Creating Threat Intelligence Data
  • 26 Apr 2024
  • 7 Minutes to read
  • Dark
    Light

Creating Threat Intelligence Data

  • Dark
    Light

Article summary

Overview

The Create option on the top navigation bar lets you create a single Indicator, Group, Intelligence Requirement, Track, or Victim to ThreatConnect®.

Before You Start

User Roles

  • To create threat intelligence data in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To create threat intelligence data in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director.
  • To enable Tracks in an Organization, your user account must have an Organization role of Organization Administrator.

Creating an Indicator

Follow these steps to create an Indicator:

  1. Hover over Create on the top navigation bar and select an Indicator type.
  2. On the Create window, select the owner in which to create the Indicator and enter the Indicator’s value(s).
  3. Click SAVE to create the Indicator.

The name and appearance of the Create window depends on the type of Indicator you select from the Create menu. For example, selecting Address from the Create menu will open the Create Address window, which prompts you to enter the IP address for the Address Indicator (Figure 1).

Figure 1_Creating Threat Intelligence Data_7.0.0

 

However, selecting File from the Create menu will open the Create File window, which prompts you to enter one or more file hashes (MD5, SHA1, and SHA256) for the File Indicator.

Creating a Group

Follow these steps to create a Group:

  1. Hover over Create on the top navigation bar and select a Group type.
  2. Proceed through the steps on the Create screen to create the Group. There are three steps in the Group creation process: Details, Associations, and Attachments. Details is a required step, while Associations and Attachments are optional steps.

Step 1: Enter Details About the Group

The Details step of the Create screen (Figure 2) is a required step where you enter basic information about the Group you are creating.

Figure 2_Creating Threat Intelligence Data_7.3.0

 

Follow these steps to fill out the fields on the Details step:

  1. Provide the following details for the Group:
    • Type: The value selected in the dropdown will match the Group type you selected from the Create menu. If you select a new Group type from the Type dropdown, the fields on the Details step will change based on the new Group type.
    • Owner: Select the owner in which to create the Group.
    • Summary: Enter a name for the Group.
    • Description: (Optional) Enter a Description for the Group. To apply the Description to the Indicators provided in the Associations step, select Apply Description To Associations.
    • Tags: (Optional) Enter one or more Tags to apply to the Group. To apply the Tags to the Indicators provided in the Associations step, select Apply Tags To Associations.
      Note
      Depending on the Group type you selected from the Create menu, the Details step may display additional fields.
  2. Click Next to proceed to the optional Associations step, or click Save to create the Group.

Additional Details Step Fields

Depending on the Group type you selected from the Create menu, the Details step may display additional fields:

  • Campaign
    • First Seen: (Optional) Enter the date when the Campaign was first observed.
  • Document 
    • Upload Document: Upload the file that the Document Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning, along with a checkbox labeled Add to Malware Vault.
    • Add to Malware Vault: (Optional) Select this checkbox if you are uploading a malware file.
  • Event 
    • Status: (Optional) Select the current status of the Event.
    • Event Date: (Optional) Enter the date and time when the Event occurred.
  • Incident
    • Status: (Optional) Select the current status of the Incident.
    • Event Date: (Optional) Enter the date when the Incident occurred.
  • Report
    • Upload Document: (Optional) Upload the file that the Report Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning.
    • Publish Date: (Optional) Enter the date on which the Report was published.
  • Task
    • Status: (Optional) Select the current status of the Task.
    • Reminder Date: (Optional) Enter the date when a reminder about the Task will be sent.
    • Assign To: (Optional) Select one or more users to whom the Task will be assigned.
    • Due Date: (Optional) Enter the due date for the Task.
    • Escalation Date: (Optional) Enter the escalation date for the Task.
    • Escalate To: (Optional) Select one or more users to whom the Task will be escalated. If the escalation date is met and the Task has not been completed, the system will assign the Task to the selected user(s).
    • Follow: (Optional) Select this checkbox to follow the Task (i.e., receive notifications about changes and updates), and then select a notification level from the Notification Level dropdown.

Step 2: Create Associations for the Group (Optional)

Clicking Next on the Details step will display the optional Associations step (Figure 3). Here, you can enter details about Indicators to create and associate to the Group.

