Viewing Intelligence Requirement Details

The Details screen for an Intelligence Requirement (IR) serves as a starting point for an analyst who has been assigned to review the IR. Here, you can view the local and global results returned by the IR’s keyword query and determine the appropriate course of action to take for each result: associate the result to the IR object, archive the result, or mark the result as a false result. You can also view and manage the IR’s details and associations.

Viewing the Details Screen

Follow these steps to view the Details screen for an IR in ThreatConnect®.

1. On the top navigation bar, hover over Browse and select Intelligence Requirements (IR). A results table containing all IRs in your Organization will be displayed on the Browse screen.
   Note

   To filter IRs displayed on the Browse screen, you must use an advanced query. To initiate an advanced query on the Browse screen while viewing IRs, click Advanced at the top right of the screen. Intelligence Requirements will be selected from the dropdown to the left of the search bar at the top of the screen, and you can view a list of ThreatConnect Query Language (TQL) keywords that may be used when searching for IRs in the left sidebar.
2. Hover over an IR’s entry in the table on the Browse screen and click one of the following icons displayed in its Requirement cell to display the Overview tab of its Details screen (Figure 1):
   • View full details: Click this icon to open the IR’s Details screen in the current browser tab.
   • View full details in new tab: Click this icon to open the IR’s Details screen in a new browser tab.
   

    

Details Screen Header

The Details screen for IRs (Figure 1) includes the following sections and elements in its header:

• Browse / <ID>: This section, located at the upper-left corner of the screen, includes a link to view all IRs on the Browse screen and displays the IR’s ID.
• IR ID and summary: This section displays the IR’s ID and summary (i.e., the question, topic, or statement on which the IR focuses). It also displays an Editbutton to the right of the IR’s summary that, when clicked, allows you to edit the summary.
  
  Note

  If you edit an IR’s summary, the new summary cannot be the same as the summary for an existing IR on the ThreatConnect instance.
• <IR subtype> | Organization: <Organization name>: This section displays the IR’s subtype followed by the name of the Organization to which it belongs.
• Options: Click this button and then select Delete… to delete the IR.
  
  Note

  When deleting an IR, you may experience a delay of up to two minutes after you select Delete…. During this delay, the Delete window will remain on the screen. If the deletion was successful, you will be returned to the Browse screen. If the deletion has timed out, a notification stating that the delete operation was not successful and that you can try again later will be displayed at the lower-left corner of the screen.
• Follow Item: Toggle this setting on to receive alerts and updates on changes to the IR. After this setting is toggled on, use the bellicons to set the desired notification priority, where Low is oneicon, Medium is twoicons, and High is threeicons.

Overview Tab

The Overview tab of the Details screen for IRs (Figure 1) contains two cards: Keyword Tracking & Results and Details. To collapse or expand all cards on this tab, click the Collapse All or Expand All button, respectively, above the Details card. By default, all cards are expanded.

Keyword Tracking & Results

The Keyword Tracking & Results card consists of three sections: Keyword Tracking, Results, and Archived Results.

Keyword Tracking

When expanded, the Keyword Tracking section displays the keywords defined in the IR’s keyword query (Figure 2). To view best practices for defining IR keyword queries, click the Keyword Best Practices & Help link.

Editing a Keyword Query

Click Editat the top right of the Keyword Tracking section. The IR’s keyword query will now be editable (Figure 3).

• Requirement Suggestions: Click this button to view keyword suggestions based on the IR’s summary. Suggestions will be potential aliases for keywords recognized in the IR's summary based on geolocation, MITRE ATT&CK^® tactics and techniques, intrusion sets, tools, and malware families. To add keywords from this section to the Includes Any of the Following or Excludes All of the Following section, select the keywords and then click the + Add to “Include” or + Add to “Exclude” button, respectively. When a keyword is added to either of these sections, it will be removed from the list of suggested keywords.
  
