ThreatConnect Glossary

Last Updated: Jul 09, 2018 11:17AM EDT


Accounts Administrator - A role within Organizations that acts as a limited administrative account in that it has the ability to create accounts, limited ability to edit existing accounts, and no ability to delete accounts. It can approve account requests in the Cloud system and create Organizations for non-Cloud systems.
Activity - The Activity tab, found on the Details screen, shows a timeline of of changes made to an object.
Address - An Address Indicator represents a valid IP Address, either IPv4 or IPv6 (e.g.,
Adversary - The Adversary Group represents a malicious actor or group of actors. An Adversary can be tracked by its assets (e.g., websites, email addresses, hacker handles) to allow for monitoring of activity.
ASN - An ASN (Autonomous System Number) Indicator represents a number that uniquely identifies each network on the Internet (e.g., 204288).
Association - Associations are the mechanism through which the ThreatConnect platform models a relationship between two objects. Associating Indicators to Groups empowers an analyst to pivot to any related Group. Indicators can be associated to other Indicators via custom Associations, and users can associate two Groups of the same type (e.g., Documents to Documents).
Attribute - Attributes are key/value data sets that can be added to any Indicator or Group. This type of metadata provides an excellent way to organize, categorize, and integrate Indicators and Groups into an Organization’s analytic workflow. Attributes and their values are managed in Organization Configuration under Attribute Types and Attribute Validation Rules, respectively.



Banned - Users banned from a Community have no access to the Community.
Browse - The Browse screen provides a central point from which to access and filter content in ThreatConnect. Use the Browse screen to view objects (Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) for an Organization, Community, or Source.



CAL - CAL™ (Collective Analytics Layer) is a service that aggregates anonymized data from multiple instances of ThreatConnect and other sources. Analysts may find it useful to compare information from CAL with information that appears in their local instance of ThreatConnect.
Campaign - The Campaign Group represents a collection of Incidents over time.
Card - A card is a rectangular section of the screen on which information on a particular topic is organized and presented.
CIDR - The CIDR (Classless Inter-Domain Routing) Indicator represents a block of network IP addresses (e.g.,
Commenter - A role within Communities that has post and Attribute creation privileges.
Community - A Community is a tightly administered group of ThreatConnect Owners. A Community may have Organizations or individuals as members. Members can contribute intelligence to the Community, vote on Indicator ratings, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. A Community will often be formed around a common purpose, such as an industry sector, a current event, or a geopolitical region.
Community Leader - A role within Organizations that acts as a limited administrative account for users with the need to view Community- and Source-related top-level information existing in the system, but without rights to modify, add, or remove accounts or their settings.
Component - See "Playbook Components."
Component Designer - The Component Designer is the configuration screen where a Playbook Component can be created and edited.
Confidence Rating - The Confidence Rating identifies how confident you are in your Threat Rating. It is measured on a scale of 0–100%—the higher the rating, the higher the confidence.
Contextually Aware Spaces - Contextually Aware Spaces are analytic panes that run and display multiple apps for use with a particular Indicator or Group in a single, convenient place. They are a powerful enrichment tool tailored to automate and improve the way users work with specific Indicator or Group types and provide a way to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.
Contribute - Contribute refers to the action of adding a copy of a Group to a Community or Source. The functionality is found on the Sharing tab of the Details screen for a Group object.
Contributor - A role within Communities that allows users to create Indicators, Groups, and Tags.
Create - A quick way to add data into ThreatConnect is to use the CREATE option on the navigation bar to create a single Indicator, Group, Track, or Victim.
Custom Indicator - For users with a Dedicated or On Premise subscription, ThreatConnect can be extended to create custom Indicator types to support different use cases. Custom Indicators are treated in the same manner as built-in Indicator types, such as URL and File, and they can be associated with Groups, such as Threats, Incidents, and Emails, as well as with other Indicators via the custom Associations functionality. See the ThreatConnect System Administration Guide for more information about using custom Indicators.



