The Details Drawer
  • 18 Sep 2024
Overview

The Details drawer for an Indicator, Group, Tag, Track, Victim, or Victim Asset in ThreatConnect® provides a detailed overview of the threat intelligence data object you are investigating, including its metadata and associations. From this drawer, you can gather context about the object and take additional action, such as opening the Details screen to further analyze the object or pivoting from the object to an associated entity.

Note
For information on the Details drawer for Workflow Cases, see The Details Drawer for Workflow Cases.

Before You Start

User Roles

  • To view the Details drawer for a threat intelligence data object in an Organization, your user account can have any Organization role.
  • To view the Details drawer for a threat intelligence data object in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
  • To delete an Indicator in an Organization via the Details drawer, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To delete an Indicator in a Community or Source via the Details drawer, your user account must have a Community role of Editor or Director for that Community or Source.

Prerequisites

  • To view information retrieved from CAL™ for Indicators, turn on CAL for your Organization and ThreatConnect instance (must be a System Administrator to perform this action).
  • To have access to the Tags Across Owners card and Unified View option on the Details drawer for Indicators, turn on the multiSourceViewEnabled system setting (must be a System Administrator to perform this action).

Accessing the Details Drawer for Threat Intelligence Data

Currently, you can access the Details drawer for threat intelligence data objects in the following areas of ThreatConnect:

Details Drawer Layout

A threat intelligence data object’s Details drawer consists of several sections with relevant information about the object. Depending on the type of object whose Details drawer you are viewing, the layout of the drawer and the data the drawer shows will vary.

Note
The Details drawer displays data in a read-only format.

Indicators

Figure 1 shows the Details drawer for a File Indicator. The Details drawer for all other Indicator types has a similar layout.

Note
If accessing the Details drawer for an Indicator via the Search drawer or a Workflow Case, the drawer will have a layout similar to the one shown in Figure 4.

Figure 1: The Details Drawer (7.1.3)

The Details drawer for Indicators consists of three primary sections:

  • Header: The header of an Indicator’s Details drawer displays the Indicator’s summary, type, and owner, as well as the Indicator’s status and whether it was set locally (i.e., by a user with permission to change an Indicator’s status on your ThreatConnect instance) or by CAL. The header also includes a ⋯ menu, as well as an Explore in Graph button that lets you view the Indicator in Threat Graph.
    Note
    If viewing the Details drawer for an Indicator that exists in multiple owners, the drawer’s header will include an Owners dropdown that you can use to switch between the Indicator’s Details drawer in each of its owners. If the multiSourceViewEnabled system setting is turned on for your ThreatConnect instance, this dropdown will include a Unified View option that lets you view information about the Indicator from all of its owners to which you have access.
    Note
    If CAL Status Lock is turned on for an Indicator, a message stating “CAL Status Lock Enabled” will be displayed in the header of the Indicator’s Details drawer, to the left of the Indicator’s status. Similarly, if an Indicator is on an Indicator Exclusion List, a message stating “⊘ On Exclusion List” will be displayed in the header of the Indicator’s Details drawer, to the left of the Indicator’s status.
  • Details: The top portion of an Indicator’s Details drawer displays the following details about the Indicator:
    • ThreatAssess & CAL: The Indicator’s ThreatAssess score, CAL score, and ThreatAssess and CAL impact factors.
    • Security Labels: The Security Labels applied to the Indicator.
    • Confidence Rating: The Indicator’s Confidence Rating.
    • Threat Rating: The Indicator’s Threat Rating.
    • Date Added: The date and time when the Indicator was created in the owner listed in the Details drawer header.
    • Last Modified: The date and time when the Indicator was last modified in the owner listed in the Details drawer header.
    • Description: The Indicator's default Description Attribute.
    • Source: The Indicator's default Source Attribute.
    • Tags: The Tags applied to the Indicator in the owner listed in the Details drawer header. This section is available only if the multiSourceViewEnabled system setting is turned off. Otherwise, the Tags applied to the Indicator will be displayed on the Tags Across Owners card in the bottom portion of the Details drawer, and they will be the Tags applied to the Indicator across all of the Indicator’s owners to which you have access.
    • CAL™ Classifiers: The CAL Classifiers applied to the Indicator.
  • Cards: The bottom portion of an Indicator’s Details drawer contains cards with relevant information for the Indicator. The cards available in this section depend on the type of Indicator whose Details drawer you are viewing. Click on an individual card to expand and collapse it, or use the Collapse All and Expand All buttons to collapse and expand all cards, respectively.

