Contents x
Ownership in ThreatConnect
  • 05 May 2023
  • 3 Minutes to read
  • Print
  • Dark
    Light
Contents

Ownership in ThreatConnect

  • Updated on 05 May 2023
  • 3 Minutes to read
  • Print
  • Dark
    Light
Article Summary

Overview

Everything in ThreatConnect® has an owner. Owners have full control over whatever they own, and they fall under one of the following three categories:

  • Organization: An Organization, often referred to as an Org, represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.
  • Community: A Community is a tightly administered group of ThreatConnect owners. A Community may have Organizations or individual users as members. Members can contribute intelligence to the Community, vote on Indicator ratings, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. Oftentimes, a Community will rally around a common purpose, such as an industry sector, a current event, or a geopolitical region.
  • Source: A Source is a one-way feed of information. Like Communities, Sources may have Organizations or individual users as members. Unlike Communities, Sources are not meant to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any writable access within a Source. Oftentimes, a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.

Before You Start

Minimum Role(s)Organization role of Read Only User
PrerequisitesA ThreatConnect object (Indicator, Group, Tag, Track, Victim, or Victim Asset)

Viewing an Object's Owner

New Details Screen

Navigate to the Details screen for an Indicator or Group. The object’s owner type (Organization, Community, or Source) and owner name are displayed in the header at the upper left (Figure 1).

Important
The new Details screen is not currently available for Document, Email, Report, Signature, and Task Groups; Tags; Tracks; and Victims.

Ownership in ThreatConnect_Figure 1

 

Legacy Details Screen

Navigate to the legacy Details screen for an Indicator or Group. The object’s owner type (Organization, Community, or Source) is displayed at the upper left, and its owner name is displayed in the orange block at the upper right (Figure 2).

Ownership in ThreatConnect_Figure 2

 

Copies of Indicators Across Multiple Owners

The same Indicator in ThreatConnect can reside in multiple owners, because different parties may have different levels of information that they possess, or are willing to share, about that Indicator. Indicators with matching summaries in different owners (e.g., the badguy.com Host Indicator in Demo Organization and the badguy.com Host Indicator in Demo Community) are considered to be copies of the same Indicator that exist in different owners. 

Note
Each Group, Tag, Track, Victim, and Victim Asset exists in only one owner. Objects of these types with matching summaries in different owners (e.g., the Bad Guy Adversary Group in Demo Organization and the Bad Guy Adversary Group in Demo Community) are separate objects that are unrelated to each other.

Changes made to an Indicator in one owner do not affect copies of that Indicator in other owners. The copies are maintained separately to respect the idea that different owners will have different insights. In other words, there is value in viewing an Indicator through the lens of your Organization, as well as seeing intelligence on the Indicator from your Communities and Sources.

You can view all other owners of an Indicator in ThreatConnect in multiple places on the Details screen.

New Details Screen

Navigate to the Details screen for an Indicator. If the Indicator exists in at least one other owner, then the area where its owner name and type are displayed will be a dropdown menu that you can click on to view all owner types and names for the Indicator (Figure 3). Click on an owner to view the Details screen for that version of the Indicator.

Ownership in ThreatConnect_Figure 3

 

The Owners & Feeds card also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 4). Click on an owner to view the Details screen for that version of the Indicator in a new browser tab.

Ownership in ThreatConnect_Figure 4

 

Legacy Details Screen

Navigate to the legacy Details screen for an Indicator. If the Indicator exists in at least one other owner, then the orange block at the upper-right corner will be a dropdown menu that you can click on to view all owners for the Indicator (Figure 5). Select an owner to view the Details screen for that version of the Indicator.

Ownership in ThreatConnect_Figure 5

 

The Additional Owners card also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 6). Click on an owner to view the Details screen for that version of the Indicator.

Ownership in ThreatConnect_Figure 6

 

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20026-01 v.07.B

Was this article helpful?
Related articles
What's Next
Company
Sales and Support
Follow Us
© 2012–2023 ThreatConnect, Inc. All Rights Reserved.