scoutTHREAT's dashboard is the landing page users will see after logging in. The page features three customizable columns for quick browsing.
The box icon in the top right corner of the navigation bar (immediately to the left of LookingGlass SUITE) allows users to navigate between LookingGlass products. Any product the user is licensed to use is listed when the box icon is clicked; click a product name to be redirected to that environment.
The notification (bell) icon beside the user's initials in the top right corner of the navigation bar shows the number of scoutTHREAT notifications. Notifications are generated when a user is assigned new unprocessed reports or when new data from TICE is awaiting approval.
Navigation Bar: Information
The Information section of the navigation contains links to the following:
Here, users can create Identity objects for organizations (including the user's own), groups, individuals, and other parties relevant to their work.
These entries can be categorized by sector (e.g., government, energy, financial services) and can have contact information and roles added to the object's profile.
Requests for Information
In this section users can view and create Requests for Information (RFIs) for reports, objects, analysis, or other purposes.
Here, users can view or create threat intelligence reports to inform their work. These reports can be categorized by Type and can include attachments, External References, and more.
This section can help with tracking intelligence or other data from external sources, such as file hashes and links to websites with relevant content.
Navigation Bar: Workflow
The Workflow section of the navigation contains links to the following:
Workbenches help users organize data from various sources for effective workflow management. Users can assign a Checklist to each workbench as well as schedule Threat Queries that can keep users updated about specific threat intelligence they are following.
Here, users can find Threat Queries that they have created and saved from Search, including those from the TICE Environment. When these queries are triggered, users can gather and receive intelligence data from various sources.
Users can use Templates to create new checklists. A checklist can help users organize tasks for projects they are working on, operating procedures, etc.
Click on Published to view checklists that have already been created and are currently in use.
Entity Extraction Rules
This section enables analysts to create or edit rules that pull specific Observables (artifacts) out of Information Reports, or reject candidate artifacts that should not become Observables.
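As an added illustration of what a pull/reject rule set does (this is not scoutTHREAT's own rule syntax, which the page does not show, and every rule, network range, and the report text below is a constructed assumption), the following Python applies ordered "pull" regexes for the observable types the page lists under Observables (URLs, email addresses, file hashes, IP addresses, domains) to a refanged report body, then applies "reject" rules that drop internal addresses, the analyst's own domains, and file names that merely look like domains:

```python
"""Toy entity-extraction rule set for an information report.

Added example; the rule format is hypothetical and not scoutTHREAT's.
Pull rules are regexes checked in order; reject rules veto candidates.
"""
import ipaddress
import re
from typing import Dict, List, Set


def refang(text: str) -> str:
    """Undo common analyst defanging (hxxp://, 1.2.3[.]4, user[@]host)
    so the pull rules match the real artifact."""
    text = re.sub(r"hxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[@]", "@")


# Pull rules, applied in this order. Each hit is masked out of the text
# afterwards so a looser later rule (domain) cannot re-extract a fragment
# of an earlier hit (the host part of a URL or e-mail address).
PULL_RULES: Dict[str, "re.Pattern[str]"] = {
    "url": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Reject rules (assumed for this example): the analyst's own domains,
# non-routable address space, and file extensions that look like TLDs.
ORG_DOMAINS: Set[str] = {"example.com"}
REJECT_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
FILE_EXTS: Set[str] = {"exe", "dll", "pdf", "txt", "docx", "xlsx", "zip"}


def reject(kind: str, value: str) -> bool:
    """Return True when a candidate must NOT become an Observable."""
    value = value.lower()
    if kind == "ipv4":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:          # e.g. 999.1.1.1 matched the regex
            return True
        return any(addr in net for net in REJECT_NETS)
    if kind == "domain":
        if value.rsplit(".", 1)[-1] in FILE_EXTS:
            return True             # "setup.exe" is a file name, not a host
        return any(value == d or value.endswith("." + d) for d in ORG_DOMAINS)
    if kind == "email":
        return value.rsplit("@", 1)[1] in ORG_DOMAINS
    return False


def extract(report: str) -> Dict[str, List[str]]:
    """Run the pull rules over a report body and return accepted
    observables grouped by type (first occurrence order, de-duplicated)."""
    text = refang(report)
    found: Dict[str, List[str]] = {k: [] for k in PULL_RULES}
    for kind, pattern in PULL_RULES.items():
        def _take(m):
            value = m.group(0)
            if not reject(kind, value) and value not in found[kind]:
                found[kind].append(value)
            return " " * len(value)     # mask the span, accepted or not
        text = pattern.sub(_take, text)
    return {k: v for k, v in found.items() if v}


# Constructed sample report (not from any real incident).
SAMPLE_REPORT = """Phishing mail from billing@invoice-portal[.]co delivered setup.exe
that beacons to hxxp://cdn-update[.]net/p.php and 203.0.113.45 over port 443.
Related C2 domain: cdn-update-mirror[.]net.
Internal host 10.20.30.40 (ws-1042.corp.example.com) was affected.
SHA256 3f786850e387550fdab836ed7e6dc881de23001b4b8d5f5a9a5e6d9b2e4c0a12
MD5 9e107d9d372bb6826bd81d3542a419d6. Contact soc@example.com."""

if __name__ == "__main__":
    for kind, values in extract(SAMPLE_REPORT).items():
        print(kind, values)
```

Two design points carry over to any real rule set: refang before matching, or defanged artifacts silently fail every pull rule; and mask rejected hits as well as accepted ones, otherwise the rejected e-mail address soc@example.com would be re-extracted as the domain example.com by the looser domain rule.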
Navigation Bar: Intelligence
The Intelligence section of the navigation contains links to the following intelligence objects:
This intelligence object is a type of tactic, technique, or procedure (TTP) that describes the ways adversaries attempt to compromise targets.
A Campaign is a grouping of adversarial behaviors that describes a set of malicious activities or attacks (sometimes called waves) that occur over a period of time against a specific set of targets.
An Indicator contains a pattern that can be used to detect suspicious or malicious activity.
An Infrastructure object is a system, such as a network, server, workstation, or other appliance, that is used to conduct a cyber attack.
A Location object is a city, state, or country that has, or can have, a relationship with other objects.
Malware is a type of tactics, techniques, and procedures (TTP) that denotes malicious code. It generally refers to a software program or script that is deployed into a host or network, usually covertly.
Threat Actors are individuals, groups, or organizations believed to be operating with malicious intent.
Tools are legitimate software that Threat Actors use in attacks; examples include Nmap, Nikto, and RustScan.
Victim Targets are Identities (e.g., organizations, groups, individuals, etc.) that have been recognized as targets of Threat Actors, Malware, and other Intelligence Objects.
A Vulnerability is a weakness or defect in the requirements, design, or implementation of the computational logic (e.g., code) found in software and some hardware components (e.g., firmware) that can be directly exploited to negatively impact the confidentiality, integrity, or availability of that system.
Intelligence objects also include:
Navigation Bar: Observables
In this section, users can browse a list of Observable objects that they have identified or that were shared over TICE.
These objects are described as observed raw data collected from any source including analyst reports, sandboxes, and network and host-based detection tools.
Examples of these observable objects include artifacts, domains, files, processes, IP and MAC addresses, URLs, email addresses and messages, etc.
Navigation Bar: Search
The Search function allows users to search for information in scoutTHREAT's database and in TICE. Users can apply Filters to narrow the search results and can save searches as Threat Queries.