Table 1 provides a description of each card that may be displayed in the bottom portion of an Indicator’s Details drawer and the Indicator type(s) for which each card is available.

Name | Description | Applicable Indicator Type(s)
Attributes | The Attributes added to the Indicator. | All
Case Associations | The Cases associated to the Indicator. | All
DNS Resolution | The DNS resolution history for the Indicator (domain resolutions for Address Indicators; IP address resolutions for Host Indicators), as well as location and count information for computers that attempted to access suspicious domains captured by Quad9® infrastructure within the last 90 days. | Address; Host
DomainTools | The enrichment data retrieved from DomainTools® for the Host Indicator. Click Retrieve Data on the DomainTools card to retrieve the latest enrichment data from DomainTools for the Indicator. | Host
Farsight Passive DNS | The enrichment data retrieved from Farsight Security® for the Address or Host Indicator. Click Retrieve Data on the Farsight Passive DNS card to retrieve the latest enrichment data from Farsight Security for the Indicator. | Address; Host
File Hash Details | The File Indicator’s MD5, SHA1, and SHA256 file hashes and file size, as well as analytics about a file sample’s various hashes derived from CAL. | File
GeoLocation Data | The IP address geographic information within ThreatConnect and CAL for the Address Indicator. | Address
Group Associations | The Groups associated to the Indicator. | All
Indicator Associations | The Indicators associated to the Indicator. | All
Intelligence Requirement Associations | The IRs associated to the Indicator. | All
Investigation Links | Links to search results of various third-party lookups and other information services. Each link is a shortcut to query results for the Indicator, which will open in a new browser tab. | All
Known File Occurrences | The Known File Occurrences added to the File Indicator. | File
Notes | The posts added to the Indicator. | All
Observations, False Positives, & Impressions | The number of observations and false positive reports for the Indicator in your ThreatConnect instance, as well as the number of observations, false positive reports, and impressions derived from CAL for the Indicator. Select Report False Positive on the Observations, False Positives, & Impressions card to report the Indicator as a false positive. | All
Owners & Feeds | The owners in which the Indicator exists, the Threat Rating and Confidence Rating assigned to the Indicator by those owners, and the feeds that have reported the Indicator. | All
Pinned Association Attributes | The association Attributes added to Groups associated to the Indicator. | All
Playbooks | The active Playbooks with a UserAction Trigger configured for the Indicator’s type. Click Run playbook for a Playbook to execute it. | All
RiskIQ | The enrichment data retrieved from RiskIQ® for the Host Indicator. Click Retrieve Data on the RiskIQ card to retrieve the latest enrichment data from RiskIQ for the Indicator. | Host
Shodan | The enrichment data retrieved from Shodan® for the Address Indicator. Click Retrieve Data on the Shodan card to retrieve the latest enrichment data from Shodan for the Indicator. | Address
Tags Across Owners | The Tags applied to the Indicator across all of the Indicator’s owners to which you have access. This card is available only if your System Administrator turned on the multiSourceViewEnabled system setting. Otherwise, the Tags applied to the Indicator will be displayed in the top portion of the drawer, and they will be the Tags applied to the Indicator only in the owner listed in the Details drawer header. Important: As of ThreatConnect 7.6, the Tags Across Owners card is a beta feature. | All
URLScan | The enrichment data retrieved from urlscan.io for the URL Indicator. Click Retrieve Data on the URLScan card to retrieve the latest enrichment data from urlscan.io for the Indicator. | URL
Victim Asset Associations | The Victim Assets associated to the Indicator. | All
VirusTotal | The enrichment data retrieved from VirusTotal™ for the Address, File, Host, or URL Indicator. Click Retrieve Data on the VirusTotal card to retrieve the latest enrichment data from VirusTotal for the Indicator. | Address; File; Host; URL
Whois | The WHOIS data for the Host Indicator. | Host

Unified View

Important
As of ThreatConnect 7.7, the Unified View option in the Details drawer is a beta feature.

