The Details Screen
- Updated on 20 Jan 2023
Overview
The Details screen is the main screen where you can view and manage information and metadata for the following ThreatConnect® object types: Indicators, Groups, Tags, Tracks, and Victims. Although data displayed on the Details screen depends on the type of object you are viewing, some of the most commonly displayed information includes Attributes added to the object, Security Labels and Tags applied to the object, a list of objects associated to the object you are viewing, and insights from CAL™. This screen also provides shortcuts to various ThreatConnect features, such as reporting and the Threat Graph visualization tool.
Before You Start
Minimum Role(s) | Organization role of Read Only User (for viewing data on an object’s Details screen); Organization role of Standard User (for editing data on an object’s Details screen and deleting objects) |
---|---|
Prerequisites | A ThreatConnect object (Indicator, Group, Tag, Track, or Victim); CAL enabled on your ThreatConnect instance and for your Organization (to view information retrieved from CAL for Indicators) |
Viewing the Details Screen
- On the top navigation bar, hover the cursor over Browse and select an object category (i.e., Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) or type (e.g., Host, Adversary) to display a results table containing objects of the selected category or type on the Browse screen.
- Hover over an object’s entry in the table on the Browse screen and click one of the following icons displayed in its Summary cell to display the Overview tab of the Details screen for the object:
  - View full details: Click this icon to open the object’s Details screen in the current browser tab.
  - View full details in new tab: Click this icon to open the object’s Details screen in a new browser tab.

Alternatively, click on an object’s entry in the table on the Browse screen to display its Details drawer, and then click the View full details icon at the upper-right corner of the drawer to display the Overview tab of the Details screen for the object.

New Details Screen View
As of ThreatConnect 7.0, the new Details screen view is available for all Indicator types and the following Group types: Adversary, Attack Pattern, Campaign, Course of Action, Event, Incident, Intrusion Set, Malware, Tactic, Task, Threat, Tool, and Vulnerability. It is not available for Document, Email, Report, and Signature Groups; Tags; Tracks; and Victims.
Figure 1 shows the Overview tab of the new Details screen for a Host Indicator (badguy.com), and Figure 2 shows the Overview tab of the new Details screen for an Adversary Group (Bad Guy).
New Details Screen Header
Indicators
The new Details screen for Indicators (Figure 1) includes the following sections and elements in its header:
- Browse /<Object name>: This section is located at the upper-left corner of the screen and includes a link to view all Indicators on the Browse screen. It also displays the name of the Indicator whose Details screen you are viewing.
- Object icon and name: This section displays the Indicator’s name and an icon corresponding to its Indicator type.
- <Object type> | <Owner type: Owner name>: This section displays the Indicator’s type followed by the type and name of the owner to which it belongs. If the Indicator belongs to multiple owners, a dropdown from which you can select the owner in which you want to view the object’s Details screen will be displayed.
- Revert to Legacy View: Click the Revert to Legacy View button to display the Overview tab of the legacy Details screen for the Indicator in the current browser tab.
- Explore in Graph: Click the Explore In Graph button to open the Indicator’s Threat Graph in the current browser tab.
- Options: Click this button to display a menu with the following options:
- Pivot: Select this option to pivot to a list of all associated intelligence for the Indicator.
- Change Status to Active/Inactive: Select this option to set the Indicator Status to Active (if it is currently set to Inactive) or Inactive (if it is currently set to Active).
- Enable/Disable CAL Status Lock: Select this option to allow (Enable) or prevent (Disable) CAL from changing the Indicator Status.
- Add to Exclusion List: Select this option to add the Indicator to the Indicator Exclusion List corresponding to its Indicator type.
- Delete: Select this option to delete the Indicator.
- Follow Item: Toggle this setting on to receive alerts and updates on changes to the object. After this setting is toggled on, use the bell icons to set the desired notification priority, where Low is one icon, Medium is two icons, and High is three icons.
- Indicator Status: This section displays the Indicator Status and whether it was set by ThreatConnect or CAL. If an Indicator is added to an Exclusion List, the text “⊘ On Exclusion List” will be displayed to the right of the Indicator Status.
