The Details Drawer
- 12 Jun 2024
- 13 Minutes to read
-
Print
-
DarkLight
The Details Drawer
- Updated on 12 Jun 2024
- 13 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Overview
The Details drawer for an Indicator, Group, Tag, Track, Victim, or Victim Asset in ThreatConnect® provides a detailed overview of the threat intelligence data object you are investigating, including its metadata and associations. From this drawer, you can gather context about the object and take additional action, such as opening the Details screen to further analyze the object or pivoting from the object to an associated entity.
Note
For information on the Details drawer for Workflow Cases, see The Details Drawer for Workflow Cases.
Before You Start
User Roles
- To view the Details drawer for a threat intelligence data object in an Organization, your user account can have any Organization role.
- To view the Details drawer for a threat intelligence data object in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
- To delete an Indicator in an Organization via the Details drawer, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To delete an Indicator in a Community or Source via the Details drawer, your user account must have a Community role of Editor or Director for that Community or Source.
Prerequisites
- To view information retrieved from CAL™ for Indicators, turn on CAL for your Organization and ThreatConnect instance (must be a System Administrator to perform this action).
- To display the Tags Across Owners card on the Details drawer for Indicators, turn on the multiSourceViewEnabled system setting (must be a System Administrator to perform this action).
Accessing the Details Drawer for Threat Intelligence Data
Currently, you can access the Details drawer for threat intelligence data objects in the following areas of ThreatConnect:
- the Browse screen
- the Search drawer
- the Search screen
- Threat Graph
- the Artifacts, Associations, and Potential Associations cards in Workflow Cases
- the Keyword Tracking & Results card on the Details screen for Intelligence Requirements (IRs)
Accessing the Details Drawer From the Browse Screen
Follow these steps to access the Details drawer from the Browse screen:
- Hover over Browse on the top navigation bar and select Indicators, Groups, Tags, Tracks, Victims, Victim Assets, or a specific Indicator, Group, or Victim Asset type. Alternatively, click Browse to open the Browse screen and view Indicators of all types in the owners selected in the My Intel Sources selector.
- Select an object in the results table on the Browse screen to display the object’s Details drawer.
Details Drawer Layout
Figure 1 shows the Details drawer for an Indicator, and Figure 2 shows the Details drawer for a Group. The Details drawer for Tags, Tracks, Victims, and Victim Assets looks similar to the Details drawer for Groups.
Note
If accessing the Details drawer for an Indicator via the Search drawer or a Workflow Case, the drawer will look similar to the Details drawer for Groups.
The Details drawer consists of several sections with relevant information for the corresponding object. Depending on the type of object whose Details drawer you are viewing, the layout of the drawer will vary.
Note
The Details drawer displays data in a read-only format.
Indicators
The Details drawer for Indicators consists of three primary sections:
- Header: The header of an Indicator’s Details drawer displays the Indicator’s summary, type, and owner, as well as the Indicator’s status and whether it was set locally (i.e., by a user with permission to change an Indicator’s status on your ThreatConnect instance) or by CAL. The header also includes a ⋯ menu , as well as an Explore in Graph button that lets you view the Indicator in Threat Graph.NoteIf CAL Status Lock is turned on for an Indicator, a message stating “CAL Status Lock Enabled” will be displayed in the header of the Indicator’s Details drawer, to the left of the Indicator’s status.
- Details: The top portion of an Indicator’s Details drawer displays the following details about the Indicator:
- ThreatAssess & CAL: The Indicator’s ThreatAssess score, CAL score, and ThreatAssess and CAL impact factors.
- Security Labels: The Security Labels applied to the Indicator.
- Confidence Rating: The Indicator’s Confidence Rating.
- Threat Rating: The Indicator’s Threat Rating.
- Date Added: The date and time when the Indicator was created.
- Last Modified: The date and time when the Indicator was last modified.
- Description: The Indicator's default Description Attribute.
- Source: The Indicator's default Source Attribute.