If an Indicator exists in multiple owners and the multiSourceViewEnabled system setting is turned on for your ThreatConnect instance, you can select Unified View in the Owners dropdown in the header of the Indicator’s Details drawer to view information about the Indicator from all of its owners to which you have access (Figure 2).

Figure 2: The Details Drawer (7.7.0)

When Unified View is selected in the Owners dropdown, the Details drawer will display the following information:

Groups

Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, and Vulnerability

Figure 3 shows the Details drawer for a Report Group. The Details drawer for Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Tactic, Threat, Tool, and Vulnerability Groups has a similar layout.

Note
If accessing the Details drawer for an Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, or Vulnerability Group via the Search drawer or a Workflow Case, the drawer will have a layout similar to the one shown in Figure 4.

Figure 3: The Details Drawer (7.7.0)

The Details drawer for Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, and Vulnerability Groups consists of three primary sections:

  • Header: The header of a Group’s Details drawer displays the Group’s summary, type, and owner. It also includes a menu, a + Create Custom Report button that lets you create a report for the Group from scratch or from a Group report template, and a Visual Analysis button that lets you view and analyze the Group in Threat Graph or the ATT&CK® Visualizer.
    Note
    If viewing the Details drawer for an Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, or Vulnerability Group in Threat Graph and the Group exists in multiple owners, the drawer’s header will include an Owners dropdown that you can use to switch between the Group’s Details drawer in each of its owners. However, if there are multiple copies of the Group in a single owner (that is, there is more than one Group with the same name and type in an owner), you cannot choose which copy of the Group the Details drawer will open for in Threat Graph. Also, you cannot toggle between the Details drawer for each copy of the Group in a single owner in Threat Graph.
  • Details: The top portion of a Group’s Details drawer displays the following details about the Group:
    • Security Labels: The Security Labels applied to the Group.
    • First Seen: The date when the Campaign was first seen (Campaign Groups only).
    • Event Date: The date when the Event or Incident took place (Event and Incident Groups only).
    • Event Type: The Event’s type (Event Groups only).
    • Status: The status of the Event or Incident (Event and Incident Groups only).
    • Publish Date: The date when the Report was published (Report Groups only).
    • Date Added: The date and time when the Group was created in the owner listed in the Details drawer header.
    • Last Modified: The date and time when the Group was last modified in the owner listed in the Details drawer header.
    • Description: The Group's default Description Attribute.
    • Source: The Group's default Source Attribute.
    • Tags: The Tags applied to the Group in the owner listed in the Details drawer header.
  • Cards: The bottom portion of a Group’s Details drawer contains cards with relevant information for the Group. The cards available in this section depend on the type of Group whose Details drawer you are viewing. Click on an individual card to expand and collapse it, or use the Collapse All and Expand All buttons to collapse and expand all cards, respectively.

Table 2 provides a description of each card that may be displayed in the bottom portion of a Group’s Details drawer and the Group type(s) for which each card is available.

Note
In Table 2, a value of All in the Applicable Group Types column means the card is available for all of the following Group types: Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, and Vulnerability.

Name | Description | Applicable Group Type(s)
Attributes | The Attributes added to the Group. | All
Case Associations | The Cases associated to the Group. | All
Document File | The name, type, and size of the file uploaded to the Document Group and the status of the file upload. To preview or download the file, click the thumbnail preview or Download, respectively, on the Document File card. | Document
Group Associations | The Groups associated to the Group. | All
Indicator Associations | The Indicators associated to the Group. | All
Intelligence Requirement Associations | The IRs associated to the Group. | All
Notes | The posts added to the Group. | All
Pinned Association Attributes | The association Attributes added to Groups associated to the Group. | All
Playbooks | The active Playbooks with a UserAction Trigger configured for the Group’s type. Click Run playbook for a Playbook to execute it. | All
Report File | The name, type, and size of the file uploaded to the Report Group and the status of the file upload. To preview or download the file, click the thumbnail preview or Download, respectively, on the Report File card. | Report
Victim Asset Associations | The Victim Assets associated to the Group. | All

Email, Signature, and Task

Figure 4 shows the Details drawer for a Signature Group. The Details drawer for Email and Task Groups has a similar layout.

