Associations Overview
  • 30 Jan 2024
  • 1 Minute to read
  • Dark
    Light

Associations Overview

  • Dark
    Light

Article Summary

An association, one of the most powerful features in ThreatConnect®, models a relationship between two objects. Associating data empowers an analyst to pivot to related objects and further investigate their relationships to the primary object in the association. In ThreatConnect, you can

  • associate Groups to Intelligence Requirements (IRs), Indicators, Victim Assets, and other Groups;
  • associate Indicators to IRs, Groups, Victim Assets, and, using custom associations, other Indicators; and
  • associate IRs to Indicators, Groups, and Victim Assets.

In addition, you can associate Groups, Indicators, and IRs to Workflow Cases and their Artifacts and vice versa. Creating these associations is one of the main ways to connect information gathered within a Case to your threat intelligence data. Lastly, you can leverage cross-owner associations to create associations between Groups and Indicators in your Organization and those in your Communities and Sources, allowing for greater visualization and insight into all of your data.

Note
If cross-owner associations are disabled after being enabled previously, you can still view and remove cross-owner associations created while this feature was enabled. However, you will not be able to create new cross-owner associations.

The Associations tab of the Details screen and the Associations card on the legacy Details screen are where you can view, create, and manage associations. You can also use Threat Graph to discover, visualize, and explore associations in a graph-based interface.

Note
Applying a Tag to a Group, Indicator, IR, Victim, or Case creates an association between the Tag and the object to which it is applied.

Before You Start

Minimum Role(s)
  • Organization role of Read Only User (for viewing associations in your Organization)
  • Community role of User (for viewing associations in a Community or Source)
    Note
    To view cross-owner associations, you must have an owner role with at least viewing permissions in both owners.
  • Organization role of Standard User (for creating and modifying associations)
  • Community role of Editor (for creating and modifying associations in a Community or Source)
    Note
    To create and modify cross-owner associations, you must have an owner role with editing permissions one of the owners and an owner role with at least viewing permissions in the other.
  • Users with an Organization role of App Developer cannot view associated and potentially associated Cases and Artifacts, because they do not have access to Workflow
PrerequisitesCross-owner associations enabled by a System Administrator (for creating associations between Groups and Indicators in your Organization and Groups and Indicators in Communities and Sources to which you have access)

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20076-01 v.10.A


Was this article helpful?