- Tags: The Tags applied to the Indicator in the owner listed at the top left of the Details drawer. This section is available only if the multiSourceViewEnabled system setting is turned off. Otherwise, the Tags applied to the Indicator will be displayed on the Tags Across Owners card in the bottom portion of the Details drawer, and they will be the Tags applied to the Indicator across all of the Indicator’s owners to which you have access.
- CAL™ Classifiers: The CAL Classifiers applied to the Indicator.
- Cards: The bottom portion of an Indicator’s Details drawer contains cards with relevant information for the Indicator. The cards available in this section depend on the type of Indicator whose Details drawer you are viewing. Click on an individual card to expand and collapse it, or use the Collapse All and Expand All buttons to collapse and expand all cards, respectively.
Table 1 provides a description of each card that may be displayed in the bottom portion of an Indicator’s Details drawer and the Indicator type(s) for which each card is available.
| Name | Description | Applicable Indicator Type(s) |
|---|---|---|
| Attributes | The Attributes added to the Indicator. | All |
| Case Associations | The Cases associated to the Indicator. | All |
| DNS Resolution | The DNS resolution history for the Indicator (domain resolutions for Address Indicators; IP address resolutions for Host Indicators), as well as location and count information for computers that attempted to access suspicious domains captured by Quad9® infrastructure within the last 90 days. | Address; Host |
| DomainTools | The enrichment data retrieved from DomainTools® for the Host Indicator. Click Retrieve Data on the DomainTools card to retrieve the latest enrichment data from DomainTools for the Indicator. | Host |
| Farsight Passive DNS | The enrichment data retrieved from Farsight Security® for the Address or Host Indicator. Click Retrieve Data on the Farsight Passive DNS card to retrieve the latest enrichment data from Farsight Security for the Indicator. | Address; Host |
| File Hash Details | The File Indicator’s MD5, SHA1, and SHA256 file hashes and file size, as well as analytics about a file sample’s various hashes derived from CAL. | File |
| GeoLocation Data | The IP address geographic information within ThreatConnect and CAL for the Address Indicator. | Address |
| Group Associations | The Groups associated to the Indicator. | All |
| Indicator Associations | The Indicators associated to the Indicator. | All |
| Intelligence Requirement Associations | The IRs associated to the Indicator. | All |
| Investigation Links | Links to search results of various third-party lookups and other information services. Each link is a shortcut to query results for the Indicator, which will open in a new browser tab. | All |
| Known File Occurrences | The Known File Occurrences added to the File Indicator. | File |
| Notes | The posts added to the Indicator. | All |
| Observations, False Positives, & Impressions | The number of observations and false positive reports for the Indicator in your ThreatConnect instance, as well as the number of observations, false positive reports, and impressions derived from CAL for the Indicator. Select Report False Positive on the Observations, False Positives, & Impressions card to report the Indicator as a false positive. | All |
| Owners & Feeds | The owners in which the Indicator exists, the Threat Rating and Confidence Rating assigned to the Indicator by those owners, and the feeds that have reported the Indicator. | All |
| Pinned Association Attributes | The association Attributes added to Groups associated to the Indicator. | All |
| Playbooks | The active Playbooks with a UserAction Trigger configured for the Indicator’s type. Click Run playbook for a Playbook to execute it. | All |
| RiskIQ | The enrichment data retrieved from RiskIQ® for the Host Indicator. Click Retrieve Data on the RiskIQ card to retrieve the latest enrichment data from RiskIQ for the Indicator. | Host |
| Shodan | The enrichment data retrieved from Shodan® for the Address Indicator. Click Retrieve Data on the Shodan card to retrieve the latest enrichment data from Shodan for the Indicator. | Address |
| Tags Across Owners | The Tags applied to the Indicator across all of the Indicator’s owners to which you have access. This card is available only if your System Administrator turned on the multiSourceViewEnabled system setting. Otherwise, the Tags applied to the Indicator will be displayed in the top portion of the drawer, and they will be the Tags applied to the Indicator only in the owner listed at the top left of the Details drawer. Important As of ThreatConnect 7.6, the Tags Across Owners card is a beta feature. | All |
| URLScan | The enrichment data retrieved from urlscan.io for the URL Indicator. Click Retrieve Data on the URLScan card to retrieve the latest enrichment data from urlscan.io for the Indicator. | URL |
| Victim Asset Associations | The Victim Assets associated to the Indicator. | All |
| VirusTotal | The enrichment data retrieved from VirusTotal™ for the Address, File, Host, or URL Indicator. Click Retrieve Data on the VirusTotal card to retrieve the latest enrichment data from VirusTotal for the Indicator. | Address; File; Host; URL |
| Whois | The WHOIS data for the Host Indicator. | Host |
Groups
Table 2 provides a description of each section and element that may be displayed on the Details drawer for a Group and the Group type(s) for which each section is available.
