- 26 Aug 2022
- 5 Minutes to read
- Updated on 26 Aug 2022
Figure 1 shows an example of the Artifacts card for a Case, which is located below the Potential Associations card on the right side of the screen displaying the Case.
The Type column displays the data type for the Artifact. The potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types determined by ThreatConnect and your System Administrator. Click the Type heading to sort the table on the Artifacts card by type.
The Summary column displays the data that the Artifact contains (or, for Artifacts that are files, the name of the file), as well as the source (i.e., the name of the user who added the Artifact to the Case). Click the Summary heading to sort the table on the Artifacts card in alphanumeric order by summary.
For Artifacts that are ThreatConnect Indicator types, there will be a small down arrow to the right of the summary that, when clicked, will display one of the following options:
- A Learn more about it link, which is displayed for Indicators that do not exist in an owner to which you have access.
- One or more links to Organizations, Communities, or Sources where the Indicator exists and to which you have access (Figure 2).
For Indicators that do not exist in an owner to which you have access (http://www.bardurl.com in this example), click the Learn more about it link to display a drawer with information about the Indicator (Figure 3).
To add the Indicator to one of your owners, click the plus icon at the upper-right corner of the drawer and select the desired owner from the ADD TO OWNER dropdown (Figure 4).
To view more information about the Indicator, click the Details icon at the upper-right corner of the drawer. A screen with more details about the Indicator will be displayed (Figure 5). You can also add the Indicator to an owner from this screen by selecting an owner from the Owner dropdown menu and then clicking the SAVE button.
For Indicators that already exist in an owner to which you have access, you can display a drawer similar to the one in Figure 3 by selecting an owner from the dropdown menu shown in Figure 2.
If an Artifact exists in multiple Cases in your Organization, a CASES dropdown will be displayed in the Links column for that Artifact. Click this dropdown to select another Case in which the Artifact exists to open the Case in a new browser tab (Figure 6).
The CAL column displays the Collective Analytics Layer (CAL™) reputation score and status for all Artifacts that are ThreatConnect Indicator types. The status (• Active for the 22.214.171.124 IP Address Artifact in Figure 1) indicates CAL’s assessment of whether the Indicator is an active Indicator of Compromise (IOC) at the current time. Depending on this assessment, one of the following statuses may be displayed below the Indicator’s CAL reputation score:
- • Active: CAL has identified the Indicator as an active IOC at the current time.
- • Inactive: CAL has identified the Indicator as an inactive IOC at the current time.
If CAL did not return data identifying whether the Indicator is active or inactive at the current time, no status will be displayed below the Indicator’s CAL reputation score.
The ThreatAssess column displays the ThreatAssess score and assessment for all Artifacts that are ThreatConnect Indicator types. By default, the table on the Artifacts card is sorted from highest to lowest ThreatAssess score, followed by items without a ThreatAssess score (i.e., Artifacts that are not ThreatConnect Indicator types). Click the ThreatAssess heading to reverse the sort order.
For Artifacts generated by a Task, the Task column displays the name of the Task that generated the Artifact.
The Date column displays the date and time when the Artifact was added to the Case. Click the Date heading to sort the table on the Artifacts card by date.
The Status column displays information on Indicator status for all Artifacts that are ThreatConnect Indicator types:
- Orange checkmark: For Indicators that already exist in a ThreatConnect owner, this icon indicates that the Indicator corresponding to the Artifact has an active status. All Artifacts corresponding to Indicators that do not exist in a ThreatConnect owner display this icon as well.
- Gray circle with a horizontal line: This icon indicates that the Indicator corresponding to the Artifact has an inactive status. It is displayed only for Artifacts corresponding to Indicators that already exist in a ThreatConnect owner.
The FILTERS selector provides options for filtering displayed Artifacts by type, status, ThreatAssess assessment level, and source (Figure 7). Note that you can combine these filters to further customize the display.
- Type: Select one or more Artifact types to display on the Artifacts card.
- Status: Select Active or Inactive to display Indicators with that Indicator status only.
- Analytics Score: Select one or more ThreatAssess assessment levels to display Indicators with the selected level(s) only. Note: Selecting options from this menu is a way to exclude Artifacts that do not have a ThreatAssess score.
- Source: Enter the name of a source (i.e., a user name) to display only Artifacts with this user name as a source.
- Click the APPLY button to apply the selected filters. To reset the filters, click the CLEAR button.
When filters have been applied, an orange circle will be displayed at the upper-left corner of the FILTERS selector. This element helps alert you to the fact that you might be viewing an “incomplete” set of data.
Filtering Artifacts by Summary
To filter Artifacts by summary, enter the desired Artifact contents or file name in the search bar to the right of the FILTERS selector. The displayed Artifacts will be filtered as text is entered into the search bar. Click the Clear icon on the right side of the search bar to clear the entered text.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.