
Cyware Threat Intelligence eXchange

View Threat Data Object Details

Threat data collates details such as the properties, actions, tasks, feed sources, feed enrichment sources, enrichment details, and more for any threat data object in one place.

As an analyst, you can access all the information and decide the further course of action. Read-only users cannot update the details of threat data.

Note

You can view a maximum of 50,000 records in Threat Data.

In threat data object details, you can access the following information:

Overview

Provides an elaborate and complete overview of the threat data objects. You can view the following details of the Threat Data objects:

  • Value: Shows the actual value of the threat data object.

  • TLP: Shows the Traffic Light Protocol value of the threat data object. You can enter the TLP value here.

  • Type: Shows the type of threat data object.

  • Analyst Score: Shows the score assigned to the threat data object.

  • Reported by Sources: Shows the feed sources that reported this threat data object.

  • Modified On: Shows the latest date when any data of the threat data object was updated or modified.

  • Analyst Description: Shows the description given by the analyst. You can also generate the analyst description using AI Assist. For more information, see

  • CVSS Score Details: Shows the CVSS score assigned to the vulnerability object after enrichment by a CVE tool. A CVSS score ranges between 1 and 10 and can have up to two decimal values. The source for this score appears as CVE.

  • Alias: Shows the aliases of Threat Actors, Malware, Attack Patterns, Campaigns, Infrastructures, Intrusion Sets, and Tools reported by the sources or the custom aliases added manually. You can add a maximum of 50 custom aliases for a threat data object.

  • Created On: Shows the date when this threat data object was created.

  • Published: Shows the date when the threat data object was published.

  • Relations: Shows the relations that this object has with any other object.

  • Action Taken: Shows any actions that were taken on this threat data object.

  • Tasks: Shows any tasks that are created for this threat data object.

  • Custom Attributes: Shows any custom attributes that are added to this threat data object.

  • Sources: Shows the details of the most recent source that reported the threat data object, such as the source name, source created date, and source confidence.

  • Published Collections: Shows the names of the published collections that included this threat data object.

Basic Details

Basic details provide in-depth information on the threat data object, including its STIX classification type, CTIX confidence score, analyst score, custom scores, TLP, published collections, and the object details as reported by various feed sources. You can also generate the analyst description using AI Assist, and more.

Note

You can view the latest seven occurrences of each source that reported the threat data object, based on the system-created date of the threat data object. Every 12 hours, CTIX re-analyzes and updates the latest seven entries in the application.

Generate Analyst Description using AI Assist

AI Assist uses artificial intelligence to analyze the details of an object and generate a summary on demand to use as the analyst description.

Before you Start

AI Assist must be enabled by the administrator in Administration > Configuration > General Settings.

Steps

To generate the analyst description for a threat data object using AI Assist, follow these steps:

  1. Go to Main Menu and select Threat Data under Collection.

  2. Select an object and go to Basic Details.

  3. In Description of the Correlated View of Sources section, click AI-Powered Analyst Description.

    A request is sent to AI Assist to analyze the object details and generate a description. You will receive an in-app notification after AI Assist generates the description.

  4. Click Notifications in the top bar, and then click the notification for the AI-powered description status.

    You can view the description generated by AI Assist for the threat data object.

  5. Review and update the description as required. 

    Note

    To regenerate the description, click AI Assist. A new request is sent to AI Assist to generate the description. You will receive a new in-app notification after the description is generated. 

  6. Click Save.

The description is added to the threat data object as the analyst description.

Relations

Relations provide comprehensive information on the threat data object's relationship details, including any existing relations to other threat data objects from the threat investigations module in CTIX. You can search for the latest relations for any threat data object using a CQL query. CTIX stores up to 10,000 of the latest relations for any threat data object.

You can view the last two months of relations of the threat data object based on the system-created date.

Note

You can view a maximum of 500 relations in the visualizer view and 10,000 relations in the table view.

You can perform the following activities in Table view under Relationship Details:

  • View Relations: You can view relations of the threat data objects which include object type, sub-type, value, relationship type, source, created date, and modified date.

  • Show Preview: You can select Show Preview to preview the details of the object which includes analyst score, type, TLP, country, valid from, valid until, reported by sources, relations count, enrichments, and tags associated with the related object.

  • Search or Filter the relations: You can search based on source, object type, relationship type, TLP, value, sub-type, and created range. 

  • Delete Intel Relation: You can delete an intel relation by clicking on the vertical ellipsis of a relation. 

You can perform the following activities in the Visualizer view under Relationship Details:

  • View Node Details: You can select a node to view the details of the threat data object in Node Details.

  • Add Relation: You can select a node to add a relation, click Add Relation, and select the object type, value, and relationship type. Intel Exchange supports all the relationship types in compliance with the STIX 2.1 standards.
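
Added example, not part of the Cyware documentation or CTIX code: the object type, value, and relationship type chosen in Add Relation correspond to the source_ref, target_ref, and relationship_type properties of a STIX 2.1 relationship object. The Python sketch below builds such an object and lints it against a subset of the STIX 2.1 relationship table. The function names, the strict rejection of pairs outside that subset, and the sample ids are assumptions made for illustration.

```python
import re
import uuid
from datetime import datetime, timezone

# Subset of the relationship table in the STIX 2.1 specification:
# (source type, relationship type) -> allowed target types.
ALLOWED = {
    ("indicator", "indicates"): {"attack-pattern", "campaign", "infrastructure",
                                 "intrusion-set", "malware", "threat-actor", "tool"},
    ("malware", "exploits"): {"vulnerability"},
    ("malware", "uses"): {"attack-pattern", "infrastructure", "malware", "tool"},
    ("threat-actor", "uses"): {"attack-pattern", "infrastructure", "malware", "tool"},
    ("campaign", "attributed-to"): {"intrusion-set", "threat-actor"},
    ("course-of-action", "mitigates"): {"attack-pattern", "indicator", "malware",
                                        "tool", "vulnerability"},
}
SAME_TYPE_ONLY = {"derived-from", "duplicate-of"}  # common types, same object type
STIX_ID = re.compile(r"^([a-z][a-z0-9-]*)--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def check_relation(source_ref, relationship_type, target_ref):
    """Return an error string, or None if the relation passes this lint."""
    src, dst = STIX_ID.match(source_ref), STIX_ID.match(target_ref)
    if not src or not dst:
        return "source_ref and target_ref must be STIX ids (type--uuid)"
    s_type, t_type = src.group(1), dst.group(1)
    if relationship_type == "related-to":  # common type, valid between any objects
        return None
    if relationship_type in SAME_TYPE_ONLY:
        return None if s_type == t_type else f"{relationship_type} needs matching types"
    targets = ALLOWED.get((s_type, relationship_type))
    if targets is None or t_type not in targets:
        return f"{s_type} {relationship_type} {t_type} is not in the table above"
    return None

def build_relation(source_ref, relationship_type, target_ref):
    err = check_relation(source_ref, relationship_type, target_ref)
    if err:
        raise ValueError(err)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"type": "relationship", "spec_version": "2.1",
            "id": f"relationship--{uuid.uuid4()}", "created": now, "modified": now,
            "relationship_type": relationship_type,
            "source_ref": source_ref, "target_ref": target_ref}

# Constructed sample ids (placeholders, not real intelligence).
INDICATOR = "indicator--11111111-1111-4111-8111-111111111111"
MALWARE = "malware--22222222-2222-4222-8222-222222222222"
```
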

The data details refresh every 30 minutes in the Overall Relations widget.

Enrichment

Enrichment provides complete information on the threat data object's enrichment status and enrichment details. 

You can perform the following activities under Enrichment:

  • View Enrichment Tool Status: You can view the count of the enrichment tool status which includes not tried, enriched, tried and failed, and quota completed. 

  • View Sources reported malicious: You can view the list of the sources that reported the object as malicious. 

  • Tool Stats: You can view the count of each inferred verdict from the enrichment tools, such as malicious, non-malicious, and not applicable.

  • Enrichment details: Using third-party enrichment tools, you can enrich the indicators and vulnerabilities. Select the enrichment tool and click Enrich under Enrichment Details. You can click on Re-enrich to enrich anew. 

Action Taken

Action taken provides details of the actions that are executed on the threat data object including manual actions and the tools that enacted the action, such as CTIX-specific or third-party actions.

You can perform the following activities under Action Taken:

  • View Actions Performed: You can view the count of actions and type of actions performed by the CTIX application and third-party applications on the object. 

  • View Action Taken Details: You can view the complete details of the action taken by the CTIX application and third-party applications. 

Tasks

Tasks provide information on the various tasks that an analyst has to perform on this threat object.

You can perform the following actions under Tasks:

  • Add Task: You can add a task that an analyst has to perform on the threat object and assign the task to an analyst or assign it to yourself. You can also add priority to the task and timeline to complete the task. 

  • View Task stages: You can view the stages of the task such as In Progress, Not Started, and Completed.

Notes

Notes provide any additional information associated with this threat data object. You can perform the following actions under Notes:

  • Add Note: You can add a note. Under Notes, select Add Note, and enter the details within 2000 characters.

  • Edit Note: You can edit the existing note. Click on the horizontal ellipsis and select Edit.

  • Delete Note: You can delete an existing note. Click on the horizontal ellipsis and select Delete.