Creating Groups
  • 08 Nov 2024

Overview

A Group represents a collection of related behavior and intelligence. You can use the Create option on the top navigation bar in ThreatConnect® to create individual Groups in your owners.

Before You Start

User Roles

  • To create Groups in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To create Groups in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.

Creating a Group

Follow these steps to create a Group:

  1. Hover over Create on the top navigation bar and select a Group type.
  2. Proceed through the steps on the Create screen to create the Group. There are three steps in the Group creation process: Details (required), Associations (optional), and Attachments (optional).

Step 1: Enter Details About the Group

The Details step of the Create screen (Figure 1) is a required step where you enter basic information about the Group you are creating.

[Figure 1: Creating Groups, 7.3.0]

Follow these steps to fill out the fields on the Details step:

  1. Provide the following details for the Group:
    • Type: The value selected in the dropdown will match the Group type you selected from the Create menu. If you select a new Group type from the Type dropdown, the fields on the Details step will change based on the new Group type.
    • Owner: Select the owner in which to create the Group.
    • Summary: Enter a name for the Group.
    • Description: (Optional) Enter a Description for the Group. To apply the Description to the Indicators provided in the Associations step, select Apply Description To Associations.
    • Tags: (Optional) Enter one or more Tags to apply to the Group. To apply the Tags to the Indicators provided in the Associations step, select Apply Tags To Associations.
      Note
      Depending on the Group type you selected from the Create menu, the Details step may display additional fields.
  2. Click Next to proceed to the optional Associations step, or click Save to create the Group.

Additional Details Step Fields

Depending on the Group type you selected from the Create menu, the Details step may display additional fields:

  • Campaign
    • First Seen: (Optional) Enter the date when the Campaign was first observed.
  • Document 
    • Upload Document: Upload the file that the Document Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning, along with a checkbox labeled Add to Malware Vault.
    • Add to Malware Vault: (Optional) Select this checkbox if you are uploading a malware file.
  • Event 
    • Status: (Optional) Select the current status of the Event.
    • Event Date: (Optional) Enter the date and time when the Event occurred.
  • Incident
    • Status: (Optional) Select the current status of the Incident.
    • Event Date: (Optional) Enter the date when the Incident occurred.
  • Report
    • Upload Document: (Optional) Upload the file that the Report Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning.
    • Publish Date: (Optional) Enter the date on which the Report was published.
  • Task
    • Status: (Optional) Select the current status of the Task.
    • Reminder Date: (Optional) Enter the date when a reminder about the Task will be sent.
    • Assign To: (Optional) Select one or more users to whom the Task will be assigned.
    • Due Date: (Optional) Enter the due date for the Task.
    • Escalation Date: (Optional) Enter the escalation date for the Task.
    • Escalate To: (Optional) Select one or more users to whom the Task will be escalated. If the escalation date is met and the Task has not been completed, the system will assign the Task to the selected user(s).
    • Follow: (Optional) Select this checkbox to follow the Task (i.e., receive notifications about changes and updates), and then select a notification level from the Notification Level dropdown.

Step 2: Create Associations for the Group (Optional)

Clicking Next on the Details step will display the optional Associations step (Figure 2). Here, you can enter details about Indicators to create and associate to the Group.

[Figure 2: Creating Groups, 7.3.0]

Follow these steps to fill out the fields on the Associations step:

  1. Select an Indicator type from the dropdown in the Indicator Type card. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. After you select an Indicator type, the Indicator Type card will display fields you can use to enter values for Indicators of that type. If you select Unknown - (parsed), the Indicator Type card will display the following options:
    • Upload: Upload a file containing Indicators. To view upload requirements, hover over the Information icon to the right of the Upload heading. To create a Document Group that contains the uploaded file and associate it to the Group you are creating, select Retain Document as attachment.
    • Enter Text: If you are not uploading a file, enter the text to parse for Indicators, and then click Add. Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR.
      Note

      Custom Indicator types may also be parsed if the following conditions are met:

      • a System Administrator selected the Parsable checkbox when configuring the custom Indicator type;
      • the custom Indicator type accepts a single value;
      • a System Administrator created an import rule for the custom Indicator type.

      For more information on custom Indicator types and Indicator import rules, see the “Custom Indicator Types” and “Indicator Import Rules” sections, respectively, of the ThreatConnect System Administration Guide.

      Important
      Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
  2. (Optional) On the Associations card, review the table containing the Indicators that will be created and associated to the Group. To remove an Indicator from the table, click Delete in the Actions column.
    Note
    The table in the Associations card will include a Private column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as private, select the corresponding checkbox in the Private column.
    Note
    A checkmark in the Known column indicates that the Indicator already exists in the owner in which the Group will be created.
  3. (Optional) On the Association Details card, provide the following details for all Indicators that will be created and associated to the Group:
    • Description: (Optional) Enter a Description for the Indicators. If you entered a Description for the Group on the Details step and selected Apply Descriptions to Associations, the text box will contain that Description.
    • Tags: (Optional) Enter one or more Tags to apply to the Indicators. If you entered Tags for the Group on the Details step and selected Apply Tags to Associations, the text box will contain those Tags.
    • Threat Rating: (Optional) Set the Threat Rating for the Indicators.
    • Confidence Rating: (Optional) Set the Confidence Rating for the Indicators.
  4. Click Next to proceed to the optional Attachments step, or click Save to create the Group.
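
The Enter Text option in step 1 parses free text into Address, Email Address, Host, URL, ASN, and CIDR Indicators and skips values on an Indicator Exclusion List. The following Python sketch is an added example, not ThreatConnect code; its patterns, function names, and sample text are assumptions, and it previews what a block of text is likely to yield before you paste it in.

```python
import ipaddress
import re

# Illustrative patterns only (assumed); ThreatConnect's import rules may differ.
ASN_RE = re.compile(r"^ASN?\d{1,10}$", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")
URL_RE = re.compile(r"^(https?|ftp)://[^\s/]+(/\S*)?$", re.IGNORECASE)
HOST_RE = re.compile(r"^([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,}$")

def classify(token):
    """Map one token to a parsable Indicator type name, or None."""
    if "/" in token and "://" not in token:
        try:
            ipaddress.ip_network(token, strict=False)
            return "CIDR"
        except ValueError:
            return None
    try:
        ipaddress.ip_address(token)  # accepts IPv4 and IPv6
        return "Address"
    except ValueError:
        pass
    for name, rx in (("ASN", ASN_RE), ("Email Address", EMAIL_RE),
                     ("URL", URL_RE), ("Host", HOST_RE)):
        if rx.match(token):
            return name
    return None

def parse_indicators(text, exclusions=()):
    """Return de-duplicated (type, value) rows, skipping excluded values."""
    excluded = {e.lower() for e in exclusions}
    seen, rows = set(), []
    for raw in re.split(r"[\s,;]+", text):
        token = raw.strip("()[]<>\"'.")  # drop sentence punctuation
        kind = classify(token) if token else None
        key = token.lower()
        if kind is None or key in excluded or key in seen:
            continue
        seen.add(key)
        rows.append((kind, token))
    return rows

# Constructed sample text and exclusion list (documentation-reserved values).
SAMPLE = ("Beacon from 192.0.2.10 to http://bad.example/login.php, "
          "sender billing@mail.example; netblock 198.51.100.0/24 (AS64500). "
          "Also saw cdn.example and www.example.org.")
EXCLUSIONS = ["www.example.org"]
if __name__ == "__main__":
    print(*parse_indicators(SAMPLE, EXCLUSIONS), sep="\n")
```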

Step 3: Upload File Attachments to the Group (Optional)

Clicking Next on the Associations step will display the optional Attachments step (Figure 3). Here, you can upload and attach related files to the Group.

[Figure 3: Creating Groups, 7.3.0]

Follow these steps to fill out the fields on the Attachments step:

  1. Upload one or more files for which Document Groups will be created and associated to the Group being created.
  2. After a file is uploaded, its filename will be displayed below the file upload area, along with an Add to Malware Vault checkbox. Leave this checkbox cleared unless you are uploading a malware file.
  3. Click Save to create the Group.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20003-03 v.01.B