Figure 3_Creating Threat Intelligence Data_7.3.0

 

Follow these steps to fill out the fields on the Associations step:

  1. Select an Indicator type from the dropdown in the Indicator Type card. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. After you select an Indicator type, the Indicator Type card will display fields you can use to enter values for Indicators of that type. If you select Unknown - (parsed), the Indicator Type card will display the following options:
    • Upload: Upload a file containing Indicators. To view upload requirements, hover over the InformationInformation icon_Dark blueicon to the right of the Upload heading. To create a Document Group that contains the uploaded file and associate it to the Group you are creating, select Retain Document as attachment.
    • Enter Text: If you are not uploading a file, enter the text to parse for Indicators, and then click AddPlus icon_Gray. Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR.
      Note

      Custom Indicator types may also be parsed if the following conditions are met:

      • a System Administrator selected the Parsable checkbox when configuring the custom Indicator type;
      • the custom Indicator type accepts a single value;
      • a System Administrator created an import rule for the custom Indicator type.

      For more information on custom Indicator types and Indicator import rules, see the “Custom Indicator Types” and “Indicator Import Rules” sections, respectively, of ThreatConnect System Administration Guide.

      Important
      Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
  2. (Optional) On the Associations card, review the table containing the Indicators that will be created and associated to the Group. To remove an Indicator from the table, click DeleteTrash icon_Blackin the Actions column.
    Note
    The table in the Associations card will include a Private column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as private, select the corresponding checkbox in the Private column.
    Note
    A checkmark in the Known column indicates that the Indicator already exists in the owner in which the Group will be created.
  3. (Optional) On the Association Details card, provide the following details for allIndicators that will be created and associated to the Group:
    • Description: (Optional) Enter a Description for the Indicators. If you entered a Description for the Group on the Details step and selected Apply Descriptions to Associations, the text box will contain that Description.
    • Tags: (Optional) Enter one or more Tags to apply to the Indicators. If you entered Tags for the Group on the Details step and selected Apply Tags to Associations, the text box will contain those Tags.
    • Threat Rating: (Optional) Set the Threat Rating for the Indicators.
    • Confidence Rating: (Optional) Set the Confidence Rating for the Indicators.
  4. Click Next to proceed to the optional Attachments step, or click Save to create the Group.

Step 3: Upload File Attachments to the Group (Optional)

Clicking Next on the Associations step will display the optional Attachments step (Figure 4). Here, you can upload and attach related files to the Group.

Figure 4_Creating Threat Intelligence Data_7.3.0

 

Follow these steps to fill out the fields on the Attachments step:

  1. Upload one or more files for which Document Groups will be created and associated to the Group being created.
  2. After a file is uploaded, its filename will be displayed below the file upload area, along with a Add to Malware Vault checkbox. Leave this checkbox cleared unless you are uploading a malware file.
  3. Click Save to create the Group.

Creating an Intelligence Requirement

See Creating Intelligence Requirements for instructions on creating Intelligence Requirements.

Creating a Track

Enabling Tracks in an Organization

Before you can create a Track, an Organization Administrator must enable DomainTools® Reverse Whois Tracking.

Note
The number of Tracks you can create is determined by your agreement with DomainTools.
  1. Hover over SettingsSettings iconon the top navigation barn and select Org Settings. Then select the Settings tab (Figure 5).
    Figure 5_Creating Threat Intelligence Data_7.3.0

     

  2. Click ENABLE in the Reverse Whois section on the Settings tab.
  3. On the Setup DomainTools window, enter your DomainTools API username and key. Then click SAVE.

Creating a New Track

Follow these steps to create a Track:

  1. Hover over Create on the top navigation bar and select Track.
  2. On the Create Reverse Whois Track window (Figure 6), select the owner in which to create the Track, enter the Track’s name, and enter the terms that the Track should and should not contain.Figure 6_Creating Threat Intelligence Data_7.3.0

     

  3. (Optional) Click TEST to test the Track.
  4. Click SAVE to create the Track.

Creating a Victim

Follow these steps to create a Victim:

  1. Hover over Create on the top navigation bar and select Victim.
  2. On the Create Victim window (Figure 7), select the owner in which to create the Victim and enter the Victim’s name. You can also enter a Description, organization, sub-organization, nationality, and work location for the Victim, if desired.
    Figure 7_Creating Threat Intelligence Data_7.3.0

     

  3. Click SAVE to create the Victim.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools® is a registered trademark of DomainTools, LLC.

20003-01 v.14.A


Was this article helpful?