  Note

  If there are multiple Includes Any of the Following sections, you will be prompted to select which of these sections (i.e., Section 1, Section 2, etc.) to add the selected keywords to when you click the + Add to “Include” button.
• Get Suggestions for All: Click this button to retrieve a list of keyword suggestions for the Includes Any of the Following and Excludes All of the Following sections. Suggestions will be potential aliases for keywords recognized in each section based on geolocation, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. At least one keyword must be added to at least one of these sections to use this feature.
• Reset all Archived and False Results on save: If there are results that have been archived or marked as false results, selecting this checkbox will cause those results to be included in the Results section again the next time results are retrieved for the IR.
• Includes Any of the Following: This section displays the keywords that objects must include to be returned as results for the IR. When searching for results, the keyword query uses “OR” logic between each keyword defined in this section (e.g., ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
  • Type keyword here…: Enter a keyword into the text box and then click Addto the right of the text box or press Enter on your keyboard to add it to the Includes Any of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes All of the Following section will result in an error.
  • Get Suggestions: When at least one keyword is added to the Includes Any of the Following section, you can click this button to retrieve keyword suggestions for this section. Suggestions will be potential aliases for keywords recognized in the Includes Any of the Following section based on geolocation, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
    • Select the keywords you want to add to the Includes Any of the Following section and click the + Add Selected button.
    • Click the + Add All button to add all suggested keywords to the Includes Any of the Following section.
  • Remove: Click this icon to the right of a keyword added to the Includes Any of the Following section to remove it.
  • + Add Section: Click this button to add another Includes Any of the Following section. An IR can have up to five Includes Any of the Following sections, each of which is joined by “AND” logic when the keyword query searches for results (e.g., ["<keyword>" OR "<keyword>"] AND ["<keyword>" OR "<keyword>"]). Before you can add a new Includes Any of the Following section, the previous section must have at least one keyword added to it.
  • Delete: When at least two Includes Any of the Following sections are added, this button will be displayed at the top right of each section. Click it to remove the section and its keywords.
• Excludes All of the Following: This section displays the keywords that objects must not include to be returned as results for the IR. When searching for results, the keyword query uses “AND NOT” logic before the set of keywords defined in this section, followed by “OR” logic between each keyword (e.g., AND NOT ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
  • Type keyword here…: Enter a keyword into the text box and then click Addto the right of the text box or press Enter on your keyboard to add it to the Excludes All of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes All of the Following section will result in an error.
  • Get Suggestions: When at least one keyword is added to the Excludes All of the Following section, you can click this button to retrieve keyword suggestions for the section. Suggestions will be potential aliases for keywords recognized in the Excludes All of the Following section based on geolocation, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
    • Select the keywords you want to add to the Excludes All of the Following section and click the + Add Selected button.
    • Click the + Add All button to add all suggested keywords to the Excludes All of the Following section.
  • Remove: Click this icon to the right of a keyword added to the Excludes All of the Following section to remove it.
• Click Confirmat the top right of the section to save your changes.

Results

The Results section displays a table containing the Artifacts, Cases, Groups, Indicators, Tags, and Victims in your owners and the ThreatConnect Global Intelligence Dataset that the keyword query returned, with the total number of results of the selected type (Local or Global) displayed to the right of the Results heading (Figure 4). When searching for local results, the query searches everything you have access to in your ThreatConnect instance, including all Attributes, Tags, names/summaries of objects, and the contents of Report files.

The table displayed in this section contains the following columns:

• Name: This column displays the result’s name.
• Type: This column displays the result’s type.
• Owner: This column displays the Organization, Community, or Source to which the result belongs.
• Matched: This column displays the date when the result was returned by the IR’s keyword query.

To control which columns are displayed in the table, click Select columnsto the right of the search bar, select or clear the checkbox for each column you want to display or hide, respectively, and click the Apply button.

Retrieving Results

After you create an IR, local and global results for its keyword query are retrieved immediately. From that point forward, ThreatConnect and the ThreatConnect Global Intelligence Dataset will be polled daily at a scheduled time configured by your System Administrator (the default is midnight) for new local and global results, respectively. When new results are available, they will be retrieved automatically for the IR. The date and time when the results for an IR were last retrieved are displayed at the top left of the Results card.

