Reviewing ThreatConnect Intelligence Anywhere Scan Results

After ThreatConnect^® Intelligence Anywhere finishes scanning an online resource, scan results will be displayed on one of three tabs in the Scan Results window: Known Indicators, Unknown Indicators, or Groups.

Known Indicators Tab

Potential Indicators found during the scan that exist in a source (i.e., Organization, Community, and Intelligence Source) you selected on the Intel Sources tab of the Settings menu will be displayed on the Known Indicators tab of the Scan Results window (Figure 1). When searching ThreatConnect to determine whether a potential Indicator is a known Indicator, Intelligence Anywhere maintains case sensitivity for URLs, uses uppercase for file hashes, and uses lowercase for all other Indicator types. It also detects defanged URLs (e.g., hxxps://, badguy[dot]com) and refangs them automatically (e.g., https://, badguy.com) before searching ThreatConnect to determine whether a URL is a known Indicator.

A known Indicator’s ThreatAssess score and corresponding assessment level will be displayed to the right of the Indicator. Available ThreatAssess assessment levels include the following:

• Low: The Indicator’s ThreatAssess score is between 0 and 200, inclusive
• Medium: The Indicator’s ThreatAssess score is between 201 and 500, inclusive
• High: The Indicator’s ThreatAssess score is between 501 and 800, inclusive
• Critical: The Indicator’s ThreatAssess score is between 801 and 1000, inclusive

Clicking on a known Indicator in the Scan Results window (Figure 2) will display the following:

• the Indicator’s type and ThreatAssess score
• the Indicator’s CAL score and CAL Indicator Status
• the source(s) in which Intelligence Anywhere found the Indicator

To view the Details screen for the Indicator in an Organization, Community, or Intelligence Source listed in the Found in the Following Sources section, click View in ThreatConnect.

Unknown Indicators Tab

Potential Indicators found during the scan that do not exist in a source you selected on the Intel Sources tab of the Settings menu will be displayed on the Unknown Indicators tab of the Scan Results window (Figure 3).

If no information exists in CAL for an unknown Indicator, the text No information available will be displayed to the right of the Indicator. Otherwise, the Indicator’s CAL score and corresponding assessment level will be displayed to the right of the Indicator. Available assessment levels include the following:

• Low: The Indicator’s CAL score is between 0 and 200, inclusive.
• Medium: The Indicator’s CAL score is between 201 and 500, inclusive.
• High: The Indicator’s CAL score is between 501 and 800, inclusive.
• Critical: The Indicator’s CAL score is between 801 and 1000, inclusive.

Clicking on an unknown Indicator in the Scan Results window will display the Indicator’s type, CAL score, and CAL Indicator Status (Figure 4).

Groups Tab

Potential Groups found during the scan will be displayed on the Groups tab of the Scan Results window (Figure 5). Currently, Intelligence Anywhere will return results for Adversary, Attack Pattern, Intrusion Set, Malware, and Threat Groups only.

Clicking on a potential Group in the Scan Results window will display data collected from CAL, including its Group type, known aliases, and description (Figure 6).

To search for the Group by its name and aliases in the sources you selected on the Intel Sources tab of the Settings menu , click the Search for matches in ThreatConnect button. A ThreatConnect Matches section will be displayed (Figure 7).

If a Group in ThreatConnect matches the Group’s name or a known alias, it will be displayed in the ThreatConnect Matches section. Click on a Group in the ThreatConnect Matches section to display its Group type and the owner to which it belongs in ThreatConnect. To view the Group’s Details screen in a new browser tab, click View in ThreatConnect.

If no matches to the Group’s name or known aliases were found in the selected sources, a message stating so will be displayed in the ThreatConnect Matches section.

CAL NLP Recognition

When scanning an online resource for Groups, Intelligence Anywhere will leverage CAL’s natural-language processing (NLP) capabilities to search for text that is indicative of a MITRE ATT&CK^® technique. If such text is found, a Group will be listed on the Groups tab of the Scan Results window that, when clicked, displays a CAL NLP Recognition button (Figure 8).

Click the CAL NLP Recognition button to view the text on the scanned online resource that CAL detected as a match to the specified ATT&CK technique (Figure 9).

Viewing Results on the Scanned Resource

To view the location of a potential Indicator or Group on the scanned online resource, click the View on pageicon to the right of the object’s entry on the Scan Results window (Figure 1). The potential Indicator or Group will be highlighted on the scanned online resource, and the Details window for the Indicator (Figure 10) or Group (Figure 11) will be displayed at the top right of the screen.

Potential Indicators will be highlighted in either orange (known) or blue (unknown) on a scanned page; potential Groups will be highlighted in blue. Hovering your cursor over a highlighted object will display its Details window.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20107-06 v.06.A