- 25 Oct 2022
- 7 Minutes to read
The Details Screen
- Updated on 25 Oct 2022
- 7 Minutes to read
Minimum Role: Organization role of Read Only User
The Details screen is the main screen where you can view information on any type of object in ThreatConnect®: Indicators, Groups, Tags, Tracks, Victims, or Victim Assets.
Viewing the Details Screen
- On the top navigation bar, hover the cursor over Browse and select an object category (i.e., Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) or type (e.g., Host, Adversary) to display a results table containing objects of the selected category or type on the Browse screen.
- Click on an entry to display its Details drawer (Figure 1).
- Click the Detailsicon at the upper-right corner of the drawer, or hover over the object’s entry in the table and click the Detailsicon displayed on the right side of its Summary cell, to display the Overview tab of the Details screen for the object (Figure 2).
Figure 2 shows the Overview tab of the Details screen for a Host Indicator (badguy.com), whereas Figure 3 shows the Overview tab of the Details screen for an Adversary Group (Bad Guy).
The Overview tab of the Details screen (Figure 2) consists of the following components:
- Explore In Graph: If viewing an Indicator or Group, the Explore In Graph button will be displayed at the top left. Clicking this button will open the object’s graph in a new tab, allowing you to discover, visualize, and explore relationships between Indicators and Groups using a graph-based interface.
- Pivot: The Pivot button at the top left allows you to pivot to a list of all associated intelligence for the object.
- Delete: The Delete button at the top left allows you to delete an object, depending on your permissions.
- Copy To My Org: If viewing a Group that belongs to a Community, the Copy To My Org button will be displayed at the top left (Figure 3). Click this button to copy the Group from the Community to your Organization.
- Download PDF: If viewing an Adversary, Attack Pattern, Campaign, Course of Action, Event, Incident, Intrusion Set, Malware, Report, Tactic, Threat, Tool, or Vulnerability Group, the Download PDF button will be displayed at the top left (Figure 3). Click this button to generate a PDF document of the Group to share with management, customers, or your team members.
- Thumbs Up and Thumbs Down: If viewing a Group, a Thumbs Upand Thumbs Downwill be displayed at the top right of the screen (Figure 3). You can use these icons to vote on whether you found a Group useful.
- Navigation Tab Menu: The Navigation Tab Menu, located below the Pivot and Delete buttons, contains a series of tabs relevant to the particular object type. For example, a Host Indicator, like the one shown in Figure 2, has a DNS tab for DNS resolution and a Whois tab for Whois information. See the “Object-Specific Tabs” section later in this article for descriptions of all object-specific tabs on the Details screen.
- Follow Item: Select the Follow Item checkbox on the right side of the Navigation Tab Menu to receive alerts and updates on changes to the object.
- Owner: The Owner selector, the orange rectangle at the upper-right corner of the screen, allows you to view copies of the object in each owner to which it belongs and to which you have access. You can use this feature to view an Indicator as seen within your Organization, in a Community to which you or your Organization belongs, or from a particular data feed.
- Active: Select the checkbox to set the Indicator Status to active, or clear the checkbox to set the Indicator Status to inactive.
- CAL Status Lock: Select the checkbox to prevent ThreatConnect’s Collective Analytics Layer (CAL™) from changing the Indicator Status.
- Indicator Analytics: The Indicator Analytics card, located at the top left of the screen under the Navigation Tab Menu, provides information from the ThreatAssess and CAL features. ThreatAssess and CAL provide contextual metrics about Indicators, based on data such as page views and false-positive reports. ThreatAssess metrics are derived from data from Indicators in a user’s local instance, whereas CAL metrics are derived from data from Indicators across the ThreatConnect community of users and partners. Depending on your instance’s configuration, two additional options may be displayed in this section:
- Private: If a System Administrator has enabled private Indicators on your ThreatConnect instance, a Private checkbox will be displayed on the Indicator Analytics card. Select this checkbox to mark an Indicator as private.
- Description and Source: This card displays an object’s Description and Source.
