The Cross-Intel Sharing App: Sharing Data Across ThreatConnect Instances
  • 19 Mar 2024
  • 5 Minutes to read
  • Dark
    Light

The Cross-Intel Sharing App: Sharing Data Across ThreatConnect Instances

  • Dark
    Light

Article Summary

Overview

The Cross-Intel Sharing App allows ThreatConnect® users to share packaged intelligence in the form of Group data objects with users on other ThreatConnect instances. Groups that are being shared must first be published by a Community Director in the sending instance as a JSON file. If a System Administrator has enabled publishing from Organizations, then the Cross-Intel Sharing App may also be used to share Groups that have been published from an Organization by an Organization Administrator. The Cross-Intel Sharing App must then be installed and configured by an Organization Administrator in the receiving instance, as detailed in this article.

When the Job for the Cross-Intel Sharing App is run, JSON files for all published Groups in the owner (Community, Source, or Organization) in the sending instance will be shared with the target owner in the receiving instance. In addition, the following objects will be shared with the target owner in the receiving instance:

  • Indicators and Groups associated to the published Group(s)
  • Security Labels applied to the published Group(s)
    Note
    If a custom Security Label applied to the published Group, or objects associated to it, in the sending instance does not exist in the receiving instance, it will be created automatically at the owner level in the receiving instance and applied to the shared objects.
  • Attributes added to the published Group(s)
    Note
    If an Attribute added to the published Group was created using a custom Attribute Type created at the owner level in the sending instance, that same custom Attribute Type must be created at the same owner level in the receiving instance before using the Cross-Intel Sharing App in order for the Attribute to be shared. Similarly, if an Attribute added to the published Group was created using a custom Attribute Type created at the System level in the sending instance, that same custom Attribute Type must be created at the System level in the receiving instance before using the Cross-Intel Sharing App in order for the Attribute to be shared.
  • Tags applied to the published Group(s)
    Note
    If a Tag applied to the published Group, or objects associated to it, in the sending instance does not exist in the receiving instance, it will be created automatically in the target owner in the receiving instance and applied to the shared objects.

Before You Start

Minimum Role(s)Organization role of Organization Administrator
Prerequisites
  • A Group that has been published 
  • An API account in the receiving and sending ThreatConnect instances

Installing and Configuring the Cross-Intel Sharing App

  1. Log into ThreatConnect with an Organization Administrator account.
  2. On the top navigation bar, hover the cursor over Settings A picture containing text, light  Description automatically generatedand select Org Settings. The Membership tab of the Organization Settings screen will be displayed.
  3. Click the Apps tab. The Jobs view of the Apps screen will be displayed (Figure 1). Graphical user interface, application  Description automatically generated

     

  4. Click the Plus Icon  Description automatically generated icon at the top right of the table. The Program screen of the Add Job drawer will be displayed (Figure 2). Graphical user interface, application, Word  Description automatically generated

     

    • Job Name: Enter a name (e.g., Cross-Intel Sharing) for the Job.
    • Run Program: Select ThreatConnect Cross Intel Sharing.
    • Click the NEXT button.
  5. The Parameters screen of the Add Job drawer will be displayed (Figure 3). Graphical user interface, text, application, email  Description automatically generated

     

    • Api User: Select an API user in the receiving instance.
    • Target Owner: Select the Organization, Community, or Source that will contain the Group data objects in the receiving instance.
    • Source ThreatConnect API URL: Enter the API URL for the ThreatConnect instance from which the published Group data objects are being sourced.
    • Source ThreatConnect Organization Id: Enter the name or ID of the Community or Source from which the published Group data objects are being sourced.
      Note
      To enter the name or ID of an Organization for this parameter, a System Administrator must have enabled publishing in the Organization from which the Group data objects are being sourced, and an Organization Administrator must have published the Group data objects.
    • Source ThreatConnect API Access ID: Enter the API Access ID for the ThreatConnect instance from which the published Group data objects are being sourced.
    • Source ThreatConnect API Secret Key: Enter the API Secret Key for the ThreatConnect instance from which the Group data objects are being sourced.
    • Logging level: Select a logging level for the Job. WARN is the recommended logging level.
    • Click the NEXT button.
  6. The Schedule screen of the Add Job drawer will be displayed (Figure 4). Graphical user interface, text, application, email  Description automatically generated

     

    • Schedule: Select the frequency of Job runs.
    • At: Select this option to schedule a specific time for Job runs, and use the corresponding field to enter the Job run time.
    • Every: Select this option to schedule Job runs to occur at intervals, and use the corresponding fields to set the specific frequency and interval.
    • Click the NEXT button.
  7. The Output screen of the Add Job drawer will be displayed (Figure 5). Graphical user interface, application, Word  Description automatically generated

     

    • Enable Notifications: Select this checkbox to enable notifications on the results of Job runs. If this checkbox is not selected, none of the other options in this step will be available.
    • Email Address: Enter the email address to which notifications should be sent.
    • Notify on Job Result: Select the checkbox(es) for the type(s) of Job results for which notifications should be sent.
    • Attachments: Select the Include Log Files checkbox to include log files in the notification emails.
    • Click the SAVE button.
  8. The Jobs view on the Apps screen will now show the Job (Cross-Intel Sharing in this example) created for the Cross-Intel Sharing App. Toggle the switch in the Active column for the Job on (orange) to activate the Job (Figure 6). Graphical user interface  Description automatically generated

     

Running the Cross-Intel Sharing Job

  1. On the Jobs view of the Apps screen, click Run Job in the Options column for the Job (Cross-Intel Sharing in this example) to run it immediately (Figure 6).
  2. A window will be displayed prompting you to confirm whether you want to run the Job at this time. Click the YES button.
  3. The Start Time column will display the time that the Job started running, and the Last Execution column will display a status of Running for the Job. After the Job completes, the shared Group data objects will be available for viewing on the Browse screen in the target owner in the receiving instance.
Important
Once published Group data objects have been shared to an instance, they cannot be “unshared.”
Important
Changes that are made to a Group in the sending instance after it has been published will not be reflected in the JSON file. The Group will need to be published again in order to capture any changes that occur after its publication. Once the Group has been published again, the Job for the Cross-Intel Sharing App will share the new JSON file during its next scheduled run.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20061-01 v.01.M


Was this article helpful?