Dashboard - The Dashboard is the first screen displayed after a user logs into ThreatConnect. It is the user’s control center for ThreatConnect. Public Cloud users can choose from three dashboards that provide different operational and analytical perspectives on a variety of data and metrics, including recent activity, active Incidents, open Tasks, Indicator trends, query results, and more. TC Manage, TC Analyze, and TC Complete customers can customize their dashboards to display the data they would like to see in the format in which they would like to see it. Each type of information is presented on a card whose location, format, colors, and type of graphic can be set according to the user’s or administrator’s preferences. Users can toggle between multiple dashboards, depending on what type and arrangement of data they would like to see.
Data Store - Data Store is a feature that allows TC Exchange apps to persist data using Elasticsearch®. The app is intentionally decoupled from the data in order to offer a flexible data-sharing environment while still allowing a private database for apps that require it. As such, the information provided by Data Store is essentially "read only." The app interacts with Elasticsearch exclusively through the ThreatConnect API in order to enforce proper security in a multi-tenant environment. See the ThreatConnect System Administration Guide for more details.
Design Mode - When the Playbook Designer is in Design Mode, a Playbook is inactive and can be created and edited.
Director - A role within Communities that enables administration of all data and members.
Document - The Document Group represents an actual file of interest, such as a PDF report that contains valuable intelligence or a malware sample. Documents can have their contents indexed for future searching.



E-mail - The E-mail Group represents an occurrence of a specific suspicious email, such as a phishing attempt.
E-mail Address - The E-mail Address Indicator represents a valid email address (e.g.,
Editor - A role within Communities with full create and delete access.
Elasticsearch - Elasticsearch® is a search engine based on Apache® Lucene®. It provides a distributed, multitenant-capable full-text search engine with an HTTP web interface and schema-free JSON documents. For more information about how ThreatConnect uses Elasticsearch, please visit
Event - The Event Group is an observable occurrence of notable activity in an information system or network that may indicate a security incident. For example, an Event might be created from a SIEM alert that needs to be triaged and investigated.
Execution Mode - When the Playbook Designer is in Execution Mode, a Playbook is active, and details about the Playbook's executions, including execution logs for each app, can be viewed.



False Positive - A false positive is an Indicator that has been erroneously classified as malicious. ThreatConnect allows users to report false positives, although this feature is limited to one report per day per Indicator per user. As such, different users may report the same Indicator once on the same day.
Feeds - ThreatConnect Feeds are a collection of open-source feeds vetted and managed by the ThreatConnect Research team. Each feed may be activated by a System Administrator from the TC Exchange Settings screen. For more information on activating and ingesting ThreatConnect Feeds, see the ThreatConnect System Administration Guide. For more information on the metrics and report card provided for each feed, see Feed Metrics and Report Card.
File - A File Indicator represents a unique file hash or series of hashes (e.g., MD5, SHA-1, and SHA-256).



Group - A Group is a collection of related behavior and intelligence. Groups are currently classified in one of eight categories: Adversary, Campaign, Document, Email, Incident, Signature, Threat, and Task.



Host - The Host Indicator represents a valid hostname, which is also referred to as a domain (e.g.,



Incident - The Incident Group represents a snapshot of a particular intrusion, breach, or other event of interest.
Indicator - An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on ThreatConnect’s Diamond Model. Indicators are guaranteed to be unique within an Owner. Indicators currently are classified in one of 10 categories: Address, Email Address, File, Host, URL, ASN, CIDR, Mutex, Registry Key, and User Agent.
Indicator Status - Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active [i.e., an Indicator of Compromise (IOC) at the current time] or inactive (i.e., an Indicataor that is not an IOC at the current time, but is being kept in ThreatConnect for historical accuracy) and whether the status was set by ThreatConnect (i.e., any user in the ThreatConnect instance) or by ThreatConnect’s Collective Analytics Layer (CAL™).
Intrusion Set - The Intrusion Set Group is a set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a common known or unknown Adversary. New activity can be attributed to an Intrusion Set even if the Adversaries behind the attack are not known. Adversaries can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.
Investigation Links - A card on the Details screen that provides links to search results of various third-party lookup and other information services. Each link is a shortcut to query results for the resource, which will open in a new browser tab.



Metric Card - There are three types of Metrics available for display on dashboard cards: System Metrics, User Metrics, and Playbooks Metrics.

  • System Metrics are predefined by ThreatConnect and divided into three categories: Activities, Indicators, and Intelligence.
    • Activities provides a graphical representation of changes in activity (e.g., Observations, False Positives, Tags, Attributes, Average Indicator Confidence Rating) within the selected Owners over a period of time.
    • Indicators provides a graphical representation of the addition of five types of Indicator (URL, Email Address, File, Host, and Address), as well as enriched Indicators, within the selected Owners over a period of time.
    • Intelligence provides a graphical representation of the addition of Groups within the selected Owners over a period of time.
  • User Metrics are created by Organization Administrators and higher.
  • Playbooks Metrics provide a graphical representation of three metrics calculated by the Playbooks Return on Investment feature for all selected Playbooks: Playbook Dollars Saved, Playbook Execution Count, and Playbook Hours Saved.