| Name | Description | Applicable Group Type(s) |
|---|---|---|
| Added | The date when the Group was created. | All |
| Assignees | The users assigned to the Task. | Task |
| Associated Indicators | The Indicators associated to the Group. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Associations tab of the Group’s Details screen and view all associated Indicators. | All |
| Associated Intel | The Groups associated to the Group. | All |
| Associated Victim Assets | The Victim Assets associated to the Group. | All |
| Attributes | The Attributes added to the Group. | All |
| + Create Custom Report | Click the + Create Custom Report button to display the following options:
| All |
| Description | If a default Description Attribute has been added to the Group, it will be displayed above the Type, Owner, Added, and Last Modified sections. | All |
| Due Date | The date when the Task is due. | Task |
| Email Information | This section displays the following information for the Email Group: the Threat Score of the Email, the sender’s email address, the date when the Email was sent, and the Email’s subject. | |
| Event Date | The date when the Event or Incident took place. | Event; Incident |
| File Information | For Document and Report Groups, this section displays the name, type, and size of the file uploaded to the Group; the status of the file upload; and the date when the file was last modified. For Signature Groups, this section displays the name and format of the signature file corresponding to the Group and the date when the file was last modified. | Document; Report; Signature |
| First Seen | The date when the Campaign was first seen. | Campaign |
| Last Modified | The date when the Group was last modified. | All |
| Owner | The Organization, Community, or Source to which the Group belongs. | All |
| Security Labels | The Security Labels applied to the Group. | All |
| Status | The status of the Event, Incident, or Task. | Event; Incident; Task |
| Tags | The Tags applied to the Group. | All |
| Type | The Group’s type. | All |
| Visual Analysis | Click Visual Analysis to display the following options:
| All |
Tags
Table 3 provides a description of each section and element that may be displayed on the Details drawer for a Tag.
| Name | Description |
|---|---|
| Associated Indicators | The Indicators to which the Tag is applied. If there are more than 10 Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Tag’s legacy Details screen and view all Indicators to which it is applied on the Associations card. |
| Associated Intel | The Groups to which the Tag is applied. |
| Associated Victims | The Victims to which the Tag is applied. |
| Explore in Graph | Click Explore in Graph to view the Tag in Threat Graph. |
| Last Used | The date when the Tag was last used. For Tags that have not been used since the Last Used date was introduced in ThreatConnect, this section will display a value of Unknown. |
| Owner | The Organization, Community, or Source to which the Tag belongs. |
| Summary | The Tag’s summary. |
| Synonymous Tags | This section is displayed only for main Tags defined in Tag normalization rules (i.e., Tags with the icon displayed to the left of their name in the Summary column on the Browse screen) and provides a list of synonymous Tags associated with the main Tag. |
| Type | This section will always display a value of “Tag.” |
Tracks
Table 4 provides a description of each section that may be displayed on the Details drawer for a Track.
| Name | Description |
|---|---|
| Active | This section specifies whether the Track is active. |
| Added | The date when the Track was created. |
| Description | If a description has been added to the Track, it will be displayed above the Type, Owner, Added, and Active sections. |
| Owner | The Organization, Community, or Source to which the Track belongs. |
| Results | The number of results for the Track. |
| Type | This section will always display a value of “Track.” |
Victims
Table 5 provides a description of each section that may be displayed on the Details drawer for a Victim.
