The Details Drawer
- Updated on 01 Aug 2023
When viewing Indicators, Groups, Tags, Tracks, Victims, or Victim Assets on the Browse screen, you can click on an object to display its Details drawer and view a detailed overview of the object. For example, Figure 1 shows the Details drawer for the badguy.com Host Indicator.
Details Drawer Sections
The Details drawer displays several sections with relevant information for the object you are viewing. Depending on the object’s type, the sections and elements displayed on this drawer will vary.
Indicators
Table 1 provides a description of each section that may be displayed on the Details drawer for an Indicator and the Indicator type(s) for which each section is available.
Name | Description | Applicable Indicator Type(s) |
---|---|---|
Added | The date when the Indicator was created. | All |
Associated Indicators | The Indicator(s) associated to the Indicator. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Associations tab of the Indicator’s Details screen and view all associated Indicators. | All |
Associated Intel | The Group(s) associated to the Indicator. | All |
Associated Victim Assets | The Victim Asset(s) associated to the Indicator. | All |
Attributes | The Attribute(s) added to the Indicator. | All |
CAL™ Insights | The data retrieved from CAL for the Indicator. To expand and collapse a section under the CAL™ Insights heading, click on the respective section heading. | All |
Confidence Rating | The Indicator’s Confidence Rating. | All |
Description | If a default Description Attribute has been added to the Indicator, it will be displayed above the Type, Owner, Added, and Last Modified sections. | All |
DNS | This section specifies whether the DNS resolution tracking feature is active for the Host Indicator. | Host |
Explore in Graph | Click the Explore in Graph button to view the Indicator in Threat Graph. | All |
False Positives | The number of times the Indicator was reported as a false positive. | All |
Indicator Status | This section, located at the upper-left corner of the drawer, displays the Indicator Status for the Indicator and specifies whether it was set by ThreatConnect or CAL. | All |
Investigation Links | A list of links to search results of various third-party lookup and other information services. Each link is a shortcut to query results for the Indicator, which will open in a new browser tab. | All |
Last Modified | The date when the Indicator was last modified. | All |
Observations | The number of times the Indicator was observed by an API user. | All |
Owner | The Organization, Community, or Source to which the Indicator belongs. | All |
Security Labels | The Security Label(s) applied to the Indicator. | All |
Tags | The Tag(s) applied to the Indicator. | All |
Threat Rating | The Indicator’s Threat Rating. | All |
ThreatAssess | The Indicator’s ThreatAssess score and data related to that score. | All |
Type | The Indicator’s type. | All |
Whois | This section specifies whether the WHOIS feature is active for the Host Indicator. | Host |
Groups
Table 2 provides a description of each section that may be displayed on the Details drawer for a Group and the Group type(s) for which each section is available.
Name | Description | Applicable Group Type(s) |
---|---|---|
Added | The date when the Group was created. | All |
Assignees | The user(s) assigned to the Task. | Task |
Associated Indicators | The Indicator(s) associated to the Group. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Associations tab of the Group’s Details screen and view all associated Indicators. | All |
Associated Intel | The Group(s) associated to the Group. | All |
Associated Victim Assets | The Victim Asset(s) associated to the Group. | All |
Attributes | The Attribute(s) added to the Group. | All |
Create Custom Report | Click the Create Custom Report button to create a report for the Group. | All |
Description | If a default Description Attribute has been added to the Group, it will be displayed above the Type, Owner, Added, and Last Modified sections. | All |
Due Date | The date when the Task is due. | Task |
Email Information | This section displays the following information for the Email Group: the Threat Score of the Email, the sender’s email address, the date when the Email was sent, and the Email’s subject. | Email |
Event Date | The date when the Event or Incident took place. | Event; Incident |
File Information | For Document and Report Groups, this section displays the name, type, and size of the file uploaded to the Group; the status of the file upload; and the date when the file was last modified. For Signature Groups, this section displays the name and format of the signature file corresponding to the Group and the date when the file was last modified. | Document; Report; Signature |
First Seen | The date when the Campaign was first seen. | Campaign |
Last Modified | The date when the Group was last modified. | All |
Owner | The Organization, Community, or Source to which the Group belongs. | All |
Security Labels | The Security Label(s) applied to the Group. | All |
Status | The status of the Event, Incident, or Task. | Event; Incident; Task |
Tags | The Tag(s) applied to the Group. | All |
Type | The Group’s type. | All |
Visual Analysis | Click the Visual Analysis button to display a menu with the following options: | All |
Tags
Table 3 provides a description of each section that may be displayed on the Details drawer for a Tag.