Mutex - The Mutex Indicator is a synchronization primitive that can be used to identify malware files and relate malware families (e.g., \Sessions\1\BaseNamedObjects\Globa\CLR_PerfMon_WrapMutex).



Notifications - ThreatConnect allows users to receive push-notification and email updates on changes to Indicators, Groups, Tasks, Tags, Victims, and other items that they want to track.
Notifications Center - The Notifications Center displays push-notification alerts on changes to Indicators, Groups, Tasks, Tags, Victims, and other items users want to track.



Observations - Observations are counts of the number of times an Indicator has been reported by a bidirectional integration with ThreatConnect. They allow users to correlate external intelligence with internal intelligence. For example, if a feed reports the Indicator to ThreatConnect and then your SIEM reports to ThreatConnect that has been noted in your network infrastructure, the Observation tally for the Indicator will increase by 1.
Operations Administrator - A role within Organizations that can perform system administration of accounts. It has access to system-level account settings, but not system settings. It is typically not assigned within operational Organization accounts.
Organization (Org) - An Organization, often referred to as an Org, represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.
Organization Administrator - A role within an Organization with control over all aspects of the Organization, including configuration editing privileges, sharing administration privileges, and Community administration privileges for Communities owned by the Organization.
Overall Threat Rating - For an Organization, Overall Threat Rating is the latest assertion of an Indicator's Threat Rating by any member of the Organization, including via the API. For a Community, Overall Threat Rating is the average of all of the Threat Ratings for the Indicator across the Community, based on the latest assertion per Organization across the Community membership. For a Source, Overall Threat Rating is typically the rating for the Indicator that was set upon the Indicator's import.
Owner - Every piece of data in ThreatConnect has an owner. Owners have full control over the data they own, and they fall under one of the following four categories: Individual, Organization, Community, Source.



Pathways - The various routes between Triggers, Apps, and Operators that a Playbook execution can take.
Pivot - Pivoting is an analytic transition in which a user in ThreatConnect moves from one entity—Indicators and Groups in the ThreatConnect Data Model, as well as Tags and Attributes—to an associated entity in accordance with the methodology defined by the Diamond Model. Through the process of pivoting, users can, in a contiguous manner, explore relationships and find correlations between entities.
Playbook App - A Playbook "App" is an action that is taken by a Playbook in response to a Trigger. There are 12 App categories, which may be viewed by collapsing the menus on the left-hand side of the Playbook Designer after toggling the + APP button.
Playbook Designer - The Playbook Designer is the configuration screen that appears after creating or opening a Playbook. It is the screen where you build and activate a Playbook and where you can view information about the execution of the Playbook.
Playbook Operator - Playbooks Operators are logic-based links between Triggers and Apps.
Playbook ROI - The Playbooks Return on Investment (ROI) feature allows ThreatConnect users to view and visualize the return on investment for the Playbooks executed in their Organization—that is, how much money and time each execution of a given Playbook has saved them (versus doing all of the tasks in the Playbook manually, without orchestration) over various periods of time.
Playbook Trigger - A Playbook Trigger is an event that initiates the actions defined within a Playbook to occur. There are four Trigger categories, which may be viewed by collapsing the menus on the left-hand side of the Playbook Designer.
Playbooks - ThreatConnect Playbooks allows users to automate cyberdefense tasks via a drag-and-drop interface. The interface uses Triggers (e.g., a new IP address Indicator, a phishing email sent to an inbox) to pass data to Apps, which perform a variety of functions, including data enrichment, malware analysis, and blocking actions. Once enabled, Playbooks run in real time and provide users with detailed logs of each run.
Playbook Components - Playbook Components are apps that consist of modules of Playbook elements (Apps and Operators, with a single initial Trigger) that can be called from a Playbook in ThreatConnect. They make Playbook design more convenient when a group of elements is used repeatedly by allowing the elements to be packaged together and called as a single element.
Posts - The Posts page displays comments that were added to Indicators or Groups across your Organization, Communities, and Sources. If an Owner has been selected, there will also be an Add New Comment text box that will allow for commenting directly into that Owner.



Query card - Query cards on the dashboard screen display the results of saved TQL queries.



Registry Key - The Registry Key Indicator represents a node in a hierarchical database that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\MyApp).
Report - The Report Group is a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. It is used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. PDF and HTML files uploaded to a Report are viewable directly on the Report File card on the Overview tab of that Report’s Details screen.
ROI Metrics - Metrics on Playbook Return on Investment (ROI) are available on dashboard Metric cards.