Groups
The new Details screen for Groups (Figure 2) includes the following sections and elements in its header:
- Browse /<Object name>: This section is located at the top left of the screen and includes a link to view all Groups on the Browse screen. It also includes the name of the Group whose Details screen you are viewing.
- Object icon and name: This section displays the Group’s name and an icon corresponding to its Group type. In addition, an Edit button will be displayed to the right of the Group’s name that, when clicked, allows you to edit the name.
- <Object type> | <Owner type: Owner name>: This section displays the Group’s type followed by the type and name of the owner to which it belongs.
- Revert to Legacy View: Click the Revert to Legacy View button to display the Overview tab of the legacy Details screen for the Group in the current browser tab.
- Create Report: Click the Create Report button to create a report for the Group and open the Report Editor in a new browser tab.
- Explore in Graph: Click the Explore In Graph button to open the Group’s Threat Graph in the current browser tab.
- Options: Click this button to display a menu with the following options:
- Pivot: Select this option to pivot to a list of all associated intelligence for the Group.
- Download PDF: Select this option to generate a PDF document of the Group.
- Delete: Select this option to delete the Group.
- Follow Item: Toggle this setting on to receive alerts and updates on changes to the object. After this setting is toggled on, use the bell icons to set the desired notification priority, where Low is one icon, Medium is two icons, and High is three icons.
- Intel Rating: This section is where you can view the number of Upvote and Downvote Intel Ratings the Group has received and update the Group's Intel Rating.
Overview Tab
The Overview tab of the new Details screen (Figure 1 and Figure 2) features several cards containing relevant information for the object you are viewing. Depending on the type of object you are viewing, the cards displayed on this tab will vary.
To collapse or expand all cards on the Overview tab, click the Collapse All or Expand All button, respectively, above the Details card. By default, all cards are expanded.
Indicators
Table 1 provides a description of each card that may be displayed on the Overview tab of the new Details screen for an Indicator and the Indicator types for which the card is available.
Card Name | Description | Applicable Indicator Types |
---|---|---|
Attributes | The Attributes card is where you can view the Indicator’s Attributes, including those configured as pinned Attributes, create new Attributes, and manage existing Attributes. | All |
Details | The Details card is where you can view the Indicator’s ThreatAssess score, CAL Classifiers, creation date, and last modified date, as well as view and edit its default Description. It is also where you can view and manage the Security Labels and Tags applied to the Indicator, as well as the Indicator’s Threat and Confidence Ratings. To edit the Indicator’s Description, Security Labels, Confidence Rating, or Threat Rating, click Edit. Note: If a System Administrator has enabled private Indicators on your ThreatConnect instance, a Private checkbox will be displayed at the upper-right corner of the Details card. Select this checkbox to mark the Indicator as private. Note: An Indicator’s default Description Attribute is not displayed on the Attributes card; it is displayed on the Details card only. If a second default Description Attribute is added to an Indicator, that Attribute will be displayed on the Details card and the former default Description Attribute will be displayed on the Attributes card. | All |
DNS Resolution | For Address Indicators, the DNS Resolution card displays Hosts that have resolved to the Address, presently or historically. For Host Indicators, the DNS Resolution card displays the Addresses that have resolved to the Host, presently or historically, and geographic information within ThreatConnect and CAL for those Addresses. | Address; Host |
File Hash Details | The File Hash Details card is where you can view and edit the File Indicator’s MD5, SHA1, and SHA256 file hashes and file size. It also displays analytics about a file sample’s various hashes derived from CAL, if such data are available for the Indicator. Note: If adding a new file hash to an existing File Indicator and a File Indicator containing that file hash exists in the same owner, you will be prompted to merge the two File Indicators into a single Indicator containing both file hashes and any Attributes, Security Labels, and Tags added to each Indicator. You can merge only File Indicators containing different file hash types. For example, you can merge a File Indicator containing an MD5 file hash with a File Indicator containing a SHA1 file hash, but you cannot merge two File Indicators containing MD5 file hashes. Important: As of ThreatConnect version 7.0.0, you can only merge File Indicators using the ThreatConnect v3 API. Attempting to merge File Indicators in the ThreatConnect UI will result in an error. | File |
