Artifacts Card
  • 26 Aug 2022

Figure 1 shows an example of the Artifacts card for a Case, which is located below the Potential Associations card on the right side of the screen displaying the Case.

Note
To collapse or expand the Artifacts card, hover the cursor anywhere in the card and click the arrow displayed at the upper-right corner of the card.
Note
You can use the ThreatConnect Browser Extension to scan a Case for Artifacts and then batch import selected Artifacts into ThreatConnect as Indicators.

Artifacts Table

Type

The Type column displays the data type for the Artifact. The potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types determined by ThreatConnect and your System Administrator. Click the Type heading to sort the table on the Artifacts card by type.

Summary

The Summary column displays the data that the Artifact contains (or, for Artifacts that are files, the name of the file), as well as the source (i.e., the name of the user who added the Artifact to the Case). Click the Summary heading to sort the table on the Artifacts card in alphanumeric order by summary.

For Artifacts that are ThreatConnect Indicator types, there will be a small down arrow to the right of the summary that, when clicked, will display one of the following options:

  • A Learn more about it link, which is displayed for Indicators that do not exist in an owner to which you have access.
  • One or more links to Organizations, Communities, or Sources where the Indicator exists and to which you have access (Figure 2).

For Indicators that do not exist in an owner to which you have access (http://www.bardurl.com in this example), click the Learn more about it link to display a drawer with information about the Indicator (Figure 3).

To add the Indicator to one of your owners, click the plus icon at the upper-right corner of the drawer and select the desired owner from the ADD TO OWNER dropdown (Figure 4).

To view more information about the Indicator, click the Details icon at the upper-right corner of the drawer. A screen with more details about the Indicator will be displayed (Figure 5). You can also add the Indicator to an owner from this screen by selecting an owner from the Owner dropdown menu and then clicking the SAVE button.

For Indicators that already exist in an owner to which you have access, you can display a drawer similar to the one in Figure 3 by selecting an owner from the dropdown menu shown in Figure 2.

Links

If an Artifact exists in multiple Cases in your Organization, a CASES dropdown will be displayed in the Links column for that Artifact. Click this dropdown to select another Case in which the Artifact exists to open the Case in a new browser tab (Figure 6).

Note
When creating the same Artifact in multiple Cases, you must select the Use to potentially associate cases checkbox in order for each Case to be listed in the CASES dropdown menu for the other Case(s). See Adding Artifacts to a Case for more information about the Use to potentially associate cases checkbox.

CAL

The CAL column displays the Collective Analytics Layer (CAL™) reputation score and status for all Artifacts that are ThreatConnect Indicator types. The status (Active for the 71.6.135.131 IP Address Artifact in Figure 1) indicates CAL’s assessment of whether the Indicator is an active Indicator of Compromise (IOC) at the current time. Depending on this assessment, one of the following statuses may be displayed below the Indicator’s CAL reputation score:

  • Active: CAL has identified the Indicator as an active IOC at the current time.
  • Inactive: CAL has identified the Indicator as an inactive IOC at the current time.

If CAL did not return data identifying whether the Indicator is active or inactive at the current time, no status will be displayed below the Indicator’s CAL reputation score.

ThreatAssess

The ThreatAssess column displays the ThreatAssess score and assessment for all Artifacts that are ThreatConnect Indicator types. By default, the table on the Artifacts card is sorted from highest to lowest ThreatAssess score, followed by items without a ThreatAssess score (i.e., Artifacts that are not ThreatConnect Indicator types). Click the ThreatAssess heading to reverse the sort order.

Note
You can use the Analytics Score filter in the FILTERS selector to further filter and select Artifacts by ThreatAssess score. See the "Filtering Artifacts" section for more information.

Task

For Artifacts generated by a Task, the Task column displays the name of the Task that generated the Artifact.

Date

The Date column displays the date and time when the Artifact was added to the Case. Click the Date heading to sort the table on the Artifacts card by date.

Status

The Status column displays information on Indicator status for all Artifacts that are ThreatConnect Indicator types:

  • Orange checkmark: For Indicators that already exist in a ThreatConnect owner, this icon indicates that the Indicator corresponding to the Artifact has an active status. All Artifacts corresponding to Indicators that do not exist in a ThreatConnect owner display this icon as well.
  • Gray circle with a horizontal line: This icon indicates that the Indicator corresponding to the Artifact has an inactive status. It is displayed only for Artifacts corresponding to Indicators that already exist in a ThreatConnect owner.

Filtering Artifacts

FILTERS Selector

The FILTERS selector provides options for filtering displayed Artifacts by type, status, ThreatAssess assessment level, and source (Figure 7). Note that you can combine these filters to further customize the display.

  • Type: Select one or more Artifact types to display on the Artifacts card.
  • Status: Select Active or Inactive to display Indicators with that Indicator status only.
  • Analytics Score: Select one or more ThreatAssess assessment levels to display Indicators with the selected level(s) only.
    Note
    Selecting options from this menu is a way to exclude Artifacts that do not have a ThreatAssess score.
  • Source: Enter the name of a source (i.e., a user name) to display only Artifacts with this user name as a source.
  • Click the APPLY button to apply the selected filters. To reset the filters, click the CLEAR button.

When filters have been applied, an orange circle will be displayed at the upper-left corner of the FILTERS selector. This element helps alert you to the fact that you might be viewing an “incomplete” set of data.

Filtering Artifacts by Summary

To filter Artifacts by summary, enter the desired Artifact contents or file name in the search bar to the right of the FILTERS selector. The displayed Artifacts will be filtered as text is entered into the search bar. Click the Clear icon on the right side of the search bar to clear the entered text.


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.

20123-02 v.02.A

