- 06 Mar 2023
- 5 Minutes to read
- Updated on 06 Mar 2023
- 5 Minutes to read
On the Posts screen in ThreatConnect®, you can view, create, and reply to posts in the owners (i.e., Organizations, Communities, and Sources) to which you have access. When creating a post, you can link the post to Indicators, Groups, Tags, Tracks, or Victims in ThreatConnect by using the ADD LINK feature or ThreatConnect Markup.
Before You Start
In an Organization, all users can view posts; all users except Read Only Users (System and Organization role of Read Only User) can create and reply to posts and delete their own posts; and only Organization Administrators can delete any post.
In a Community, all users except Banned users can view posts; all users except Users (Community role of User) and Subscribers can create and reply to posts and delete their own posts; and only Editors and Directors can delete any post.See ThreatConnect Owner Roles and Permissions for more details.
On the top navigation bar, click Posts to display the Home view of the Posts screen (Figure 1). This screen displays posts for your Organization and all Communities and Sources to which you have viewing access.
On the My ThreatConnect card, select an Organization, Community, or Source from the My Org, Communities, or Intelligence Sources section, respectively. Alternatively, use the selector at the upper-right corner of the Posts screen to select an owner.
After an owner is selected (Sample Community in this example), its Posts screen will be displayed (Figure 2). Here, you can view posts in the owner, create new posts, and reply to existing posts. See the “Creating Posts” and “Replying to Posts” sections for instructions on creating posts and replying to posts, respectively.
You can view posts linked to Indicators, Groups, Tags, Tracks, and Victims on an object’s Details screen. On the new Details screen, posts linked to an object are displayed in the Notes card (Figure 3). This card is located on the right side of the new Details screen, at the bottom of the screen.
On the legacy Details screen, posts linked to an object, as well as replies to each post, are displayed on the Posts card (Figure 4). This card is located on the right side of the legacy Details screen, at the bottom of the screen.
Posts Screen and Legacy Details Screen
The Add New Comment card (Figure 5) of an owner’s Posts screen and an object’s Details screen is where you can create posts in the owner and the object’s owner that are linked to the object, respectively.
- Click in the text box to enter the contents of the post.
- Suppress Notifications: Select this checkbox if you do not want to receive notifications when others reply to your post.NoteNotifications will be suppressed only for posts that have the Suppress Notifications checkbox selected. They will not be suppressed for replies to the post unless those replies also have the Suppress Notifications checkbox selected.
- ADD LINK…: Click this button to link the post to an Indicator, Group, Tag, Track, or Victim. See the “Linking Posts to Objects” section for instructions on using this feature.NoteIf you create a post via the Add New Comment card on an object’s Details screen, the post will be linked to the object automatically.
- Click the POST button. The post will be displayed in the Posts card below the Add Comment card on the Posts screen or an object’s legacy Details screen.
New Details Screen
On the new Details screen, click Addat the upper-right corner of the Notes card to create a post linked to the object whose Details screen you are viewing. The Add Note window will be displayed (Figure 6).
- Note: Enter the contents of the post in the text box.
- Click the Save button. The post will be displayed in the Notes card on the object’s Details screen, as well as in the Posts card on the Posts screen for the object’s owner.
Linking Posts to Objects
When creating or replying to a post on the Posts screen and an object’s legacy Details screen, you can use the ADD LINK… feature or ThreatConnect Markup to link the post to an object that exists in the selected owner.
- Click ADD LINK… to display a window below the Add New Comment card (Figure 7).
- Use the Select Type dropdown menu to select the type of object to which the post will be linked. After an object type is selected (Adversary Group in this example), the window will display all objects of that type (Figure 8).
- Filter: If desired, enter a search term in this field and click Searchto narrow the results.
- Select the object to which the post will be linked.
- Click the ADD button.
- A link to the selected object will be displayed in the Add New Comment text box (Figure 9). After finalizing the post, click the POST button.ImportantThe ADD LINK… feature allows you to link one object to a post at a time. To link more than one object to a post using the ADD LINK… feature, repeat Steps 1–3 for each object.
You can use ThreatConnect Markup to link posts to objects by typing the syntax directly into the text box on the Add New Comment card using the formats provided in Table 1, where the values in italics represent the content of the object.
|Object Type||ThreatConnect Markup Syntax||Example|
Only the owner in which the post is being created can be linked. Do not replace “this” with the name of the owner after the @ sign. The only valid expression is [[@this]]. The ADD LINK… feature does not support this link type, so the only way to link the owner is through this syntax.
|Attack Pattern||[[attackpattern:AttackPattern]]||[[attackpattern:Session Credential Falsification through Forging]]|
|Course of Action||[[courseofaction:CourseOfAction]]||[[courseofaction:User Training]]|
|[[email:Email]]||[[email:Your ACME order]]|
|Event||[[event:Event]]||[[event:Hash seen on endpoint]]|
|Incident||[[incident:Incident]]||[[incident:Something bad happened here]]|
|Intrusion Set||[[intrusionset:IntrusionSet]]||[[intrusionset:Frozen Penguin]]|
|Malware||[[malware:Malware]]||[[malware:Ransomware - Ryuk]]|
|Report||[[report:Report]]||[[report:BadRabbit Ransomware Report]]|
|Tactic||[[tactic:Tactic]]||[[tactic:TA0011 Command and Control]]|
|Threat||[[threat:Threat]]||[[threat:Very bad people]]|
Replying to Posts
To reply to a post, click Replyat the lower-right corner of the post. A text box for creating a reply will be displayed (Figure 10).
To delete a post, click Deleteat the lower-right corner of the post. The Delete Post window will be displayed. Click the YES button to delete the post.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.