
Custom Security Labels


Overview

Security labels allow you to designate the sensitivity of data in ThreatConnect®. You can leverage security labels to limit information shared across ThreatConnect owners, as well as filter on and query ThreatConnect data by sensitivity level.

Example
When copying Group data from one ThreatConnect owner to another, you can select security labels to include or exclude when determining which of the Group's attributes, associated Groups, associated Indicators, and attributes of the associated Groups and Indicators to include in the copy operation.

Example
When searching for Groups, Indicators, and Victims, you can filter the results by security label. On dashboard query cards, you can group data by security label. You can also use ThreatConnect Query Language (TQL) to search for and filter on security labels (e.g., on the Search screen, in dashboard query cards).

ThreatConnect provides out-of-the-box security labels on the System level that can be applied to data in all owners on a ThreatConnect instance. These security labels use the Traffic Light Protocol published by the Forum of Incident Response and Security Teams (FIRST®):

  • TLP:AMBER
  • TLP:AMBER+STRICT
  • TLP:CLEAR
  • TLP:GREEN
  • TLP:RED
  • TLP:WHITE
    Note
    TLP:WHITE is a legacy security label that FIRST replaced with TLP:CLEAR. The TLP:WHITE security label has been retained in ThreatConnect to ensure the integrity of data labeled with it prior to its replacement. See “TLP definitions” for FIRST's definitions of each TLP label.

Security labels can be applied to Indicators, Groups, and Victims, as well as to individual attributes for those object types, allowing you to differentiate when an attribute's sensitivity differs from that of the object it belongs to.

Example
An Address Indicator may have a TLP:GREEN security label, but one of its attributes may be a sensitive system log identifying a system vulnerability with a TLP:RED security label.
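
The include/exclude selection described above for copy operations, applied to objects whose attributes carry different labels than the objects themselves, as an added Python example (not ThreatConnect code). The dictionary layout, the `filter_copy` function, the handling of unlabeled items, and the treatment of TLP:WHITE as TLP:CLEAR are assumptions made for illustration.

```python
# Added illustration: hypothetical data model and function names,
# not ThreatConnect's API or its actual copy implementation.
LEGACY = {"TLP:WHITE": "TLP:CLEAR"}  # FIRST replaced TLP:WHITE with TLP:CLEAR


def norm(label):
    """Upper-case a label and map the legacy name to its replacement."""
    label = label.strip().upper()
    return LEGACY.get(label, label)


def filter_copy(group, include=(), exclude=()):
    """Return a copy of `group` keeping only the attributes and associated
    objects that pass the include/exclude label selection."""
    inc = {norm(l) for l in include}
    exc = {norm(l) for l in exclude}

    def passes(item):
        labels = {norm(l) for l in item.get("labels", [])}
        if labels & exc:  # any excluded label withholds the item
            return False
        # Assumption: with an include list, unlabeled items are withheld.
        return not inc or bool(labels & inc)

    def prune(obj):
        kept = {k: v for k, v in obj.items() if k != "associations"}
        kept["attributes"] = [a for a in obj.get("attributes", []) if passes(a)]
        return kept

    out = prune(group)
    out["associations"] = [prune(o) for o in group.get("associations", [])
                           if passes(o)]
    return out


# Constructed sample data (documentation address range and example domain).
SAMPLE = {
    "name": "Constructed Incident", "labels": ["TLP:AMBER"],
    "attributes": [
        {"type": "Description", "value": "Phishing wave", "labels": ["TLP:GREEN"]},
        {"type": "System Log", "value": "unpatched host", "labels": ["TLP:RED"]},
    ],
    "associations": [
        {"type": "Address", "value": "203.0.113.10", "labels": ["TLP:GREEN"],
         "attributes": [{"type": "System Log", "value": "vuln scan hit",
                         "labels": ["TLP:RED"]}]},
        {"type": "Host", "value": "example.com", "labels": ["TLP:White"],
         "attributes": []},
    ],
}
```

Calling `filter_copy(SAMPLE, exclude=["TLP:RED"])` keeps the TLP:GREEN Address Indicator but withholds its TLP:RED log attribute, which is the case the attribute-level labels exist for.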

You can create, edit, and delete custom security labels on the System level (available in all owners on a ThreatConnect instance) and on the owner level (available only in a particular Organization, Community, or Source). In addition, you can consolidate an owner-level security label into a System-level security label, which replaces the owner-level security label with the System-level (out-of-the-box or custom) security label on all data objects in the owner and, optionally, deletes the owner-level security label.

Important
Organization Administrators should familiarize their users with their Organization's sharing policies and how to use security labels to maintain them.

Before You Start

User Roles

System-Level Security Labels

  • To view available security labels on the System level on the System Settings screen, your user account must have a System role of Administrator, Operations Administrator, Accounts Administrator, or Community Leader.
  • To view available security labels on the System level on the Organization Config screen for your home Organization, your user account can have any System role and any Organization role.
    Note
    The Security Labels tab of the Organization Config screen displays all System-level security labels in addition to all Organization-level security labels for an Organization. All user accounts have permission to view this tab for their home Organization.
  • To create and manage (edit and delete) custom security labels on the System level, your user account must have a System role of Administrator.

Organization-Level Security Labels

  • To view available security labels in your home Organization, your user account can have any System role and any Organization role.
  • To create and manage (edit, delete, and consolidate) custom security labels in your home Organization, your user account must have an Organization role of Organization Administrator.
  • To view available security labels in any Organization on your ThreatConnect instance, your user account must have a System role of Administrator, Operations Administrator, or Super User.
  • To create and manage (edit, delete, and consolidate) custom security labels in any Organization on your ThreatConnect instance, your user account must have a System role of Administrator, Operations Administrator, or Super User and an Organization role of Organization Administrator.

Community- and Source-Level Security Labels

  • To view available security labels in a Community or Source, your user account must have a Community role of Editor or Director in that Community or Source.
  • To create and manage (edit, delete, and consolidate) custom security labels in a Community or Source, your user account must have a Community role of Editor or Director in that Community or Source.

View Security Labels

View System-Level Security Labels

Follow these steps to view available System-level security labels:

  1. From the Settings menu on the top navigation bar, select System Settings.
  2. Select the Security Labels tab.
    Note
    If your user account does not have permission to access the System Settings screen, you can view all System-level security labels when viewing the security labels available in an Organization, Community, or Source.

View Organization-Level Security Labels

Follow these steps to view available security labels in an Organization:

  1. From the Settings menu on the top navigation bar, select Organization Configuration.
  2. Select the Security Labels tab.
    Note
    By default, the Security Labels tab displays the security labels in your home Organization, as well as all available System-level security labels. If you have a System role of Administrator, Operations Administrator, or Super User, you can use the selector to the right of the Organization Config header to select any Organization on your ThreatConnect instance.
  3. To view only Organization-level security labels, clear the Include System Labels checkbox.

View Community- and Source-Level Security Labels

Follow the appropriate set of steps for your user account's System role to view available security labels in a Community or Source:

Navigate via Account Settings

Note
These steps apply to user accounts with a System role of Administrator, Operations Administrator, Accounts Administrator, or Community Leader.
  1. From the Settings menu on the top navigation bar, select Account Settings.
  2. Select the Communities/Sources tab.
  3. Click the name of a Community or Source.
  4. Click COMMUNITY CONFIG or SOURCE CONFIG.
  5. Select the Security Labels tab.
  6. To view only Community- or Source-level security labels, clear the Include System Labels checkbox.

Navigate via Posts

Note
These steps apply to user accounts with a System role of Super User or User. User accounts with a System role of Read Only User cannot view Community- or Source-level security labels because they cannot be assigned a Community role of Editor or Director, which is required for access to the Community Config or Source Config screen.
  1. From the Settings menu on the top navigation bar, select Posts from the Deprecated Features dropdown.
  2. Click the name of a Community or Source from the My ThreatConnect sidebar.
  3. Click Community Config or Source Config at the upper right of the Community or Source card, respectively.
  4. Select the Security Labels tab.
  5. To view only Community- or Source-level security labels, clear the Include System Labels checkbox.

Create Custom Security Labels

Follow these steps to create custom security labels:

  1. When viewing security labels in an owner, click + NEW SECURITY LABEL.
  2. Fill out the fields on the Create Security Label window as follows:
    • Name: Enter a name for the security label.
    • Color: Click the box to select a color or enter a color code in RGB, HSB, or hexadecimal format.
    • Description: Enter a description for the security label.
      Note
      The Color and Description fields are solely for categorization and informational purposes. No policy enforcement is derived from them.
  3. Click SAVE.

Manage Custom Security Labels

The following actions for managing custom security labels are available in the Options column for a security label:

Note
Out-of-the-box System-level security labels are read only. Custom System-level security labels are read only on the Organization Config, Community Config, and Source Config screens.
  • Edit
  • Delete
  • Consolidate (not available for System-level security labels)

Consolidate Custom Security Labels

Owner-level security labels that are no longer relevant or valued can be consolidated into a System-level security label. This procedure replaces the owner-level security label with the System-level (out-of-the-box or custom) security label on all data objects in the owner and, optionally, deletes the owner-level security label.

Follow these steps to consolidate a security label in an Organization, Community, or Source into a System-level security label:

  1. When viewing security labels in an owner, click Consolidate in a security label's Options column.
  2. Fill out the fields in the Consolidate Security Label window as follows:
    • New Label: Select the System-level security label to replace the owner-level security label.
      Important
      This dropdown will not be populated if the Include System Labels checkbox on the Security Labels tab is not selected.
    • Delete Upon Completion: Select this checkbox to delete the owner-level security label after consolidation is complete.
  3. Click CONFIRM.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
FIRST® is a registered trademark of Forum of Incident Response and Security Teams, Inc.

20015-01 v.010.A