To manually retrieve the most recent results for the IR, click the Retrieve Results button.

Toggling Between Local and Global Results

Results for IRs are categorized as local and global. You can toggle between the two result types by selecting one of the following options above the search bar in the Results section:

• Local: Select this option to view results in your Organization, Communities, and Sources that the keyword query returned. If desired, use the Filtersmenu to filter results by owner, type, and a range of dates within which they were matched. You can also enter text in the search box to filter results by name. To view more details about a result, click on its row or name to view its Details drawer or Details screen, respectively.
• Global: Select this option to view results in the ThreatConnect global intelligence dataset that the keyword query returned. If desired, use the Filtersmenu to filter results by type. You can also enter text in the search box to filter results by name. If you have access to the CAL Automated Threat Library Source and a global result exists in that Source, you can click on its row or name to view its Details drawer or Details screen, respectively.
  
  Note

  Indicators with a CAL score of 150 or lower will not be included in the global results.

Managing Results

Click Optionsin a result’s row to display a menu with the following options:

• Convert to Association: Select this option to associate the result to the IR and remove it from the Results section. If associating a global result that does not exist in one of your ThreatConnect owners, a copy of it will be created in your Organization and then associated to the IR.
• Archive Result: Select this option to archive the result (i.e., move the result from the Results section to the Archived Results section). This action is useful when you want to maintain awareness of historical results that may have significance for future investigations.
• Mark as False Result: Select this option to mark the result as a false result (i.e., remove it from the Results section). Results that have been marked as false results are not displayed on the IR's Details screen.
  
  Note

  You can view a false result by resetting the IR's results, which will cause the result that was marked as a false result to be displayed in the Results section again the next time results are retrieved. To reset an IR's results, expand the Keyword Tracking section, click Editat the top right of the section, select the Reset all Archived and False Results on save checkbox, and then click Confirmat the top right of the section to save your changes.

Archived Results

When expanded, the Archived Results section displays the IR’s archived results, with the total number of archived results displayed to the right of the Archived Results heading (Figure 5).

The table displayed in this section contains the following columns:

• Name: This column displays the result’s name.
• Type: This column displays the result’s type.
• Owner: This column displays the Organization, Community, or Source to which the result belongs.
• Result Origin: This column specifies whether the result is a local or global result.
• Archived: This column displays the date when the result was archived.

To control which columns are displayed in the table, click Select columnsto the right of the search bar, select or clear the checkbox for each column you want to display or hide, respectively, and click the Apply button.

If desired, use the Filtersmenu to filter archived results by owner, type, result origin type, a range of dates within which they were archived, and a range of dates within which they were matched. You can also enter text in the search box to filter archived results by name. To view more details about an archived result, click on its row or name to view its Details drawer or Details screen, respectively.

Details

The Details card displays the following information about the IR:

• Date Added: The date when the IR was created.
• Last Modified: The date when the IR was last modified.
• Subtype: The IR’s subtype.
• Category: The IR’s category.
• Description: The IR’s default Description.
• Tags: The standard Tags and ATT&CK Tags applied to the IR.

To edit the IR’s subtype, category, or description, click Editat the top right of the card; to edit the IR’s Tags, click Editat the bottom right of the card. After making the desired changes, click the corresponding Confirmbutton to save those changes.

Associations Tab

The Associations tab displays separate cards containing Groups, Indicators, Victim Assets, Artifacts, and Cases associated to the IR, with the total number of associated objects displayed to the right of the tab’s name. It also displays cards containing potentially associated Artifacts and Cases that you can review and consider adding as associations to the IR. For more information on the Associations tab and the various actions you can perform on this tab, see the “New Details Screen View” section of The Associations Tab.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK^® and ATT&CK^® are registered trademarks of The MITRE Corporation.

20159-06 v.01.A