Details View of an Object's Graph
  • 12 Apr 2023

Details Drawer

When you click on a node representing an Indicator, Group, Case, or Tag that exists in ThreatConnect, the View Details option will be displayed in the node’s contextual menu. Select this option to display the Details drawer on the right side of the screen for the selected object. If you select View Details for an Indicator, Group, or Tag that exists in multiple owners, you will be prompted to select the owner in which you want to view details about the object.

Figure 1 shows the Details drawer for the verybadguy.com Host Indicator displayed on an object’s graph.

  • If an Indicator, Group, or Tag exists in multiple owners, a dropdown menu will be displayed at the upper-right corner of the drawer. Use this dropdown menu to select the owner in which you want to view details about the selected object.
  • The information displayed on this drawer is identical to the information displayed on an object’s Details drawer that you can access via the Browse screen.
  • Click View full details at the upper-right corner of the drawer to open the object's Details screen in a new browser tab.
  • Click the icon at the upper-right corner of the drawer to close the Details drawer and display the Details table.
Note
For Indicators, the Associated Indicators section displays Indicators directly and indirectly associated (i.e., Indicators associated via an associated Group) to the Indicator whose Details drawer you are viewing.

Figure 2 shows the Details drawer for the Analyze Suspicious Email and Report Findings Case displayed on an object’s graph.

 

  • Case # and Name: This section displays the following information about the Case:
    • Description: The Case’s description, if one has been entered.
    • Assignee: The user assigned to the Case.
    • Open Date: The date and time when the Case was opened.
    • Severity: The Case’s severity.
    • Resolution: The Case’s resolution. If a resolution has not been set for a Case, a value of Not Specified will be displayed.
    • Workflow Template: The Workflow applied to the Case. If a Workflow has not been applied to the Case, no value will be displayed.
    • Case Status: The Case’s status.
    • Tags: Expand this section to display Tags applied to the Case.
    • Associations: Expand this section to display Indicators, Groups, and Cases associated to the Case.
    • Potential Associations: Expand this section to display Indicators, Groups, and Cases that are suggested as potential associations to the Case.
    • Artifacts: Expand this section to display the Case’s Artifacts.
    • Notes: Expand this section to display the Case’s Notes.
  • Click the View case in new tab icon at the upper-right corner of the drawer to open the Case in a new browser tab.
  • Click the icon at the upper-right corner of the drawer to close the Details drawer and display the Details table.

Details Table

The Details table (Figure 3) displays additional information about each Indicator, Group, Case, and Tag on the graph. It also provides the ability to import Indicators into an owner to which you have access and remove individual objects from the graph. You can expand and collapse the Details table by clicking the Toggle Details icon at the upper-right corner of the graph.


The Details table contains five columns:

  • Name: This column displays the object’s summary and type.
  • Last Modified: This column displays the date when the object was last modified.
  • Last Seen: This column displays the date when the object was last seen.
  • Status: For Indicators, this column displays its Indicator Status and whether it was set by ThreatConnect or CAL™. For Groups and Tags, no information is displayed in this column. For Cases, this column indicates whether the Case is opened or closed.
  • Score: For Indicators, this column displays its ThreatAssess score (if pivoting in ThreatConnect) or CAL score (if pivoting within a CAL dataset). For Groups, Cases, and Tags, no information is displayed in this column.

You can sort objects using any of the five column headers. To filter objects by summary, use the search bar at the top of the table. To view an object’s Details drawer, click its summary in the Name column. If an Indicator or Group does not exist in ThreatConnect, no Details drawer will be displayed when you click on its summary in the Name column.

Selecting the checkbox to the left of an object’s name will display the Selected dropdown below the search bar. To select all objects listed in the Details table, select the checkbox to the left of the Name column header. If you selected only Indicators, clicking the Selected dropdown will display a menu (Figure 4) with the following options: Add to an owner, Run Playbook..., and Remove from graph.


If you selected at least one Group, Case, or Tag, only the Remove from graph option will be displayed in the menu, as you cannot import Groups, Cases, or Tags into ThreatConnect or execute Playbooks for these object types while using Threat Graph.

Importing Indicators into an Owner

Select Add to an owner to import Indicators into an owner to which you have access. After selecting this option, you will be prompted to choose whether to associate the imported Indicators to a new or existing Group in ThreatConnect.

Importing Indicators into a New Group

  1. To import Indicators into a new Group, select Create New Group. The Details section of the Create screen will be displayed (Figure 5).


    • Type: By default, Event is selected. If desired, select another Group type from the dropdown.
    • Fill out all remaining fields on the Details section. For descriptions of each field available on this screen, see the “Creating a Group” section of Create.
    • Click the Next button.
      Note
      The Save button is available only on the Associations and Attachments sections.
  2. The Associations section will be displayed (Figure 6).


    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicators will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click the Delete icon.
    • Association Details: In the Association Details card, you can fill out the following information, which will be applied to all Indicators being imported and associated to the Group:
      • Description: Enter a Description for the Indicator(s).
      • Tags: Enter any Tags that should be applied to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Next button.
  3. The Attachments section will be displayed (Figure 7). Attachments is an optional section where you can attach related files to the Group.


    • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Click the Save button.

The selected Indicators will be imported and associated to the newly created Group, and the Group’s Details screen will be displayed. Indicators imported into ThreatConnect will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Importing Indicators into an Existing Group

  1. To import Indicators into ThreatConnect and associate them to an existing Group, select Add to Existing Group. The Details section of the Import to Existing Group screen will be displayed (Figure 8).


    • Select the Group to which the selected Indicator(s) will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups.
    • To view a Group’s Details screen, click the Open in New Tab icon to the right of the Owner column.
    • Click the Next button.
  2. The Associations section will be displayed (Figure 9).


    Note
    A checkmark in the Known column indicates that the corresponding Indicator exists in at least one owner to which you have access.
    • Associations: The selected Indicator(s) will be displayed in the Associations card. In this card, you can complete the following actions:
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Actions: To remove an Indicator from the list of Indicators being imported, click the Delete icon.
    • Association Details: In the Association Details card, you can fill out the following information, which will be applied to all Indicators being imported and associated to the Group:
      • Description: Enter a Description for the Indicator(s).
      • Tags: Enter any Tags that should be applied to the Indicator(s).
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click the Save button.

The selected Indicators will be imported and associated to the existing Group, and the Group’s Details screen will be displayed. Indicators imported into ThreatConnect will be displayed on the Indicators card of the Group’s Associations tab. You may also view these associations on the Associations card of the Group’s legacy Details screen, under the Associated Indicators section when the card is in table view.

Removing Objects from the Graph

Select Remove from graph to remove the selected object(s) from the graph. Removing an Indicator, Group, Case, or Tag from the graph will neither remove objects associated to it from the graph nor dissociate the removed Indicator, Group, Case, or Tag from its associated object(s).

Important
You cannot remove the origin node from the graph.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20117-06 v.06.A