Figure 4: The Details Drawer (7.7.0)

Table 3 provides a description of each section and element that may be displayed on the Details drawer for an Email, Signature, or Task Group and the Group type(s) for which each section is available.

Note
In Table 3, a value of All in the Applicable Group Types column means the card is available for all of the following Group types: Email, Signature, and Task.

Name | Description | Applicable Group Type(s)
Added | The date when the Group was created. | All
Assignees | The users assigned to the Task. | Task
Associated Indicators | The Indicators associated to the Group. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Associations tab of the Group’s Details screen and view all associated Indicators. | All
Associated Intel | The Groups associated to the Group. | All
Associated Victim Assets | The Victim Assets associated to the Group. | All
Attributes | The Attributes added to the Group. | All
+ Create Custom Report | Click Create Custom Report to create a report for the Group from scratch or from a Group report template. | All
Description | If a default Description Attribute has been added to the Group, it will be displayed above the Type, Owner, Added, and Last Modified sections. | All
Due Date | The date when the Task is due. | Task
Email Information | This section displays the following information for the Email Group: the Threat Score of the Email, the sender’s email address, the date when the Email was sent, and the Email’s subject. | Email
File Information | The name and format of the signature file corresponding to the Signature Group and the date when the file was last modified. | Signature
Last Modified | The date when the Group was last modified. | All
Owner | The Organization, Community, or Source to which the Group belongs. | All
Security Labels | The Security Labels applied to the Group. | All
Status | The status of the Task. | Task
Tags | The Tags applied to the Group. | All
Type | The Group’s type. | All
Visual Analysis | Click Visual Analysis to display the following options: | All

Tags

Table 4 provides a description of each section and element that may be displayed on the Details drawer for a Tag, which has a layout similar to the one shown in Figure 4.

Name | Description
Associated Indicators | The Indicators to which the Tag is applied. If there are more than 10 Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Tag’s legacy Details screen and view all Indicators to which it is applied on the Associations card.
Associated Intel | The Groups to which the Tag is applied.
Associated Victims | The Victims to which the Tag is applied.
Explore in Graph | Click Explore in Graph to view the Tag in Threat Graph.
Last Used | The date when the Tag was last used. For Tags that have not been used since the Last Used date was introduced in ThreatConnect, this section will display a value of Unknown.
Owner | The Organization, Community, or Source to which the Tag belongs.
Summary | The Tag’s summary.
Synonymous Tags | This section is displayed only for main Tags defined in Tag normalization rules (i.e., Tags with the main Tag icon displayed to the left of their name in the Summary column on the Browse screen) and provides a list of synonymous Tags associated with the main Tag.
Type | This section will always display a value of “Tag.”

Tracks

Table 5 provides a description of each section that may be displayed on the Details drawer for a Track, which has a layout similar to the one shown in Figure 4.

Name | Description
Active | This section specifies whether the Track is active.
Added | The date when the Track was created.
Description | If a description has been added to the Track, it will be displayed above the Type, Owner, Added, and Active sections.
Owner | The Organization, Community, or Source to which the Track belongs.
Results | The number of results for the Track.
Type | This section will always display a value of “Track.”

Victims

Table 6 provides a description of each section that may be displayed on the Details drawer for a Victim, which has a layout similar to the one shown in Figure 4.

Name | Description
Assets | The Victim Assets added to the Victim. Victim Asset(s) are also displayed in the Associated Victim Assets section.
Associated Indicators | The Indicators associated to one or more of the Victim’s Assets. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Victim’s legacy Details screen and view all associated Indicators on the Associations card.
Associated Intel | The Groups associated to one or more of the Victim’s Assets.
Associated Victim Assets | The Victim Assets added to the Victim. Victim Asset(s) are also displayed in the Assets section.
Attributes | The Attributes added to the Victim.
Description | If a default Description Attribute has been added to the Victim, it will be displayed above the Type, Owner, Victim Organization, and Sub-Organization sections.
Nationality | The Victim’s nationality.
Owner | The Organization, Community, or Source to which the Victim belongs.
Security Labels | The Security Labels applied to the Victim.
Sub-Organization | The Victim’s sub-organization.
Tags | The Tags applied to the Victim.
Type | This section will always display a value of “Victim.”
Victim Organization | The Victim’s organization.
Work Location | The Victim’s work location.

