Viewing Intelligence Requirement Details
27 Mar 2024

Article Summary

The Details screen for an Intelligence Requirement (IR) serves as a starting point for an analyst who has been assigned to review the IR. Here, you can view the local and global results returned by the IR’s keyword query and determine the appropriate course of action to take for each result: associate the result to the IR object, archive the result, or mark the result as a false result. You can also view and manage the IR’s details and associations.

Important
The ThreatConnect Global Intelligence Dataset, historically known as CAL™, is used to retrieve keyword suggestions for IRs and global results for IR keyword queries. Even if CAL is not enabled for your ThreatConnect instance, you can still leverage the ThreatConnect Global Intelligence Dataset. In this scenario, data returned from the ThreatConnect Global Intelligence Dataset will be read only, and no information stored in your instance will be shared with or collected by CAL.

Viewing the Details Screen

Follow these steps to view the Details screen for an IR in ThreatConnect®.

  1. On the top navigation bar, hover over Browse and select Intelligence Requirements (IR). A results table containing all IRs in your Organization will be displayed on the Browse screen.
    Note
    To filter IRs displayed on the Browse screen, you must use an advanced query. To initiate an advanced query on the Browse screen while viewing IRs, click Advanced at the top right of the screen. Intelligence Requirements will be selected from the dropdown to the left of the search bar at the top of the screen, and you can view a list of ThreatConnect Query Language (TQL) keywords that may be used when searching for IRs in the left sidebar.
  2. Hover over an IR’s entry in the table on the Browse screen and click one of the following icons displayed in its Requirement cell to display the Overview tab of its Details screen (Figure 1):
    • View full details: Click this icon to open the IR’s Details screen in the current browser tab.
    • View full details in new tab: Click this icon to open the IR’s Details screen in a new browser tab.

    Figure 1

Details Screen Header

The Details screen for IRs (Figure 1) includes the following sections and elements in its header:

  • Browse / <ID>: This section, located at the upper-left corner of the screen, includes a link to view all IRs on the Browse screen and displays the IR’s ID.
  • IR ID and summary: This section displays the IR’s ID and summary (i.e., the question, topic, or statement on which the IR focuses). It also displays an Edit button to the right of the IR’s summary that, when clicked, allows you to edit the summary.
    Note
    If you edit an IR’s summary, the new summary cannot be the same as the summary for an existing IR on the ThreatConnect instance.
  • <IR subtype> | Organization: <Organization name>: This section displays the IR’s subtype followed by the name of the Organization to which it belongs.
  • Options: Click this button and then select Delete… to delete the IR.
  • Follow Item: Toggle this setting on to receive alerts and updates on changes to the IR. After this setting is toggled on, use the bell icons to set the desired notification priority, where Low is one icon, Medium is two icons, and High is three icons.

Overview Tab

The Overview tab of the Details screen for IRs (Figure 1) contains three cards: Keyword Tracking & Results, Details, and Playbooks. To collapse or expand all cards on this tab, click the Collapse All or Expand All button, respectively, above the Details card. By default, all cards are expanded.

Keyword Tracking & Results

The Keyword Tracking & Results card consists of three sections: Keyword Tracking, Results, and Archived Results.

Keyword Tracking

When expanded, the Keyword Tracking section displays the keywords defined in the IR’s keyword query (Figure 2). To view best practices for defining IR keyword queries, click the Keyword Best Practices & Help link.

Figure 2

Editing a Keyword Query

Click Edit at the top right of the Keyword Tracking section. The IR’s keyword query will now be editable (Figure 3).

Important
When defining a keyword query for an IR, it is recommended to use no more than 200 keywords in the query.

Figure 3

  • Requirement Suggestions: Click this button to view keyword suggestions based on the IR’s summary. Suggestions will be potential aliases for keywords recognized in the IR's summary based on geolocation, industry, MITRE ATT&CK® tactics and techniques, intrusion sets, tools, and malware families. To add keywords from this section to the Includes Any of the Following or Excludes Any of the Following section, select the keywords and then click the + Add to “Include” or + Add to “Exclude” button, respectively. When a keyword is added to either of these sections, it will be removed from the list of suggested keywords.
    Note
    If there are multiple Includes Any of the Following sections, you will be prompted to select which of these sections (i.e., Section 1, Section 2, etc.) to add the selected keywords to when you click the + Add to “Include” button.
  • Get Suggestions for All: Click this button to retrieve a list of keyword suggestions for the Includes Any of the Following and Excludes Any of the Following sections. Suggestions will be potential aliases for keywords recognized in each section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. At least one keyword must be added to at least one of these sections to use this feature.
  • Reset all Archived and False Results on save: If there are results that have been archived or marked as false results, selecting this checkbox will cause those results to be included in the Results section again the next time results are retrieved for the IR.
  • Includes Any of the Following: This section displays the keywords that objects must include to be returned as results for the IR. When searching for results, the keyword query uses “OR” logic between each keyword defined in this section (e.g., ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
    • Type keyword here…: Enter a keyword into the text box and then click Add to the right of the text box or press Enter on your keyboard to add it to the Includes Any of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes Any of the Following section will result in an error.
    • Get Suggestions: When at least one keyword is added to the Includes Any of the Following section, you can click this button to retrieve keyword suggestions for this section. Suggestions will be potential aliases for keywords recognized in the Includes Any of the Following section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
      • Select the keywords you want to add to the Includes Any of the Following section and click the + Add Selected button.
      • Click the + Add All button to add all suggested keywords to the Includes Any of the Following section.
    • Remove: Click this icon to the right of a keyword added to the Includes Any of the Following section to remove it.
    • + Add Section: Click this button to add another Includes Any of the Following section. An IR can have up to five Includes Any of the Following sections, each of which is joined by “AND” logic when the keyword query searches for results (e.g., ["<keyword>" OR "<keyword>"] AND ["<keyword>" OR "<keyword>"]). Before you can add a new Includes Any of the Following section, the previous section must have at least one keyword added to it.
    • Delete: When at least two Includes Any of the Following sections are added, this button will be displayed at the top right of each section. Click it to remove the section and its keywords.
  • Excludes Any of the Following: This section displays one or more keywords that objects must not include to be returned as results for the IR. When searching for results, the keyword query uses “AND NOT” logic before the set of keywords defined in this section, followed by “OR” logic between each keyword (e.g., AND NOT ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
    • Type keyword here…: Enter a keyword into the text box and then click Add to the right of the text box or press Enter on your keyboard to add it to the Excludes Any of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes Any of the Following section will result in an error.
    • Get Suggestions: When at least one keyword is added to the Excludes Any of the Following section, you can click this button to retrieve keyword suggestions for the section. Suggestions will be potential aliases for keywords recognized in the Excludes Any of the Following section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
      • Select the keywords you want to add to the Excludes Any of the Following section and click the + Add Selected button.
      • Click the + Add All button to add all suggested keywords to the Excludes Any of the Following section.
    • Remove: Click this icon to the right of a keyword added to the Excludes Any of the Following section to remove it.
  • Click Confirm at the top right of the section to save your changes.
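The query logic described above (OR within an Includes section, AND across up to five sections, AND NOT for the Excludes section, no duplicate keywords, no more than 200 keywords) modelled in Python as an added example; this is not ThreatConnect’s own code. It assumes case-insensitive substring matching, which the article does not specify, and the sample objects are constructed; the per-field matches it returns are the information the Result Details drawer highlights.

```python
"""Model of an IR keyword query in the article's notation:
["kw" OR "kw"] AND ["kw" OR "kw"] AND NOT ["kw" OR "kw"].
Assumption (not stated on the page): keywords match as case-insensitive substrings."""
from __future__ import annotations
from dataclasses import dataclass, field

MAX_INCLUDE_SECTIONS = 5        # page: up to five Includes sections per IR
RECOMMENDED_MAX_KEYWORDS = 200  # page: use no more than 200 keywords per query


@dataclass
class KeywordQuery:
    includes: list[list[str]]                          # one inner list per Includes section
    excludes: list[str] = field(default_factory=list)  # the Excludes section

    def validate(self) -> None:
        """Enforce the constraints the article states for the Keyword Tracking editor."""
        if not 1 <= len(self.includes) <= MAX_INCLUDE_SECTIONS:
            raise ValueError("an IR needs between 1 and 5 Includes sections")
        if any(not section for section in self.includes):
            raise ValueError("every Includes section needs at least one keyword")
        seen: set[str] = set()
        for kw in [k for s in self.includes for k in s] + self.excludes:
            if kw.lower() in seen:  # the editor rejects a keyword already in any section
                raise ValueError(f"keyword already added: {kw!r}")
            seen.add(kw.lower())
        if len(seen) > RECOMMENDED_MAX_KEYWORDS:
            raise ValueError("query exceeds the recommended 200 keywords")

    def render(self) -> str:
        block = lambda kws: "[" + " OR ".join(f'"{k}"' for k in kws) + "]"
        text = " AND ".join(block(s) for s in self.includes)
        return text + (f" AND NOT {block(self.excludes)}" if self.excludes else "")

    def match(self, obj: dict[str, str]) -> dict[str, list[str]] | None:
        """Return {field: [matched keywords]} (what the Result Details drawer
        highlights) if the object is a result for this query, otherwise None."""
        lowered = {f: v.lower() for f, v in obj.items()}
        # AND NOT: one excluded keyword in any field rejects the object outright.
        if any(kw.lower() in v for kw in self.excludes for v in lowered.values()):
            return None
        highlights: dict[str, list[str]] = {}
        for section in self.includes:
            # OR inside a section: any of its keywords, in any field, satisfies it.
            hits = [(f, kw) for f, v in lowered.items() for kw in section if kw.lower() in v]
            if not hits:  # AND across sections: one unsatisfied section fails the object
                return None
            for f, kw in hits:
                highlights.setdefault(f, []).append(kw)
        return highlights


# Constructed sample: an IR on ransomware against the UK, reusing the article's Figure 5
# keywords "uk" and "great britain"; the three objects are invented.
IR_QUERY = KeywordQuery(includes=[["uk", "great britain"], ["ransomware", "extortion"]],
                        excludes=["test data"])
SAMPLE_OBJECTS = {
    "Report A": {"name": "Ransomware campaign hits UK retailers", "Description": "Extortion notes mention Great Britain."},
    "Report B": {"name": "Ransomware wave in Brazil", "Description": "Targets in South America only."},
    "Report C": {"name": "UK ransomware sample", "Description": "Internal test data, do not action."},
}
```

Only Report A is returned: it satisfies both Includes sections, Report B matches no UK keyword, and Report C is rejected by the Excludes section.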

Results

The Results section displays a table containing the Artifacts, Cases, Groups, Indicators, Tags, and Victims in your owners and the ThreatConnect Global Intelligence Dataset that the keyword query returned, with the total number of results of the selected type (Local or Global) displayed to the right of the Results heading (Figure 4). When searching for local results, the query searches everything you have access to in your ThreatConnect instance, including all Attributes, Tags, names/summaries of objects, and the contents of Report files.

Figure 4

The table displayed in this section contains the following columns:

  • Name: This column displays the result’s name.
  • Type: This column displays the result’s type.
  • Owner: This column displays the Organization, Community, or Source to which the result belongs.
  • Matched: This column displays the date when the result was returned by the IR’s keyword query. The date is also a hyperlink to the result’s Result Details drawer. See the “Viewing Result Details” section for more information.

To control which columns are displayed in the table, click Select columns to the right of the search bar, select or clear the checkbox for each column you want to display or hide, respectively, and click the Apply button.

Note
You cannot hide the Name column.

Retrieving Results

After you create an IR, local and global results for its keyword query are retrieved immediately. From that point forward, ThreatConnect and the ThreatConnect Global Intelligence Dataset will be polled daily at a scheduled time configured by your System Administrator (the default is midnight) for new local and global results, respectively. When new results are available, they will be retrieved automatically for the IR. The date and time when the results for an IR were last retrieved are displayed at the top left of the Results card.

To manually retrieve the most recent results for the IR, click the Retrieve Results button.

Important
If your System Administrator has turned off the IR results refresh monitor system setting, then results will not be retrieved automatically for IRs. In this scenario, you must click the Retrieve Results button to manually retrieve the most recent results for an IR.

Toggling Between Local and Global Results

Results for IRs are categorized as local and global. You can toggle between the two result types by selecting one of the following options above the search bar in the Results section:

  • Local: Select this option to view results in your Organization, Communities, and Sources that the keyword query returned. If desired, use the Filters menu to filter results by owner, type, and a range of dates within which they were matched. You can also enter text in the search box to filter results by name. To view more details about a result, click on its row or name to view its Details drawer or Details screen, respectively. Click View result details to see a result’s Result Details drawer, which displays the date and time that the result matched the query and highlights the text in the result that matched one or more of the query keywords. See the “Viewing Result Details” section for more information.
    Note
    The Result Details drawer is not provided for Tags.
  • Global: Select this option to view results in the ThreatConnect Global Intelligence Dataset that the keyword query returned. If desired, use the Filters menu to filter results by type. You can also enter text in the search box to filter results by name. If you have access to the CAL Automated Threat Library Source and a global result exists in that Source, you can click on its row or name to view its Details drawer or Details screen, respectively. Click View result details to see a result’s Result Details drawer, which displays the date and time that the result matched the query and highlights the text in the result that matched one or more of the query keywords. See the “Viewing Result Details” section for more information.
    Note
    The Result Details drawer is not provided for Tags.
    Note
    Indicators with a CAL score of 150 or lower will not be included in the global results.

Managing Results

Click Options in a result’s row to display a menu with the following options:

  • View Result Details: Select this option to see the result’s Result Details drawer, which displays the date and time that the result matched the query and highlights the text in the result that matched one or more of the query keywords. See the “Viewing Result Details” section for more information.
  • Convert to Association: Select this option to associate the result to the IR and remove it from the Results section. If associating a global result that does not exist in one of your ThreatConnect owners, a copy of it will be created in your Organization and then associated to the IR.
  • Archive Result: Select this option to archive the result (i.e., move the result from the Results section to the Archived Results section). This action is useful when you want to maintain awareness of historical results that may have significance for future investigations.
  • Mark as False Result: Select this option to mark the result as a false result (i.e., remove it from the Results section). Results that have been marked as false results are not displayed on the IR's Details screen.
    Note
    You can view a false result by resetting the IR's results, which will cause the result that was marked as a false result to be displayed in the Results section again the next time results are retrieved. To reset an IR's results, expand the Keyword Tracking section, click Edit at the top right of the section, select the Reset all Archived and False Results on save checkbox, and then click Confirm at the top right of the section to save your changes.

Viewing Result Details

The Result Details drawer highlights the fields or other information in a result that matched one or more query keywords, as well as the date and time that the result was matched. For example, in Figure 5, the highlighted words in the result’s name, the Source Attribute, and the Description Attribute are matches to two of the query keywords (uk and great britain). Expand the Keyword Tracking section to view the IR’s query keywords.

Note
If the Result Details drawer does not display any highlighted words, it is possible that the matching text exists in a file or other document attached to the result. You can view a result's attachments on the result's Details screen. Note that matched terms will not be highlighted in attachments.

Figure 5

Archived Results

When expanded, the Archived Results section displays the IR’s archived results, with the total number of archived results displayed to the right of the Archived Results heading (Figure 6).

Figure 6

The table displayed in this section contains the following columns:

  • Name: This column displays the result’s name.
  • Type: This column displays the result’s type.
  • Owner: This column displays the Organization, Community, or Source to which the result belongs.
  • Result Origin: This column specifies whether the result is a local or global result.
  • Archived: This column displays the date when the result was archived.

To control which columns are displayed in the table, click Select columns to the right of the search bar, select or clear the checkbox for each column you want to display or hide, respectively, and click the Apply button.

Note
You cannot hide the Name column.

If desired, use the Filters menu to filter archived results by owner, type, result origin type, a range of dates within which they were archived, and a range of dates within which they were matched. You can also enter text in the search box to filter archived results by name. To view more details about an archived result, click on its row or name to view its Details drawer or Details screen, respectively.

Details

The Details card displays the following information about the IR:

  • Date Added: The date when the IR was created.
  • Last Modified: The date when the IR was last modified.
  • Subtype: The IR’s subtype.
  • Category: The IR’s category.
  • Description: The IR’s default Description.
  • Tags: The standard Tags and ATT&CK Tags applied to the IR.

To edit the IR’s subtype, category, or description, click Edit at the top right of the card; to edit the IR’s Tags, click Edit at the bottom right of the card. After making the desired changes, click the corresponding Confirm button to save those changes.

Playbooks

The Playbooks card is where you can view and execute active Playbooks with a UserAction Trigger configured for IRs.

Associations Tab

The Associations tab displays separate cards containing Groups, Indicators, Victim Assets, Artifacts, and Cases associated to the IR, with the total number of associated objects displayed to the right of the tab’s name. It also displays cards containing potentially associated Artifacts and Cases that you can review and consider adding as associations to the IR. For more information on the Associations tab and the various actions you can perform on this tab, see the “New Details Screen View” section of The Associations Tab.

Important
At this time, you can view associations between IRs and Victim Assets, Artifacts, and Cases only on an IR’s Associations tab.

ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20159-06 v.02.B
