User and Higher
The Details screen is the main screen in ThreatConnect® on which to view information and content on any type of object—including Indicators, Groups, and Victims.
- On the top navigation bar (Figure 1), hover the cursor over BROWSE and then over one of the options (INDICATORS in this example). Click on an object (HOST Indicator in this example) to display a results table (Figure 2).
- Click on one of the entries, and the Details window for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the window, and the Details Overview screen will appear (Figure 4).
- The Details Overview screen can be accessed directly from the results table in Figure 2 by hovering the cursor over any part of the entry's row and clicking on the Details icon that appears on the right-hand side of the Summary cell for the entry (Figure 5).
Details Overview Screen: Components
The Details Overview screen (Figure 4) consists of the following components:
- The PIVOT button at the top left allows users to pivot to a list of all associated intelligence for the object. See Pivoting on Data for more information.
- The DELETE button at the top left allows users to delete an object, depending on the user’s permissions.
- The Navigation Tab Menu beneath the object's name contains a series of tabs relevant to the particular object type. For example, a Host Indicator, like the one shown in this example, has a DNS tab for DNS resolution and a Whois tab for Whois information.
- The Follow Item checkbox on the right-hand side of the Navigation Tab Menu allows users to choose to receive alerts and updates on changes to the object. See Notifications and Following for more information.
- The Owner tab, the blue rectangle in the upper right corner of the screen, allows users to view different Owners’ copies of the object, depending on the user’s permissions. This feature provides the ability to view an Indicator as seen within a user's own Organization or from a particular data feed.
- The Indicator Status section below the Owner tab allows users to set the status of the Indicator as active or inactive and to set the CAL Status Lock, which, if checked, prevents CAL from changing the Indicator Status. See Indicator Status for more information.
- The Indicator Analytics card, on the top left of the screen, provides information from the ThreatAssess and Collective Analytics Layer (CAL™) features. ThreatAssess and CAL provide contextual metrics about Indicators, based on data such as page views and false-positive reports. ThreatAssess metrics are derived from data from Indicators in a user’s local instance, whereas CAL metrics are derived from data from Indicators across the ThreatConnect community of users and partners. See ThreatAssess and CAL for more information.
- Below the Indicator Analytics card, most objects contain a Description card to explain the object's relevance, as well as its Source. See The Description Attribute and Sourcing Data for more information.
- In the Security Label card, users can choose and view Security Labels for the object. See Creating Security Labels and Applying Security Labels for more information.
- The left side of the screen may contain a GeoLocation Data card for an IP Address or Host Indicator. See Using Automated Data Services for more information.
- The Attributes card displays the Attributes of the resource. See Creating Attributes for more information.
- The Playbook Actions card, on the top right of the screen, displays all active UserAction Trigger Playbooks for the Indicator. See Playbooks and Playbooks: The UserAction Trigger for more information. This card will not be present if there are no active UserAction Trigger Playbooks.
- The next card in the right-hand section displays any Additional Owners of the object, along with the Threat Rating and Confidence Rating that those Owners assigned to it.
- The Associations card displays associations between the object and other Indicators, Groups, and Victim Assets. It can be toggled between Graph and Table view and popped out to full-screen view. See Associations for more information.
- The Details card provides information on the type of object, the date and time it was added to ThreatConnect, and the date and time it was last modified. Users can also choose to enable DNS and Whois lookups and set a Threat Rating and Confidence Rating for the object, as well as view its Overall Threat Rating and Overall Confidence Rating. See Setting Indicator Threat and Confidence Ratings for more information.
- In the Observations/False Positives card, users can view the number of observations and false positives on a particular object and report a false positive on the object. See Reporting False Positives for more information.
- Users can add and delete Tags in the Tags card. See Applying Tags and Best Practices: Tags for more information.
- The Investigation Links card provides links to search results of various third-party lookup and other information services. Each link is a shortcut to query results for the object, which will open in a new browser tab.
- Users can post comments in the Add New Comments card.
- Users can view posts in the Posts card. See Posts for more information.