| Name | Description |
|---|---|
| Assets | The Victim Assets added to the Victim. Victim Asset(s) are also displayed in the Associated Victim Assets section. |
| Associated Indicators | The Indicators associated to one or more of the Victim’s Assets. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Victim’s legacy Details screen and view all associated Indicators on the Associations card. |
| Associated Intel | The Groups associated to one or more of the Victim’s Assets. |
| Associated Victim Assets | The Victim Assets added to the Victim. Victim Asset(s) are also displayed in the Assets section. |
| Attributes | The Attributes added to the Victim. |
| Description | If a default Description Attribute has been added to the Victim, it will be displayed above the Type, Owner, Victim Organization, and Sub-Organization sections. |
| Nationality | The Victim’s nationality. |
| Owner | The Organization, Community, or Source to which the Victim belongs. |
| Security Labels | The Security Labels applied to the Victim. |
| Sub-Organization | The Victim’s sub-organization. |
| Tags | The Tags applied to the Victim. |
| Type | This section will always display a value of “Victim.” |
| Victim Organization | The Victim’s organization. |
| Work Location | The Victim’s work location. |
Victim Assets
Table 6 provides a description of each section that may be displayed on the Details drawer for a Victim Asset.
| Name | Description |
|---|---|
| Asset | For Email Address, Network Account, and Social Network Victim Assets, this section will display the corresponding account type, if one has been provided; for Phone and Website Victim Assets, this section will always display a value of “None,” as you cannot specify an account type for these Victim Asset types. |
| Associated Indicators | The Indicators associated to the Victim Asset. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the legacy Details screen for the Victim to which the Victim Asset belongs and view all associated Indicators on the Associations card. |
| Associated Intel | The Groups associated to the Victim Asset. |
| Type | This Victim Asset’s type. |
| Victim | The Victim to which the Victim Asset belongs. |
Details Drawer Options Menu
The Details drawer options menu, available for Indicators, Groups, and Tags only, lets you perform additional actions while investigating objects of these types.
Indicators
If you are viewing the Details drawer for an Indicator, click the ⋯ menu at the upper-right corner of the drawer to display the following options:
- Pivot: Select Pivot to pivot from the Indicator and view its associated objects on the Browse screen.
- Follow: If you are not following the Indicator, the ⋯ menu will display the Follow option. Select Follow to follow the Indicator. By default, the notification priority level for the followed Indicator will be set to Medium.
- Unfollow: If you are already following the Indicator, the ⋯ menu will display the Unfollow option. Select Unfollow to unfollow the Indicator.
- Delete: If your user account has permissions to delete Indicators in the Indicator’s owner, the ⋯ menu will display the Delete option. Select Delete to delete the Indicator.
Groups
If you are viewing the Details drawer for a Group , click the ⋮ menu at the upper-right corner of the drawer to display one or more of the following options:
- Download: If the Details drawer is for a Document, Signature, or Report Group with a file attachment, the Download option will be available. Select Download to download the Group’s file attachment.
- Pivot: Select Pivot to pivot from the Group and view its associated objects on the Browse screen.
Note
If the Group whose Details drawer you are viewing does not have any Indicator associations or a file attachment, the Details drawer will not display the ⋮ menu.
Tags
If you are viewing the Details drawer for a Tag, click the ⋮ menu at the upper-right corner of the drawer to display the following option:
- Pivot: Select Pivot to pivot from the Tag and view its associated objects on the Browse screen.
Note
If the Tag whose Details drawer you are viewing does not have any associations, the Details drawer will not display the ⋮ menu.
Accessing the Details Screen From the Details Drawer
If you are viewing the Details drawer for a Group, Tag, Track, Victim, or Victim Asset, click View full details
at the upper-right corner of the drawer to open the object’s Details screen. If you are viewing the Details drawer for an Indicator, click the Indicator’s summary at the upper-left corner of the drawer to open the Indicator’s Details screen.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
DomainTools® and Farsight Security® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
Quad9® is a registered trademark of Quad9 Foundation.
Shodan® is a registered trademark of Shodan.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20051-03 v.17.A
Was this article helpful?
