be displayed at the upper-right corner of the drawer. Use this dropdown menu to select the owner in which you want to view details about the selected object.
• The information displayed on this drawer is identical to the information displayed on an object’s Details drawer that you can access via the Browse screen.
• Click the Details  icon at the upper-right corner of the drawer to open the Details screen for the Indicator in a new browser tab.
• Click the X icon at the upper-right corner of the drawer to close the Details drawer and display the Details table.

Figure 2 shows the Details drawer for the Analyze Suspicious Email and Report Findings Case displayed on an object’s graph.

• At the top of the drawer, the following Case information will be displayed: the Organization to which the Case belongs, the date and time when the Case was created, and the Case’s description, if one has been entered.
• ThreatAssess: This section is displayed when a Case contains at least one Artifact with a ThreatAssess score and shows the highest ThreatAssess score among the Case’s Artifacts with a ThreatAssess score.
• Associated Intel: This section displays Groups associated to the Case.
• Associated Indicators: This section displays Indicators associated to the Case.
• Case # and Name: This section displays the following information about the Case:
  • Description: The Case’s description, if one has been entered.
  • Assignee: The user assigned to the Case.
  • Open Date: The date and time when the Case was opened.
  • Severity: The Case’s severity.
  • Resolution: The Case’s resolution. If a resolution has not been set for a Case, a value of Not Specified will be displayed.
  • Workflow Template: The Workflow applied to the Case. If a Workflow has not been applied to the Case, no value will be displayed.
  • Case Status: The Case’s status.
  • Tags: Expand this section to display Tags applied to the Case.
  • Associations: Expand this section to display Indicators, Groups, and Cases associated to the Case.
  • Potential Associations: Expand this section to display Indicators, Groups, and Cases that are suggested as potential associations to the Case.
  • Artifacts: Expand this section to display the Case’s Artifacts.
  • Notes: Expand this section to display the Case’s Notes.
• Click the View case in new tab icon at the upper-right corner of the drawer to open the Case in a new browser tab.
• Click the X icon at the upper-right corner of the drawer to close the Details drawer and display the Details table.

Details Table

The Details table (Figure 3) displays additional information about each Indicator, Group, and Case on the graph. It also provides the ability to import Indicators into an owner to which you have access and remove individual objects from the graph. You can expand and collapse the Details table by clicking Toggle Details at the upper-right corner of the graph.

The Details table contains five columns:

• Name: This column displays the object’s summary and type.
• Last Modified: This column displays the date when the object was last modified.
• Last Seen: This column displays the date when the object was last seen.
• Status: For Indicators, this column displays its Indicator Status and whether it was set by ThreatConnect or CAL. For Groups, no information is displayed in this column. For Cases, this column indicates whether the Case is opened or closed.
• Score: For Indicators, this column displays its ThreatAssess score (if pivoting in ThreatConnect) or CAL score (if pivoting within a CAL dataset). For Groups and Cases, no information is displayed in this column.

You can sort objects displayed in the table using any of the five column headings. To filter objects by summary, use the search bar at the top of the table. To view an object’s Details drawer, click its summary in the Name column. If an Indicator or Group belongs to a CAL dataset, no Details drawer will be displayed when you click on its summary in the Name column.

Selecting the checkbox to the left of an object’s name will display the Selected dropdown below the search bar. To select all objects listed in the Details table, select the checkbox to the left of the Name column. If you selected only Indicators, Cases, or both, clicking this dropdown will display a menu (Figure 4) with the following options: Add to an owner and Remove from graph.

If you selected at least one Group, only the Remove from graph option will be displayed in the menu, as you cannot import Groups on the graph into ThreatConnect.

Importing Indicators into an Owner

Select Add to an owner to import Indicators into an owner to which you have access. After selecting this option, you will be prompted to choose whether to import the selected Indicators into a new or existing Group in ThreatConnect.

Importing Indicators into a New Group

1. To import Indicators into a new Group, select Create New Group. The Details section of the Create screen will be displayed (Figure 5). By default, the Event Group type is selected. For more information about this screen, see the “Creating a Group” section of Create.

   

    

   Note

   When importing Indicators via the Explore In Graph feature, the SAVE button is available only in the Associations and Attachments sections.
2. After filling out the Details section, click the Next button. The Associations section will be displayed (Figure 6).

   

    

   Note

   A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
   • Associations: The selected Indicators will be displayed in the Associations card. In this card, you can complete the following actions:
     • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
     • Actions: To remove an Indicator from the list of Indicators being imported, click Delete .
   • Association Details: In the Associations Details card, you can fill out the following information, which will be applied to all Indicators being imported and added to the Group:
     • Description: Enter a description for the Indicator(s).
     • Tags: Enter any Tags that should be applied to the Indicator(s).
     • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
     • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
   • Click the NEXT button.
3. The Attachments section will be displayed (Figure 7).

   

    

   • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
   • Click the SAVE button.

The selected Indicators will be imported into the newly created Group, and the Group’s Details screen will be displayed. Indicators that were imported into the Group will be displayed on the Associations card under the Associated Indicators section when the card is in table view.

Importing Indicators into an Existing Group

1. To import Indicators into an existing Group, select Add to Existing Group. The Details section of the Import to Existing Group screen will be displayed (Figure 8).

   

    

   • Select the Group into which the selected Indicators will be imported. To search for a Group, enter its name in the search bar above the table containing all Groups.
   • Click the NEXT button.
2. The Associations section (Figure 9) will be displayed.

   

    

   Note

   A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
   • Associations: The selected Indicators will be displayed in the Associations card. In this card, you can complete the following actions:
     • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
     • Actions: To remove an Indicator from the list of Indicators being imported, click Delete .
   • Association Details: In the Associations Details card, you can fill out the following information, which will be applied to all Indicators being imported and added to the Group:
     • Description: Enter a description for the Indicator(s).
     • Tags: Enter any Tags that should be applied to the Indicator(s).
     • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
     • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
   • Click the SAVE button.

The selected Indicators will be imported into the selected Group, and the Group’s Details screen will be displayed. Indicators that were imported into the Group will be displayed on the Associations card under the Associated Indicators section when the card is in table view.

Removing Objects from the Graph

Select Remove from graph to remove the selected object(s) from the graph. Removing an Indicator, Group, or Case from the graph will neither remove objects associated to it from the graph nor dissociate the removed Indicator or Group from its associated object(s).

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-06 v.05.A