- 13 Oct 2022
Viewing Artifact Details
- Updated on 13 Oct 2022
Click the arrow to the left of an Artifact in the table on the Artifacts card to display more details about the Artifact (Figure 1).
Summary
This section provides the full summary (i.e., contents) of the Artifact. Artifacts that are too long to be fully displayed in the table on the Artifacts card may be viewed here in their entirety.
CAL
This section, which is displayed only for Artifacts that are of a ThreatConnect Indicator type, provides the information that ThreatConnect’s Collective Analytics Layer (CAL™) has on the Indicator. When collapsed, it displays the Indicator’s CAL reputation score and status. The status (• Active for the 71.6.135.131 IP Address Artifact in Figure 1) indicates CAL’s assessment of whether the Indicator is an active Indicator of Compromise (IOC) at the current time. Depending on this assessment, one of the following statuses may be displayed below the Indicator’s CAL reputation score:
- • Active: CAL has identified the Indicator as an active IOC at the current time.
- • Inactive: CAL has identified the Indicator as an inactive IOC at the current time.
If CAL did not return data identifying whether the Indicator is active or inactive at the current time, no status will be displayed to the right of the Indicator’s CAL reputation score.
Click the arrow to the left to expand the section and display more information provided by CAL (Figure 2).
Associated Indicators
Expand the Associated Indicators section to display all Indicators that have been manually associated to the Artifact (Figure 3).
Click the link in the Summary column, or select Details from the vertical ellipsis to the right of an Indicator’s table entry, to display the Indicator’s Details drawer.
Adding Indicator Associations
To add a new associated Indicator to the Artifact, click Add Associated Indicators at the top right of the Associated Indicators section. The Add Related Intelligence drawer will be displayed, showing all available Indicators that are not associated to the Artifact (Figure 4).
- Select one or more Indicators to associate to the Artifact. If desired, use the FILTERS selector to filter Indicators by type, owner, a range of dates within which Indicators were created, or a range of dates within which Indicators were last modified. You can also enter text in the box to the right of the FILTERS selector to filter Indicators by summary.
  Important: Cross-owner associations are not supported for Artifacts at this time, which means you can only associate Indicators in your Organization to an Artifact. Therefore, it is recommended that you select only your Organization from the Owners dropdown in the FILTERS selector so that the Add Related Intelligence drawer displays Indicators in your Organization only. If you want to associate an Indicator that is not in your Organization to an Artifact, first add it to your Organization and then create the association.
  Warning: As of ThreatConnect version 6.7.0, clicking on an Indicator’s summary in the Summary column of the Add Related Intelligence drawer will produce an application error.
- Click the ADD SELECTED button. The selected Indicator(s) will be associated to the Artifact and added to the Associated Indicators table for the Artifact.
Removing Indicator Associations
To dissociate an Indicator from an Artifact, select Dissociate from the vertical ellipsis to the right of the Indicator’s table entry. The dissociation will happen immediately, and you will not be prompted for confirmation.
Associated Groups
Expand the Associated Groups section to display all Groups, categorized by type, that a user has manually associated to the Artifact (Figure 5). When a Group type’s section is expanded, the summary and creation date for each Group of that type will be displayed.
Click the link in the Summary column, or select Details from the vertical ellipsis to the right of a Group’s table entry, to display the Group’s Details drawer.
Adding Group Associations
To add a new associated Group to the Artifact, click Add Associated Group at the top right of the Associated Groups section. The Add Related Intelligence drawer will be displayed, showing all available Groups that are not associated to the Artifact (Figure 6).
- Select one or more Groups to associate to the Artifact. If desired, use the FILTERS selector to filter Groups by type, owner, a range of dates within which Groups were created, or a range of dates within which Groups were last modified. You can also enter text in the box to the right of the FILTERS selector to filter Groups by summary.
  Important: Cross-owner associations are not supported for Artifacts at this time, which means you can only associate Groups in your Organization to an Artifact. Therefore, it is recommended that you select only your Organization from the Owners dropdown in the FILTERS selector so that the Add Related Intelligence drawer displays Groups in your Organization only. If you want to associate a Group that is not in your Organization to an Artifact, first add it to your Organization and then create the association.
  Warning: As of ThreatConnect version 6.7.0, clicking on a Group’s summary in the Summary column of the Add Related Intelligence drawer will produce an application error.
- Click the ADD SELECTED button. The selected Group(s) will be associated to the Artifact and added to the Associated Groups table for the Artifact.
Removing Group Associations
To dissociate a Group from an Artifact, select Dissociate from the vertical ellipsis to the right of the Group’s table entry. Note that the dissociation will happen immediately, and you will not be prompted for confirmation.
Potentially Associated Indicators
Expand the Potentially Associated Indicators section to display all Indicators with the same summary (i.e., the contents of the Indicator) as the Artifact that exist in owners to which you have access (Figure 7). If no such Indicators exist for the selected Artifact, this section will not be displayed.
Click the link in the Owner column to display the Details drawer for the Indicator in that owner.
You can review the Indicators in the Potentially Associated Indicators table to determine whether to associate them with the Artifact (i.e., by adding them to the Associated Indicators section; see the “Associated Indicators” section for more information).
In addition, when viewing a potentially associated Indicator’s Details drawer, you can review the Groups listed in the Associated Intel section and the Indicators listed in the Associated Indicators section to determine whether to add them as associations as well. Creating these associations is one of the primary ways to connect information gathered within a Workflow Case with the threat intelligence in your Organization.
Potentially Associated Groups
Expand the Potentially Associated Groups section to display all Groups, categorized by type, in your Organization that are associated to the Indicators in the Potentially Associated Indicators section (Figure 8). If there are no Indicators suggested as potential associations, or if there are no Groups associated to Indicators suggested as potential associations, this section will not be displayed.
Expand the section for a Group type to view information about each associated Group of that type. To view a Group’s Details drawer, click the link in the Summary column for the Group.
You can review the Groups in the Potentially Associated Groups table to determine whether to associate them with the Artifact (i.e., by adding them to the Associated Groups section; see the “Associated Groups” section for more information).
In addition, when viewing a potentially associated Group’s Details drawer, you can review the Groups listed in the Associated Intel section and the Indicators listed in the Associated Indicators section to determine whether to add them as associations as well. Creating these associations is one of the primary ways to connect information gathered within a Workflow Case with the threat intelligence in your Organization.
Artifact Notes
Expand this section to view Notes that have been added to this Artifact (Figure 9).
To add a new Note to the Artifact, click Add Artifact Notes at the top right of the Artifact Notes section. The Create Note drawer will be displayed.
Hover the cursor over a Note to display the following options:
- Click the vertical ellipsis and select Remove to remove the Note.
- Click the preview icon to preview the Note.
- Click the edit icon to edit the Note.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.
20123-05 v.03.A