GeoLocation Data | The GeoLocation Data card displays IP address geographic information within ThreatConnect and CAL for the Address Indicator. | Address |
Investigation Links | The Investigation Links card provides links to search results of various third-party lookup and other information services. Each link is a shortcut to query results for the object, which will open in a new browser tab. | All |
Known File Occurrences | The Known File Occurrences card is where you can create File Occurrences and view the filename, run path, and date of each File Occurrence added to the File Indicator. | File |
Notes | The Notes card is where you can view, create, and manage Notes (i.e., posts) for the Indicator. | All |
Observations, False Positives, & Impressions | The Observations, False Positives, & Impressions card is where you can view the number of observations and false positive reports for the Indicator in your ThreatConnect instance and report the Indicator as a false positive. This card also displays the number of observations, false positive reports, and impressions derived from CAL for the Indicator. | All |
Owners & Feeds | The Owners & Feeds card displays any additional owners to which the Indicator belongs, along with the Threat Rating and Confidence Rating assigned to it by those owners. It also displays any feeds that have reported the Indicator. | All |
Playbooks | The Playbooks card is where you can view and execute active Playbooks with a UserAction Trigger configured for the Indicator’s type. | All |
Whois | The Whois card displays WHOIS information for the Host Indicator. | Host |
Groups
Table 2 provides a description of each card that may be displayed on the Overview tab of the new Details screen for a Group and the Group types for which the card is available.
Card Name | Description | Applicable Group Type(s) |
---|---|---|
Attributes | The Attributes card is where you can view the Group’s Attributes, including those configured as pinned Attributes, create new Attributes, and manage existing Attributes. | All |
Details | The Details card is where you can view the Group’s creation and last modified dates, as well as view and edit its default Description. It is also where you can view and manage Security Labels and Tags applied to the Group. To edit the Group’s Description or Security Labels, click Edit. Note: A Group’s default Description Attribute is not displayed on the Attributes card; it is displayed on the Details card only. If a second default Description Attribute is added to a Group, that Description Attribute will be displayed on the Details card and the former default Description Attribute will be displayed on the Attributes card. | All |
Notes | The Notes card is where you can view, create, and manage Notes (i.e., posts) for the Group. | All |
Playbooks | The Playbooks card is where you can view and execute active Playbooks with a UserAction Trigger configured for the Group’s type. | All |
Associations Tab
The Associations tab (Figure 3) displays tables of all associated Groups, Indicators, Victim Assets, Artifacts, and Cases, as well as potential associations—Cases and, for primary Group objects, Artifacts—that you can review and consider adding as associations to the object. The total number of associated objects will be displayed next to the tab name.
Activity Tab
The Activity tab (Figure 4) displays an activity list for the object, including a summary of the activity performed and the date and time the activity occurred. If an activity was performed on an object before your ThreatConnect instance was upgraded to version 7.0.0 or newer, the text “Legacy Link: ” will be appended to its summary.
Enrichment Tab
For Indicators, the Enrichment tab (Figure 5) will be available if an enrichment service is available for its Indicator type. This tab displays a card for each available enrichment service (VirusTotal™ in this example) that provides a summary of information retrieved from the enrichment service, if it is enabled. Each card also includes an Open Detailed View link to display a detailed view of the information retrieved from the enrichment service and a Retrieve Data button to retrieve new, instead of cached, data.
Legacy Details Screen View
The legacy Details screen view is available for all Indicator types, Group types, Tags, Tracks, and Victims. As of ThreatConnect version 7.0, it is the only Details screen view available for Document, Email, Report, and Signature Groups; Tags; Tracks; and Victims. For all other object types, the new Details screen view is the default view.
For more information on the legacy Details screen view, see The Details Screen (Legacy).
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
VirusTotal™ is a trademark of Google, Inc.
20145-01 v.01.A