Create
  • 18 Oct 2023


Overview

When adding data to ThreatConnect®, you can use the Create option on the top navigation bar to create a single Indicator, Group, Intelligence Requirement, Track, or Victim.

Before You Start

Minimum Role(s)
  • Organization role of Standard User (for creating Indicators, Groups, Intelligence Requirements, Tracks, and Victims)
  • Organization role of Organization Administrator (for enabling Tracks in an Organization)
Prerequisites: None

Creating an Indicator

Hover over Create on the top navigation bar and select an Indicator type (Address in this example). The Create window for the selected Indicator type will be displayed (Figure 1).

Figure 1_Create_7.0.0

 

  • Owner: Select the Organization, Community, or Source that will own the Indicator.
  • Fill out the displayed field(s) for the selected Indicator type. The fields will vary depending on the Indicator type. For example, an Address Indicator will display a field labeled IP Address, whereas a File Indicator will display fields labeled MD5, SHA1, and SHA256.
  • Click the SAVE button to create the Indicator.

Follow these steps for any other Indicators you want to create.

Creating a Group

  1. Hover over Create on the top navigation bar and select a Group type (Adversary in this example). The Details section of the Create screen for that Group type will be displayed (Figure 2). The Details section is where you can enter basic information about the Group being created.

    Figure 2_Create_7.3.0

     

    • Type: By default, this field is set to the selected Group type. If desired, select a different Group type. If a new Group type is selected, the Details section will change to the section for that type automatically.
    • Owner: Select the Organization, Community, or Source that will own the Group.
    • Summary: Enter a name for the Group.
    • Description: Enter a Description for the Group.
    • Apply Description to Associations: Select this checkbox to apply the Description to the associated Indicators provided in the Associations section.
    • Tags: Enter Tags to apply to the Group.
    • Apply Tags to Associations: Select this checkbox to apply the Tags to the associated Indicators provided in the Associations section.
    • Click one of the following buttons to proceed with creating the Group:
      • Next: Click this button to proceed to the optional Associations section. (See Step 2 for further instruction.)
      • Save: Click this button to create the Group.
  2. If you clicked the Next button on the Details section, the Associations section will be displayed (Figure 3). Associations is an optional section where you can create and associate Indicators of relevant types to the Group being created and enter details about the Indicators.

    Figure 3_Create_7.3.0

     

    • Indicator Type: Select an Indicator type. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. After you select an option from the dropdown, the Indicator Type section will display options for entering Indicators of the selected type. If you select Unknown - (parsed), the following options will be displayed:
      • Drop file to attach, or browse: Upload the file containing the Indicators to be imported and associated to the Group. You can view upload requirements by hovering the cursor over the Information icon to the right of the Upload heading.
      • Retain Document as attachment: If uploading a file containing Indicators, select this checkbox to create a Document Group that contains the file and associate it to the Group being created.
      • Enter Text: If you are not uploading a file, enter the text to be parsed, and then click Add (plus icon).
        Note

        Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR. Custom Indicator types may also be parsed if the following conditions are met:

        • a System Administrator selected the Parsable checkbox when configuring the custom Indicator type;
        • the custom Indicator type accepts a single value;
        • a System Administrator created an import rule for the custom Indicator type.

        For more information on custom Indicator types and Indicator import rules, see the “Custom Indicator Types” and “Indicator Import Rules” sections, respectively, of ThreatConnect System Administration Guide.

        Important
        Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
    • Associations: This section displays the Indicators that will be created and associated to the Group in a table with the following columns:
      • Type: This column displays the Indicator’s type.
      • Summary: This column displays the Indicator’s summary.
      • Private: This column will be displayed only if your System Administrator has enabled private Indicators. To mark an Indicator as private, select the corresponding checkbox in the Private column. 
      • Known: This column indicates whether the Indicator exists in the owner selected in the Details section (Figure 2).
      • Actions: To remove an Indicator from the table, click Delete (trash icon) in this column.
    • Association Details: In this section, you can fill out the following information for all Indicators being associated to the Group:
      • Description: Enter a Description for the Indicator(s). If you entered a Description for the Group in the Details section (Figure 2) and selected the Apply Descriptions to Associations checkbox, that Description will be displayed in the text box automatically.
      • Tags: Enter Tags to apply to the associated Indicator(s). If you entered Tags for the Group in the Details section (Figure 2) and selected the Apply Tags to Associations checkbox, those Tags will be displayed in the text box automatically.
      • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Click one of the following buttons to proceed with creating the Group:
      • Next: Click this button to proceed to the optional Attachments section. (See Step 3 for further instruction.)
      • Save: Click this button to create the Group.
  3. If you clicked the Next button on the Associations section, the Attachments section will be displayed (Figure 4). Attachments is an optional section where you can attach related files to the Group.
    Figure 4_Create_7.3.0

     

    • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Click the Save button to create the Group.

Follow Steps 1–3 for any other Groups you want to create. The Associations section (Figure 3) and Attachments section (Figure 4) are the same for all Groups, except that the type of Group and Group icon at the upper-left corner of the screen change based on the type of Group being created. Depending on the Group type selected in Step 1, the Details section may prompt you for additional information:

  • Campaign
    • First Seen: Enter the date when the Campaign was first observed.
  • Document 
    • Upload Document: Use this section to upload the file that the Document Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning, along with a checkbox labeled Add to Malware Vault.
    • Add to Malware Vault: Leave this checkbox cleared unless you are uploading a malware file.
  • Event
    • Status: Select the current status of the Event.
    • Event Date: Enter the date and time when the Event occurred.
  • Incident
    • Status: Select the current status of the Incident.
    • Event Date: Enter the date when the Incident occurred.
  • Report
    • Upload Document: Use this section to upload the file that the Report Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning.
    • Publish Date: Enter the date on which the Report was published.
  • Task
    • Status: Select the current status of the Task.
    • Reminder Date: Select a date when a reminder about the Task will be sent.
    • Assign To: Select one or more users to whom the Task will be assigned.
    • Due Date: Select a due date for the Task.
    • Escalation Date: Select an escalation date, if desired.
    • Escalate To: Select one or more users to whom the Task will be escalated. If the escalation date is met and the Task has not been completed, the system will assign the Task to the selected user(s).
    • Follow: Select this checkbox to follow the Task (i.e., receive notifications about changes and updates), and then select a Notification Level from the dropdown menu that is displayed.
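
A way to preview how pasted text breaks down into the parsable Indicator types named in the Step 2 Note (Address, Email Address, Host, URL, ASN, and CIDR) before using Enter Text. This is an added example, not ThreatConnect code and not the platform's parsing rules; the regular expressions, the `triage` function, and the local `EXCLUDED` set are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample text; all values come from documentation/reserved ranges.
SAMPLE_TEXT = """Beaconing to 198.51.100.23 and 203.0.113.0/24 (AS64500). Phish sent from
billing@mail.example.net linking to http://login.example.org/reset?id=1 ;
resolver logs also show cdn.example.com and internal host 192.0.2.10."""

# Hypothetical local copy of values covered by your Indicator Exclusion List.
EXCLUDED = {"192.0.2.10", "cdn.example.com"}

PATTERNS = [  # most specific shapes first; each pass masks what it matched
    ("URL", re.compile(r"\bhttps?://[^\s<>\"']+", re.I)),
    ("Email Address", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("CIDR", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")),
    ("Address", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")),
    ("ASN", re.compile(r"\bAS\d{1,10}\b", re.I)),
    ("Host", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def is_well_formed(kind, value):
    """Reject look-alikes such as 999.1.1.1 or a /40 prefix."""
    try:
        if kind == "CIDR":
            ipaddress.ip_network(value, strict=False)
        elif kind == "Address":
            ipaddress.ip_address(value)
    except ValueError:
        return False
    return True

def triage(text, excluded=frozenset()):
    """Return (kept, skipped): candidates to enter, and ones to leave out."""
    kept, skipped, seen = [], [], set()
    for kind, pattern in PATTERNS:
        for match in pattern.finditer(text):
            value = match.group(0).rstrip(".,;)")
            if value.lower() in seen:
                continue
            seen.add(value.lower())
            if not is_well_formed(kind, value):
                skipped.append((kind, value, "malformed"))
            elif value.lower() in excluded:
                skipped.append((kind, value, "excluded"))
            else:
                kept.append((kind, value))
        # Mask matches so a URL's hostname is not reported again as a Host.
        text = pattern.sub(lambda m: " " * len(m.group(0)), text)
    return kept, skipped
```

Calling `triage(SAMPLE_TEXT, EXCLUDED)` returns the candidates in pattern order, so the result can be compared against the Type and Summary columns of the Associations table after the text is added.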

Creating an Intelligence Requirement

See Creating Intelligence Requirements for more information.

Creating a Track

Enabling Tracks in an Organization

Before you can create a Track, an Organization Administrator must enable DomainTools™ Reverse Whois Tracking.

Note
The number of Tracks you can create is determined by your agreement with DomainTools.
  1. On the top navigation bar, hover over Settings (settings icon) and select Org Settings. The Organizations Settings screen will be displayed.
  2. Click the Settings tab. The Settings screen will be displayed (Figure 5).
    Figure 5_Create_7.3.0

     

  3. Click the ENABLE button in the Reverse Whois section at the top right of the screen. The Setup DomainTools window will be displayed (Figure 6).
    Figure 6_Create_7.3.0

     

    • User Name: Enter the username associated with the DomainTools API key.
    • API Key: Enter the DomainTools API key.
    • Click the SAVE button.

Creating a New Track

Hover over Create on the top navigation bar and select Track. The Create Reverse Whois Track window will be displayed (Figure 7).

Figure 7_Create_7.3.0

 

  • Owner: Select the Organization, Community, or Source that will own the Track.
  • Name: Enter a name for the Track.
  • Contains/Does Not Contain: Enter terms that the Track should and should not contain.
  • TEST: Use the TEST button to test the Track.
  • Click the SAVE button to create the Track.

Creating a Victim

Hover over Create on the top navigation bar and select Victim. The Create Victim window will be displayed (Figure 8).

Figure 8_Create_7.3.0

 

  • Owner: Select the Organization, Community, or Source that will own the Victim.
  • Name: Enter a name for the Victim.
  • Description: Provide a general description of the Victim, such as why they are a Victim, details about the circumstances that contributed to their being a Victim, or any other noteworthy information.
  • Victim Organization: Enter the name of the Victim’s organization. The default value is the ThreatConnect Organization of the user creating the Victim, but should be changed to the name of the Victim’s organization, which is not necessarily an Organization in ThreatConnect.
  • Sub-Organization: Enter the name of the Victim’s sub-organization (e.g., “IT Department”).
  • Nationality: Enter the nationality of the Victim.
  • Work Location: Enter the work location of the Victim.
  • Click the SAVE button to create the Victim.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® is a registered trademark of DomainTools, LLC.

20003-01 v.13.E