- Security Labels: In the Security Labels card, you can apply Security Labels to the object.
- GeoLocation Data: The GeoLocation Data card may be displayed on the left side of the screen for an IP Address or Host Indicator. This card contains IP address geographic information within ThreatConnect.
- Attributes: The Attributes card displays the Attributes of the object.
- Playbook Actions: The Playbook Actions card, located at the top right of the screen under the Navigation Tab Menu, displays all active Playbooks with a UserAction Trigger configured for the object’s type. This card will not be displayed if there are no active Playbooks with a UserAction Trigger configured for the object’s type.
- Additional Owners: The Additional Owners displays any additional owners to which the object belongs, along with the Threat Rating and Confidence Rating assigned to the object by those owners.
- Associations: The Associations card displays associations between the object and other Indicators, Groups, and Victim Assets, as well as information on associated Artifacts, Cases, and potential Artifact and Case associations. You can toggle this card between table view and graph view, with the option to display it in a full-screen view when graph view is selected.
- Details: The Details card provides information on the type of object, the date and time it was added to ThreatConnect, and the date and time it was last modified (for Indicators and Groups). In this card, you can enable DNS and Whois lookups and set a Threat Rating and Confidence Rating for the object, as well as view its Overall Threat Rating and Overall Confidence Rating.
- Observations/False Positives: In the Observations/False Positives card, you can view the number of observations and false positives on a particular object and report a false positive on the object.
- Tags: In the Tags card, you can add and delete Tags.
- Investigation Links: The Investigation Links card provides links to search results of various third-party lookup and other information services. Each link is a shortcut to query results for the object, which will open in a new browser tab.
- Add New Comment: You can post comments in the Add New Comment card.
- Posts: You can view posts in the Posts card.
The Tasks tab (Figure 4) displays any Task Groups associated with the object. To view the Details screen for an associated Task, click the Task’s name in the Subject column.
The Activity tab (Figure 5) displays an activity list for the object, including a summary of the activity performed and the date and time the activity occurred.
The Associations tab (Figure 6) displays the object’s first-level associations and provides options for filtering the association objects and adding an association.
The Spaces tab (Figure 7) displays Contextually Aware Spaces Apps configured for the object.
File Indicators can model a special Indicator-to-Indicator association, which is based on their behavior once opened. These associations can be used to model the fact that malware may contain and create additional files or communicate with network devices The Behavior tab (Figure 8) of a File Indicator’s Details screen can be used to model this behavior.
DNS Resolutions Tab
The DNS Resolutions tab (Figure 9), available for Address Indicators, displays Hosts that have resolved to the Address, presently or historically. This allows for the automated creation of associations between the Host and the Address, as well as enables pivoting.
Host Indicators can leverage DNS resolution tracking for ongoing resolution changes. The DNS tab (Figure 10) for Host Indicators displays two sections:
- DNS Resolution History: This section lists the Addresses that have resolved to the Host Indicator, presently or historically.
- Passive DNS: This section, if available, provides the ability to view a list of the subdomain resolutions and historic IP address resolutions for the Host.
The Whois tab (Figure 11) for Host Indicators provides WHOIS information, if available.
The Sharing tab (Figure 12) allows you to contribute a Group to a Community or Source, as well as publish a Group using the Publish feature. This tab is available on the Details screen for the following Group types: Adversary, Attack Pattern, Campaign, Course of Action, Document, E-mail, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Threat, Tool, and Vulnerability.
The Assets tab (Figure 13) allows you to add assets to an Adversary Group or Victim. Assets that can be added to an Adversary include handles (aliases), phone numbers, and website URLs. Assets that can be added to a Victim include email addresses, social network accounts, network accounts, websites, and phone numbers.
The Tracking tab (Figure 14) allows you to perform a Reverse Whois lookup on any assets added to an Adversary Group.
The Results tab (Figure 15), available only for Tracks, allows you to view domains found in a Reverse Whois lookup performed on an Adversary asset.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.