Creating Intelligence Requirements
  • 10 Jan 2024

Article Summary

An Intelligence Requirement (IR) is a collection of topics or a research question reflecting an organization’s cyber threat–related priorities that guides a security or threat intelligence team’s research and analysis efforts. Follow these steps to create an IR in ThreatConnect®.

Important
The ThreatConnect Global Intelligence Dataset, historically known as CAL™, is used to retrieve keyword suggestions for IRs and global results for IR keyword queries. Even if CAL is not enabled for your ThreatConnect instance, you can still leverage the ThreatConnect Global Intelligence Dataset. In this scenario, data returned from the ThreatConnect Global Intelligence Dataset will be read only, and no information stored in your instance will be shared with or collected by CAL.
  1. On the top navigation bar, hover over Create and select Intelligence Requirement (IR). The Details step of the Create Intelligence Requirement (IR) screen will be displayed (Figure 1). This step is where you enter basic information about the IR. To view best practices for creating IRs, click the Intelligence Requirement Help link.
    Figure 1: Create Intelligence Requirement (IR) screen, Details step

    • Requirement: Enter a unique summary of the IR (i.e., the question, topic, or statement on which the IR focuses). The summary entered cannot be the same as the summary for an existing IR on the ThreatConnect instance.
    • ID: Enter a unique ID for the IR. The ID entered cannot be the same as the ID for an existing IR on the ThreatConnect instance.
      Note
      If your organization does not have an existing ID naming convention in place for IRs, it is recommended to identify the IR’s subtype in the ID. For example, if creating a Priority Intelligence Requirement (PIR), then its ID would look like PIR-001.
      Important
      You cannot change an IR’s ID after it has been created.
    • Owner: The name of the Organization in which the IR will be created. This value cannot be changed, and IRs cannot be created in Communities or Sources.
    • Subtype: Select a subtype for the IR. Available subtypes include the following:
      • Intelligence Requirement (IR): This subtype corresponds to threats of overall concern to an organization (e.g., cyber threats, fraud, geopolitical/physical threats).
      • Priority Intelligence Requirement (PIR): This subtype corresponds to threat actor motives; tactics, techniques, and procedures (TTPs); targets; impacts; or attributions in association with IRs.
      • Specific Intelligence Requirement (SIR): This subtype corresponds to facts associated with threat activity, such as indicators of compromise (IOCs).
      • Request for Information (RFI): This subtype corresponds to one-off requests for information related to topics of interest to particular stakeholders.
      • Research Requirement (RR): This subtype corresponds to a topic or area of investigation that is of interest to an individual or group and does not merit a full IR, but does require tracking of relevant information.
    • Category: Select a category for the IR. If your System Administrator has not created any IR categories on the Categories tab of the System Settings screen, the only option displayed in the dropdown will be None.
    • Description: Enter a default Description for the IR.
    • Tags: Enter one or more Tags to apply to the IR.
    • Click the Next button.
  2. The Keyword Tracking step of the Create Intelligence Requirement (IR) screen will be displayed (Figure 2). This step is where you define a logic-based keyword query for the IR. To view best practices for defining IR keyword queries, click the Keyword Best Practices & Help link.
    Important
    When defining a keyword query for an IR, it is recommended to use no more than 200 keywords in the query.

    Figure 2: Create Intelligence Requirement (IR) screen, Keyword Tracking step

    • Requirement Keyword Suggestions: This section displays keyword suggestions based on the text entered in the Requirement field on the Details step (in this example, “What threats are targeting financial institutions based in the United Kingdom?”). Suggestions will be potential aliases for keywords recognized in the Requirement field based on geolocation, industry, MITRE ATT&CK® tactics and techniques, intrusion sets, tools, and malware families. To add keywords from this section to the Includes Any of the Following or Excludes Any of the Following section, select the keywords and then click the + Add to “Include” or + Add to “Exclude” button, respectively. When a keyword is added to either of these sections, it will be removed from the Requirement Keyword Suggestions section.
      Note
      If there are multiple Includes Any of the Following sections, you will be prompted to select which of these sections (i.e., Section 1, Section 2, etc.) to add the selected keywords to when you click the + Add to “Include” button.
    • Get Suggestions for All: Click this button to retrieve keyword suggestions for the Includes Any of the Following and Excludes Any of the Following sections. Suggestions will be potential aliases for keywords recognized in each section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. At least one keyword must be added to at least one of these sections to use this feature.
    • Includes Any of the Following: This section displays the keywords that objects must include to be returned as results for the IR. When searching for results, the keyword query uses “OR” logic between each keyword defined in this section (e.g., ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
      • Type keyword here…: Enter a keyword into the text box and then click Add to the right of the text box or press Enter on your keyboard to add it to the Includes Any of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes Any of the Following section will result in an error.
      • Get Suggestions: When at least one keyword is added to the Includes Any of the Following section, you can click this button to retrieve keyword suggestions for this section. Suggestions will be potential aliases for keywords recognized in the Includes Any of the Following section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
        • Select the keywords you want to add to the Includes Any of the Following section and click the + Add Selected button.
        • Click the + Add All button to add all suggested keywords to the Includes Any of the Following section.
      • Remove: Click this icon to the right of a keyword added to the Includes Any of the Following section to remove it.
      • + Add Section: Click this button to add another Includes Any of the Following section. An IR can have up to five Includes Any of the Following sections, each of which is joined by “AND” logic when the keyword query searches for results (e.g., ["<keyword>" OR "<keyword>"] AND ["<keyword>" OR "<keyword>"]). Before you can add a new Includes Any of the Following section, the previous section must have at least one keyword added to it.
      • Delete: When at least two Includes Any of the Following sections are added, this button will be displayed at the top right of each section. Click it to remove the section and its keywords.
    • Excludes Any of the Following: This section displays one or more keywords that objects must not include to be returned as results for the IR. When searching for results, the keyword query uses “AND NOT” logic before the set of keywords defined in this section, followed by “OR” logic between each keyword (e.g., AND NOT ["<keyword>" OR "<keyword>"]). This section also provides the following options for managing keywords added to it:
      • Type keyword here…: Enter a keyword into the text box and then click Add to the right of the text box or press Enter on your keyboard to add it to the Excludes Any of the Following section. Attempting to add a keyword that is already added to the Includes Any of the Following or Excludes Any of the Following section will result in an error.
      • Get Suggestions: When at least one keyword is added to the Excludes Any of the Following section, you can click this button to retrieve keyword suggestions for this section. Suggestions will be potential aliases for keywords recognized in the Excludes Any of the Following section based on geolocation, industry, MITRE ATT&CK tactics and techniques, intrusion sets, tools, and malware families. If keyword suggestions are returned, a Keyword Suggestions section containing those keywords will be displayed. Here, you can perform the following actions:
        • Select the keywords you want to add to the Excludes Any of the Following section and click the + Add Selected button.
        • Click the + Add All button to add all suggested keywords to the Excludes Any of the Following section.
      • Remove: Click this icon to the right of a keyword added to the Excludes Any of the Following section to remove it.
    • Click one of the following buttons to proceed with creating the IR:
      • Next: Click this button to proceed to the optional View Results step. (See Step 3 for further instructions.)
      • Save: Click this button to create the IR and view its Details screen.
  3. If you clicked the Next button on the Keyword Tracking step, the View Results step will be displayed (Figure 3). This step is where you can view a preliminary set of Artifacts, Cases, Groups, Indicators, Tags, and Victims in your owners and the ThreatConnect Global Intelligence Dataset that the keyword query returned, with the total number of results of the selected type (Local or Global) displayed to the right of the Results heading. When searching for local results, the query searches everything you have access to in your ThreatConnect instance, including all Attributes, Tags, names/summaries of objects, and the contents of Report files.
    Important
    If there are more than 500 results of the selected type (Local or Global) available, the table will display only the most recent 500 results of the selected type.
    Figure 3: Create Intelligence Requirement (IR) screen, View Results step

    • Local: Select this option to view results in your Organization, Communities, and Sources that the keyword query returned. If desired, use the Filters menu to filter results by owner and type. You can also enter text in the search box to filter results by name. To view more details about a result, click its name to view its Details screen. Click a result’s row to see its Result Details drawer, which displays the date and time that the result matched the query and highlights the text in the result that matched one or more of the query keywords. See the “Viewing Result Details” section for more information.
      Note
      The Result Details drawer is not provided for Tags.
    • Global: Select this option to view results in the ThreatConnect Global Intelligence Dataset that the keyword query returned. If desired, use the Filters menu to filter results by type. You can also enter text in the search box to filter results by name. If you have access to the CAL Automated Threat Library Source and a global result exists in that Source, you can click its name to view its Details screen. Click a result’s row to see its Result Details drawer, which displays the date and time that the result matched the query and highlights the text in the result that matched one or more of the query keywords. See the “Viewing Result Details” section for more information.
      Note
      The Result Details drawer is not provided for Tags.
      Note
      Indicators with a CAL score of 150 or lower will not be included in the global results.
    • Retrieve Results: Click this button to retrieve the most recent results of the selected type (Local or Global) for the IR’s keyword query.
    • Click the Save button to create the IR and view its Details screen.

Viewing Result Details

The Result Details drawer highlights the fields or other information in a result that matched one or more query keywords, as well as the date and time that the result was matched. For example, in Figure 4, the highlighted words in the result’s name, the Source Attribute, and Description Attribute are matches to two of the query keywords (uk and great britain). Expand the Keyword Tracking section to view the IR’s query keywords.

Note
If the Result Details drawer does not display any highlighted words, it is possible that the matching text exists in a file or other document attached to the result. You can view a result’s attachments on the result’s Details screen. Note that matched terms will not be highlighted in attachments.
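
As an added example, not ThreatConnect’s own code or its matching rules: the keyword query logic described in the Keyword Tracking step ([keyword OR keyword] AND [keyword OR keyword] AND NOT [keyword OR keyword]) evaluated in Python, returning which keyword matched which field, as the Result Details drawer highlights them. Whole-word, case-insensitive matching, the field names, and the sample object are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass, field

MAX_INCLUDE_SECTIONS = 5   # page: up to five Includes Any of the Following sections
MAX_KEYWORDS = 200         # page: recommended ceiling for one query


def _hits(keyword: str, fields: dict[str, str]) -> list[str]:
    # Fields containing the keyword as a whole word, case-insensitively (assumed rule;
    # whole-word matching keeps "uk" from firing on "Ukraine").
    pattern = re.compile(r"\b" + re.escape(keyword) + r"\b", re.IGNORECASE)
    return [name for name, text in fields.items() if pattern.search(text)]


@dataclass
class KeywordQuery:
    includes: list[list[str]]                        # one inner list per Includes section
    excludes: list[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 1 <= len(self.includes) <= MAX_INCLUDE_SECTIONS:
            raise ValueError("an IR needs between 1 and 5 Includes sections")
        if any(not section for section in self.includes):
            raise ValueError("every Includes section needs at least one keyword")
        seen: set[str] = set()
        for kw in [k for s in self.includes for k in s] + self.excludes:
            if kw.lower() in seen:               # page: adding a duplicate keyword is an error
                raise ValueError(f"duplicate keyword: {kw!r}")
            seen.add(kw.lower())
        if len(seen) > MAX_KEYWORDS:
            raise ValueError("query exceeds the recommended 200 keywords")

    def matches(self, fields: dict[str, str]) -> dict[str, list[str]]:
        """{field: [matched keywords]} if the object is a result for the IR, else {}."""
        if any(_hits(kw, fields) for kw in self.excludes):   # AND NOT [kw OR kw ...]
            return {}
        matched: dict[str, list[str]] = {}
        for section in self.includes:                        # sections joined by AND ...
            section_hit = False
            for kw in section:                               # ... keywords within by OR
                for name in _hits(kw, fields):
                    matched.setdefault(name, []).append(kw)
                    section_hit = True
            if not section_hit:
                return {}
        return matched


# Constructed sample built around the page's example requirement (UK financial institutions)
QUERY = KeywordQuery(includes=[["uk", "great britain"], ["bank", "financial"]], excludes=["phishing simulation"])
SAMPLE_OBJECT = {"name": "Campaign targeting a Great Britain bank",
                 "Source": "uk-cert advisory",
                 "Description": "Credential theft at several financial institutions"}
```

`QUERY.matches(SAMPLE_OBJECT)` returns the per-field matches that the drawer would highlight; an object hit by any Excludes keyword, or missing every keyword of one Includes section, returns an empty dict.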

Figure 4: Result Details drawer with matched keywords highlighted


ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation.

20159-05 v.02.A