Ownership in ThreatConnect

Overview

Each threat intelligence data object in ThreatConnect^® has an owner. Owners have full control over the data they own, and they fall under one of the following three categories:

• Organization: An Organization, often referred to as an Org, represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.
• Community: A Community is a tightly administered group of ThreatConnect owners. A Community may have Organizations or individual users as members. Members can contribute intelligence to the Community, rate Indicators, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. Oftentimes, a Community will be created around a common purpose, such as an industry sector, a current event, or a geopolitical region.
• Source: A Source is a one-way feed of information. Like Communities, Sources may have Organizations or individual users as members. Unlike Communities, Sources are not intended to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any write access within a Source. Oftentimes, a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.

Before You Start

User Roles

• To view the owner of a threat intelligence data object in an Organization, your user account can have any Organization role.
• To view the owner of a threat intelligence data object in a Community or Source, your user account can have any Community role except Banned for that Community or Source.

Prerequisites

• To display the Tags Across Owners card on the Details drawer and Details screen for Indicators, turn on the multiSourceViewEnabled system setting (must be a System Administrator to perform this action).

Viewing an Object's Owner

There are multiple areas in ThreatConnect where you can view the owner of a threat intelligence data object (i.e., an Indicator, Group, Tag, Track, Victim, or Intelligence Requirement), the most convenient of which is the Details screen.

New Details Screen

On the Details screen for a threat intelligence data object, you can view the object’s owner type and name in the screen’s header (Figure 1).

Legacy Details Screen

On the legacy Details screen for a threat intelligence data object, you can view the object’s owner type at the top left of the screen, and you can view the object’s owner name in the orange block at the top right of the screen (Figure 2).

Copies of Indicators Across Multiple Owners

The same Indicator in ThreatConnect can reside in multiple owners, because different parties may have different levels of information that they possess, or are willing to share, about that Indicator. Indicators with matching summaries in different owners (e.g., the badguy.com Host Indicator in Demo Organization and the badguy.com Host Indicator in Demo Community) are considered to be copies of the same Indicator that exist in different owners. 

Changes made to an Indicator in one owner do not affect copies of that Indicator in other owners. The copies are maintained separately to respect the idea that different owners will have different insights. In other words, there is value in viewing an Indicator through the lens of your Organization, as well as seeing intelligence on the Indicator from your Communities and Sources.

You can view all of an Indicator’s owners you have access to in ThreatConnect in multiple places on the Details drawer and Details screen.

Details Drawer

On an Indicator’s Details drawer, you can view the Indicator’s owner at the top left of the drawer. If the Indicator exists in at least one other owner, then the area where its owner type and name are displayed will be a dropdown that you can use to view all owner types and names for the Indicator (Figure 3). Select an owner to open the Details drawer for that version of the Indicator.

You can also view all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator, on the Owners & Feeds card (Figure 4). Click on an owner in the Owner & Feeds card to open the Details screen for that version of the Indicator.

If your System Administrator turned on the multiSourceViewEnabled system setting, you can view all of the Indicator’s owners and the Tags applied to the Indicator in each of those owners on the Tags Across Owners card (Figure 5).

New Details Screen

On an Indicator’s Details screen, the owner name and type displayed in the header will be a dropdown that you can use to view all owner types and names for the Indicator if the Indicator exists in at least one other owner (Figure 6). Select an owner to open the Details screen for that version of the Indicator.

As in the Details drawer, you can also view all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator, on the Owners & Feeds card (Figure 4). Click on an owner in the Owner & Feeds card to open the Details screen for that version of the Indicator.

If your System Administrator turned on the multiSourceViewEnabled system setting, you can view all of the Indicator’s owners, as well as view and manage the Tags applied to the Indicator in those owners, on the Tags Across Owners card (Figure 5).

Legacy Details Screen

On an Indicator’s legacy Details screen, the orange block at the upper-right corner will be a dropdown that you can use to view all owners of the Indicator if it exists in multiple owners (Figure 7). Select an owner to open the Details screen for that version of the Indicator.

The Additional Owners card on the legacy Details screen also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 8). Click on an owner to open the Details screen for that version of the Indicator.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.

20026-01 v.08.A