Reviewing ThreatConnect Intelligence Anywhere Scan Results
  • 28 Aug 2023
  • 4 Minutes to read
  • Dark
    Light

Reviewing ThreatConnect Intelligence Anywhere Scan Results

  • Dark
    Light

Article summary

After ThreatConnect® Intelligence Anywhere finishes scanning an online resource, scan results will be displayed on one of three tabs in the Scan Results window: Known Indicators, Unknown Indicators, or Groups.

Note
CAL™ must be enabled on your ThreatConnect instance and for your Organization to scan online resources for Groups, view CAL data for scan results, and leverage CAL’s natural-language processing (NLP) capabilities when scanning for Groups.
Important
If you did not select the Indicators checkbox on the Objects tab of the Settings menu, the Known Indicators and Unknown Indicators tabs will not be displayed in the Scan Results window, and Intelligence Anywhere will not search for potential Indicators when scanning online resources. Similarly, if you did not select the Groups checkbox on the Objects tab of the Settings menu, the Groups tab will not be displayed in the Scan Results window, and Intelligence Anywhere will not search for potential Groups when scanning online resources.

Known Indicators Tab

Potential Indicators found during the scan that exist in a source (i.e., Organization, Community, and Intelligence Source) you selected on the Intel Sources tab of the Settings menu will be displayed on the Known Indicators tab of the Scan Results window (Figure 1). When searching ThreatConnect to determine whether a potential Indicator is a known Indicator, Intelligence Anywhere maintains case sensitivity for URLs, uses uppercase for file hashes, and uses lowercase for all other Indicator types. It also detects defanged URLs (e.g., hxxps://, badguy[dot]com) and refangs them automatically (e.g., https://, badguy.com) before searching ThreatConnect to determine whether a URL is a known Indicator.

scanning-an-online-resource-image-zz4bvlxu

 

A known Indicator’s ThreatAssess score and corresponding assessment level will be displayed to the right of the Indicator. Available ThreatAssess assessment levels include the following:

  • Low: The Indicator’s ThreatAssess score is between 0 and 200, inclusive
  • Medium: The Indicator’s ThreatAssess score is between 201 and 500, inclusive
  • High: The Indicator’s ThreatAssess score is between 501 and 800, inclusive
  • Critical: The Indicator’s ThreatAssess score is between 801 and 1000, inclusive

Clicking on a known Indicator in the Scan Results window (Figure 2) will display the following:

  • the Indicator’s type and ThreatAssess score
  • the Indicator’s CAL score and CAL Indicator Status
  • the source(s) in which Intelligence Anywhere found the Indicator

Graphical user interface, application  Description automatically generated

 

To view the Details screen for the Indicator in an Organization, Community, or Intelligence Source listed in the Found in the Following Sources section, click View in ThreatConnect.

Unknown Indicators Tab

Potential Indicators found during the scan that do not exist in a source you selected on the Intel Sources tab of the Settings menu will be displayed on the Unknown Indicators tab of the Scan Results window (Figure 3).

 

If no information exists in CAL for an unknown Indicator, the text No information available will be displayed to the right of the Indicator. Otherwise, the Indicator’s CAL score and corresponding assessment level will be displayed to the right of the Indicator. Available assessment levels include the following:

  • Low: The Indicator’s CAL score is between 0 and 200, inclusive.
  • Medium: The Indicator’s CAL score is between 201 and 500, inclusive.
  • High: The Indicator’s CAL score is between 501 and 800, inclusive.
  • Critical: The Indicator’s CAL score is between 801 and 1000, inclusive.

Clicking on an unknown Indicator in the Scan Results window will display the Indicator’s type, CAL score, and CAL Indicator Status (Figure 4).

 

Groups Tab

Potential Groups found during the scan will be displayed on the Groups tab of the Scan Results window (Figure 5). Currently, Intelligence Anywhere will return results for Adversary, Attack Pattern, Intrusion Set, Malware, and Threat Groups only.

Graphical user interface, application  Description automatically generated

 

Clicking on a potential Group in the Scan Results window will display data collected from CAL, including its Group type, known aliases, and description (Figure 6).

Graphical user interface, text, application  Description automatically generated

 

To search for the Group by its name and aliases in the sources you selected on the Intel Sources tab of the Settings menu , click the Search for matches in ThreatConnect button. A ThreatConnect Matches section will be displayed (Figure 7).

Graphical user interface, text, website  Description automatically generated

 

If a Group in ThreatConnect matches the Group’s name or a known alias, it will be displayed in the ThreatConnect Matches section. Click on a Group in the ThreatConnect Matches section to display its Group type and the owner to which it belongs in ThreatConnect. To view the Group’s Details screen in a new browser tab, click View in ThreatConnect.

If no matches to the Group’s name or known aliases were found in the selected sources, a message stating so will be displayed in the ThreatConnect Matches section.

CAL NLP Recognition

When scanning an online resource for Groups, Intelligence Anywhere will leverage CAL’s natural-language processing (NLP) capabilities to search for text that is indicative of a MITRE ATT&CK® technique. If such text is found, a Group will be listed on the Groups tab of the Scan Results window that, when clicked, displays a CAL NLP Recognition button (Figure 8).

Note
Currently, Intelligence Anywhere uses CAL’s NLP capabilities to scan for a limited set of ATT&CK® techniques.

Graphical user interface, text, application  Description automatically generated

 

Click the CAL NLP Recognition button to view the text on the scanned online resource that CAL detected as a match to the specified ATT&CK technique (Figure 9).

 

Viewing Results on the Scanned Resource

To view the location of a potential Indicator or Group on the scanned online resource, click the View on pageicon to the right of the object’s entry on the Scan Results window (Figure 1). The potential Indicator or Group will be highlighted on the scanned online resource, and the Details window for the Indicator (Figure 10) or Group (Figure 11) will be displayed at the top right of the screen.

Note
You can drag the Details window to any position on the screen.
Graphical user interface, application  Description automatically generated

 

Graphical user interface, text  Description automatically generated

 

Potential Indicators will be highlighted in either orange (known) or blue (unknown) on a scanned page; potential Groups will be highlighted in blue. Hovering your cursor over a highlighted object will display its Details window.


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20107-06 v.06.A


Was this article helpful?