Name | Description |
---|---|
Associated Indicators | The Indicator(s) to which the Tag is applied. If there are more than 10 Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Tag’s legacy Details screen and view all Indicators to which it is applied on the Associations card. |
Associated Intel | The Group(s) to which the Tag is applied. |
Associated Victims | The Victim(s) to which the Tag is applied. |
Explore in Graph | Click the Explore in Graph button to view the Tag in Threat Graph. |
Last Used | The date when the Tag was last used. For Tags that have not been used since the Last Used date was introduced in ThreatConnect, this section will display a value of Unknown. |
Owner | The Organization, Community, or Source to which the Tag belongs. |
Summary | The Tag’s summary. |
Synonymous Tags | This section is displayed only for main Tags defined in Tag normalization rules (i.e., Tags with an icon displayed to the left of their name in the Summary column on the Browse screen) and provides a list of synonymous Tags associated with the main Tag. |
Type | This section will always display a value of “Tag.” |
Tracks
Table 4 provides a description of each section that may be displayed on the Details drawer for a Track.
Name | Description |
---|---|
Active | This section specifies whether the Track is active. |
Added | The date when the Track was created. |
Description | If a description has been added to the Track, it will be displayed above the Type, Owner, Added, and Active sections. |
Owner | The Organization, Community, or Source to which the Track belongs. |
Results | The number of results for the Track. |
Type | This section will always display a value of “Track.” |
Victims
Table 5 provides a description of each section that may be displayed on the Details drawer for a Victim.
Name | Description |
---|---|
Assets | The Victim Asset(s) added to the Victim. Victim Asset(s) are also displayed in the Associated Victim Assets section. |
Associated Indicators | The Indicator(s) associated to one or more of the Victim’s Assets. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the Victim’s legacy Details screen and view all associated Indicators on the Associations card. |
Associated Intel | The Group(s) associated to one or more of the Victim’s Assets. |
Associated Victim Assets | The Victim Asset(s) added to the Victim. Victim Asset(s) are also displayed in the Assets section. |
Attributes | The Attribute(s) added to the Victim. |
Description | If a default Description Attribute has been added to the Victim, it will be displayed above the Type, Owner, Victim Organization, and Sub-Organization sections. |
Nationality | The Victim’s nationality. |
Owner | The Organization, Community, or Source to which the Victim belongs. |
Security Labels | The Security Label(s) applied to the Victim. |
Sub-Organization | The Victim’s sub-organization. |
Tags | The Tag(s) applied to the Victim. |
Type | This section will always display a value of “Victim.” |
Victim Organization | The Victim’s organization. |
Work Location | The Victim’s work location. |
Victim Assets
Table 6 provides a description of each section that may be displayed on the Details drawer for a Victim Asset.
Name | Description |
---|---|
Asset | For Email Address, Network Account, and Social Network Victim Assets, this section will display the corresponding account type, if one has been provided; for Phone and Website Victim Assets, this section will always display a value of “None,” as you cannot specify an account type for these Victim Asset types. |
Associated Indicators | The Indicator(s) associated to the Victim Asset. If there are more than 10 associated Indicators, a link labeled all associated indicators... will be displayed at the bottom of this section. Click it to display the legacy Details screen for the Victim to which the Victim Asset belongs and view all associated Indicators on the Associations card. |
Associated Intel | The Group(s) associated to the Victim Asset. |
Type | This Victim Asset’s type. |
Victim | The Victim to which the Victim Asset belongs. |
Pivoting From the Details Drawer
If viewing the Details drawer for an Indicator, Group, or Tag, click the vertical ellipsis at the upper-right corner of the drawer and select Pivot to pivot from the object and view its associated objects on the Browse screen.
Accessing the Details Screen From the Details Drawer
To view the Overview tab of the object’s Details screen, click View full details at the upper-right corner of the Details drawer. Alternatively, hover over the object’s entry in the table on the Browse screen and click one of the following icons displayed in its Summary cell (Figure 2):
- View full details: Click this icon to open the object’s Details screen in the current browser tab.
- View details in new tab: Click this icon to open the object’s Details screen in a new browser tab.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.
20051-03 v.16.B