SAML - Security Assertion Markup Language™ (SAML™, pronounced SAM-el) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
Search and Analyze - The search mechanism in ThreatConnect uses a combination of direct and indirect search algorithms to find data based on a given input. The ThreatConnect search results also provide information of analytic value, including exact and potential matches in the user’s ThreatConnect instance and the ability to identify, create, and explore new Indicators.
Security Label - Security Labels provide a means to designate information stored within ThreatConnect as sensitive. When sharing data with partners, or when copying data to and from Communities, Security Labels provide control over what is shared and allow the sharer to redact information based on Security Labels that are applicable to Indicators, Attributes, Groups, Tasks, Tracks, and Victims.
Sharing Administrator - A role within Organizations that has the same privileges as a User, but can also share or contribute Groups to other Communities of which the Organization is already a part. It can also export data in bulk from the Organization.
Signature - The Signature Group represents an actual Signature that can be used for detection or prevention in a supported format (i.e., Snort®, YARA, CybOX™, OpenIOC, ClamAV®, Suricata, Bro, and Regex).
Skulls - Skulls are used to represent the scale on which Threat Rating is measured, where 0 skulls is the lowest Threat Rating and 5 skulls is the highest. Sometimes, the word "skulls" is omitted. For example, "a Threat Rating of 5" is equivalent to "a Threat Rating of 5 skulls."
Source - A Source is a one-way feed of information. Like Communities, Sources may have Individuals or Organizations as members. Unlike Communities, Sources are not meant to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any write access within a Source. Oftentimes a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.
Spaces - ThreatConnect Spaces (System Spaces) create analytic panes that can run and display up to four apps in a single, convenient place. They are a great way to extend the capabilities of the user interface (UI) and to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.
Subscriber - A role within Communities that has read-only access only to published data.



Tag - Free-form metadata that is pivotable in ThreatConnect.
Task - The Task Group represents an assignment given to a ThreatConnect user.
TC Exchange - TC Exchange™ is the term for ThreatConnect's catalog of resources such as integrations, Communities, training opportunities, and links to our SDK and API documentation.
Technical Blogs and Reports - The Technical Blogs and Reports Source is open to all ThreatConnect users. It is populated with posts from over 55 blogs that have been chosen for their quality by the ThreatConnect Research Team. For more details, visit
Threat - The Threat Group represents a group of related activity, whether or not attribution is known. This relation can be based on technology (e.g., Shellshock) or pertain to a grouping of activity that is presumed to be by the same selection of actors (e.g., Bitterbug).
ThreatAssess - ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have to a security organization. It also provides a breakdown of those factors that went into the calculation of that score, all of which come from data from within the user’s ThreatConnect instance.
Threat Rating - The Threat Rating identifies how much of a threat an Indicator represents. It is measured on a scale of 0–5 skulls—the higher the rating, the higher the threat.
TQL - The advanced search filter allows users to build structured queries using a SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using a simple string search. At any time, a query can be saved and revisited later or used in custom dashboards (if enabled).
Tracks - ThreatConnect's Reverse Whois Tracks leverage DomainTools, an external data service that interfaces with ThreatConnect to actively detect and issue alerts about new associations discovered in Whois records between Adversary assets and hosts.



URL - The URL Indicator represents a valid URL, including protocol (e.g.,
User (Community) - A role within Communities that has read-only access to all data.
User (Organization) - A basic user role within an Organization. This role cannot make Organization Configuration changes, and it cannot export Indicators or share Groups with Communities.
User Agent - The User Agent Indicator is a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36].



Variable - Variables can be preconfigured and used to populate certain fields, such as the ThreatConnect API Access ID or Secret Key in Playbooks or app configurations.



Widget Card - Widget cards are dashboard cards that are predefined and cannot be configured, other than to adjust their size and position on the dashboard.



TC Exchange™ is a trademark of ThreatConnect, Inc.

Apache® and Lucene®are registered trademarks of The Apache Software Foundation.

CAL™ is a trademark of ThreatConnect, Inc.

ClamAv® and Snort® are registered trademarks of Cisco Systems, Inc.

CybOX is a trademark of the MITRE Corporation.

Elasticsearch® is a registered trademark of Elasticsearch BV.

Security Assertion Markup Language™ and SAML™ are trademarks of OASIS, the open standards consortium where the SAML specification is owned and developed. SAML is a copyrighted © work of OASIS Open. All rights reserved.

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found