Victim Assets

Table 7 provides a description of each section that may be displayed on the Details drawer for a Victim Asset, which has a layout similar to the one shown in Figure 4.

Name | Description
Asset | For Email Address, Network Account, and Social Network Victim Assets, this section will display the corresponding account type, if one has been provided; for Phone and Website Victim Assets, this section will always display a value of “None,” as you cannot specify an account type for these Victim Asset types.
Associated Indicators | The Indicators associated to the Victim Asset. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the legacy Details screen for the Victim to which the Victim Asset belongs and view all associated Indicators on the Associations card.
Associated Intel | The Groups associated to the Victim Asset.
Type | The Victim Asset’s type.
Victim | The Victim to which the Victim Asset belongs.

Details Drawer Options Menu

The Details drawer options menu, available for Indicators, Groups, and Tags only, lets you perform additional actions while investigating objects of these types.

Indicators

If you are viewing the Details drawer for an Indicator, click the menu in the drawer’s header to display the following options:

  • Pivot: Select Pivot to pivot from the Indicator and view its associated objects on the Browse screen.
  • Follow: If you are not following the Indicator, the menu will display the Follow option. Select Follow to follow the Indicator. By default, the notification priority level for the followed Indicator will be set to Medium.
  • Unfollow: If you are already following the Indicator, the menu will display the Unfollow option. Select Unfollow to unfollow the Indicator.
  • Delete: If your user account has permissions to delete Indicators in the Indicator’s owner, the menu will display the Delete option. Select Delete to delete the Indicator.
Note
If viewing the Details drawer for an Indicator that exists in multiple owners and the Unified View is selected in the Owners dropdown, the menu will not be available in the drawer’s header.

Groups

If you are viewing the Details drawer for an Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, or Vulnerability Group (Figure 3), click the menu in the drawer’s header to display the following options:

  • Pivot: Select Pivot to pivot from the Group and view its associated objects on the Browse screen.
  • Follow: If you are not following the Group, the menu will display the Follow option. Select Follow to follow the Group. By default, the notification priority level for the followed Group will be set to Medium.
  • Unfollow: If you are already following the Group, the menu will display the Unfollow option. Select Unfollow to unfollow the Group.
  • Delete: If your user account has permissions to delete Groups in the Group’s owner, the menu will display the Delete option. Select Delete to delete the Group.

If you are viewing the Details drawer for an Email, Signature, or Task Group (Figure 4), click the menu in the drawer’s header to display the following options:

  • Download: If the Details drawer is for a Signature Group with a file attachment, the Download option will be available. Select Download to download the Signature Group’s file attachment.
  • Pivot: Select Pivot to pivot from the Group and view its associated objects on the Browse screen.
Note
If the Email, Signature, or Task Group whose Details drawer you are viewing does not have any Indicator associations or, for Signature Groups only, a file attachment, the menu will not be available in the drawer’s header.

Tags

If you are viewing the Details drawer for a Tag, click the menu in the drawer’s header to display the following option:

  • Pivot: Select Pivot to pivot from the Tag and view its associated objects on the Browse screen.
Note
If the Tag whose Details drawer you are viewing does not have any associations, the menu will not be available in the drawer’s header.

Accessing the Details Screen From the Details Drawer

If you are viewing the Details drawer for an Email, Signature, or Task Group; Tag; Track; Victim; or Victim Asset, click View full details at the upper-right corner of the drawer to open the object’s legacy Details screen. If you are viewing the Details drawer for an Indicator or an Adversary, Attack Pattern, Campaign, Course of Action, Document, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, or Vulnerability Group, click the object’s summary in the drawer’s header to open the object’s Details screen.


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
DomainTools® and Farsight Security® are registered trademarks of DomainTools, LLC.
VirusTotal™ is a trademark of Google, Inc.
RiskIQ® is a registered trademark of Microsoft Corporation.
Quad9® is a registered trademark of Quad9 Foundation.
Shodan® is a registered trademark of Shodan.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20051-03 v.18.A