Documentation Index

Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt

Use this file to discover all available pages before exploring further.

🎉 ThreatConnect® 8.0 is now available!

Interpreting Results: Entity Details, Attributes & Scoring

Prev Next

ThreatConnect 101  

Interpreting Results: Entity Details, Attributes & Scoring

This video highlights the process for managing and interpreting findings within the platform by leveraging various features to synthesize intelligence from multiple sources.



Guide: Interpreting Search Results -  Entity Details, Attributes & Scoring

Finding a result is only the first step. The real analysis happens in the details view. This guide covers what ThreatConnect shows you about vulnerabilities and indicators, where that information comes from, and how to read the Threat Assess Score.

Key Steps:

  1. From a search result, click into a vulnerability (CVE) object's preview panel or open its full details page.
  2. Review the auto-populated CVSS score and description. ThreatConnect enriches CVEs automatically (via VulnCheck/VMRay), even if the CVE was reported by only one feed or you uploaded it yourself.
  3. If the CVE is a known exploited vulnerability, review the Known Exploited section, which shows exploit details, the associated vendor, any ransomware campaign linkage, and the recommended remediation action. This section only appears if the CVE is on the Known Exploited Vulnerabilities (KEV) catalog - it won't always be present.
  4. Check the Tags for quick context on industry, geography, or other categorization.
  5. Open the Attributes tab (the full details page gives you more room to view this than the preview panel). Attributes are structured metadata fields; description, source reference, confidence level, analyst notes that are aggregated from every intelligence feed that has reported on this object, so you don't have to check each feed individually.
  6. Now search for an indicator. For example, an IP address and open its full details page.
  7. Locate the Threat Assess (TA) Score, a 0–1000 composite score. It combines what your own instance knows about the indicator, what ThreatConnect's Collective Analytics Layer (CAL) knows globally, and any analyst-applied threat/confidence ratings. This “best of both worlds” approach makes the score more reliable than relying on a single source. TA Scores can be customized per organization, so ask your admin if you want to understand your org's specific weighting.
  8. Review the auto-populated Geolocation data (for IP addresses) and any DNS Resolutions linking the indicator to related domains.
  9. Open the Enrichment tab (available on indicators, not groups) to pull live context from third-party services like VirusTotal, Shodan, or AbuseIPDB. 
  10. Use the Refresh button to pull the latest enrichment data on demand.

Good to know:

  • If the Threat Assess Score looks different across different source rows, that's expected. Each source shows the indicator's score as reported by that source. The aggregated score appears on the full details page.
  • The Enrichment tab only appears on the newer details page UI and requires an admin to configure API keys per service. If you don't see it, check with your admin.
  • Attributes can pile up when many feeds report on the same object. Focus on the description, source URL, and any analyst notes rather than reviewing every field.
  • If an indicator was marked Private during upload, CAL data won't feed back for it, which can limit enrichment and CAL-based scoring.