Contents x
Ownership in ThreatConnect
  • 11 Apr 2025
  • 6 Minutes to read
  • Print
  • Dark
    Light
Contents

Ownership in ThreatConnect

  • Updated on 11 Apr 2025
  • 6 Minutes to read
  • Print
  • Dark
    Light
Article summary

Overview

Each threat intelligence data object in ThreatConnect® has an owner. Owners have full control over the data they own, and they fall under one of the following three categories:

  • Organization: An Organization, or Org, represents a team of persons working within the same entity (e.g., company, government office, security team). Every ThreatConnect user belongs to one, and only one, Organization. Organizations are generally a collaborative space. While it is possible to restrict access to particular pieces or types of data in the Organization, members are typically meant to work on tasks while fully visible to one another. Multiple Organizations can exist in a System (i.e., an instance of ThreatConnect).
  • Community: In a multitenant instance of ThreatConnect (i.e., an instance with multiple Organizations), a Community is a collaborative space for users in its member Organizations. Users can contribute and add their knowledge to data in the Community, as well as leverage information and insights contributed by other members to inform the data in their own Organization. Communities can be used for general intelligence sharing across Organizations, or they can be created around a particular topic, such as an industry sector, a current event, or a geopolitical region. Multiple Communities can exist in a System, and Organizations may be members of multiple Communities.
  • Source: A Source is a one-way feed of information, such as Indicators or intelligence, available to users in its member Organizations. The data provided by a Source can come from a premium, open-source, or internally produced feed. Unlike Communities, Sources are not intended to be collaborative environments. Users of member Organizations are not visible to one another and typically do not have any write access for data in the Source. Multiple Sources can exist in a System, and Organizations may be members of multiple Sources.

Before You Start

User Roles

  • To view the owner of a threat intelligence data object in an Organization, your user account can have any Organization role.
  • To view the owner of a threat intelligence data object in a Community or Source, your user account can have any Community role except Banned for that Community or Source.

Prerequisites

  • To have access to the Tags Across Owners card on the Details drawer and Details screen for Indicators and the Unified View option on the Details drawer for Indicators, turn on the multiSourceViewEnabled system setting (must be a System Administrator to perform this action).

Viewing an Object's Owner

There are multiple areas in ThreatConnect where you can view the owner of a threat intelligence data object (i.e., an Indicator, Group, Tag, Victim, or Intelligence Requirement), the most convenient of which is the Details screen.

 Details Screen

On the Details screen for a threat intelligence data object, you can view the object’s owner type and name in the screen’s header (Figure 1).

Important
The Details screen is not currently available for Email, and Task Groups, Tags, and Victims.

Screenshot of a host indicator highlighting the organization.

 

Legacy Details Screen

On the legacy Details screen for a threat intelligence data object, you can view the object’s owner type and name in the screen's header (Figure 2).

Screenshot of an Indicator and with a highlight on the owner in legacy details screen.

 

Copies of Indicators Across Multiple Owners

The same Indicator can reside in multiple owners, because different parties may have different levels of information that they possess, or are willing to share, about that Indicator. In other words, Indicators with matching summaries in different owners (e.g., the badguy.com Host Indicator in Demo Organization and the badguy.com Host Indicator in Demo Community) are copies of the same Indicator. 

Note
Each Group, Tag, and Victim (including their Victim Assets) exists in only one owner. Objects of these types with matching summaries in different owners (e.g., the Bad Guy Adversary Group in Demo Organization and the Bad Guy Adversary Group in Demo Community) or in the same owner (e.g., two Bad Guy Adversary Groups in Demo Organization) are separate objects that are unrelated to each other. Intelligence Requirements exist only in Organizations, are uniquely named within their Organization, and are unrelated to Intelligence Requirements in other Organizations on a ThreatConnect instance.

Changes made to an Indicator in one owner do not affect copies of that Indicator in other owners. The copies are maintained separately to respect the idea that different owners will have different insights. In other words, there is value in viewing an Indicator through the lens of your Organization, as well as seeing intelligence on the Indicator from your Communities and Sources.

You can view all of an Indicator’s owners you have access to in ThreatConnect in multiple places on the Details drawer and Details screen.

Details Drawer

On an Indicator’s Details drawer, you can view the Indicator’s owner at the top left of the drawer. If the Indicator exists in at least one other owner, then the area where its owner type and name are displayed will be a dropdown that you can use to view all owner types and names for the Indicator (Figure 3). Select an owner to open the Details drawer for that version of the Indicator.

Note
If an Indicator exists in multiple owners and your System Administrator turned on the multiSourceViewEnabled system setting, the dropdown in the header of the Indicator’s Details drawer will include a Unified View option that lets you view information about the Indicator from all of its owners to which you have access.

Screenshot of a Address Indicator with a highlight on the owner dropdown

 

You can also view all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator, on the Owners & Feeds card (Figure 4). Click an owner in the Owner & Feeds card to open the Details screen for that version of the Indicator.

Figure 4_Ownership in ThreatConnect_7.6.0

 

If your System Administrator turned on the multiSourceViewEnabled system setting, you can view all of the Indicator’s owners and the Tags applied to the Indicator in each of those owners on the Tags Across Owners card (Figure 5).

Figure 5_Ownership in ThreatConnect_7.6.0

 

 Details Screen

On an Indicator’s Details screen, the owner name and type displayed in the header will be a dropdown that you can use to view all owner types and names for the Indicator if the Indicator exists in at least one other owner (Figure 6). Select an owner to open the Details screen for that version of the Indicator.

Screenshot of an Address Indicator with a highlight on the owner dropdown.

 

As in the Details drawer, you can also view all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator, on the Owners & Feeds card (Figure 4). Click  an owner in the Owner & Feeds card to open the Details screen for that version of the Indicator.

If your System Administrator turned on the multiSourceViewEnabled system setting, you can view all of the Indicator’s owners, as well as view and manage the Tags applied to the Indicator in those owners, on the Tags Across Owners card (Figure 5).

Note
If you are viewing an Indicator that does not exist in your Organization and your user account has an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer, the Indicator’s Details screen will display a message stating the Indicator does not exist in your Organization and provide a link to create a copy of the Indicator in your Organization. If you click the link, the Details screen will show details for the copy of the Indicator in your Organization after it is created. In addition, if your System Administrator turned on the multiSourceViewEnabled system setting, your Organization will be listed on the Tags Across Owners card for the Indicator in addition to the Indicator’s other owners.

Legacy Details Screen

On an Indicator’s legacy Details screen, the owner name displayed in the header will be a dropdown that you can use to view all owners of the Indicator if it exists in multiple owners (Figure 7). Select an owner to open the Details screen for that version of the Indicator.

Screenshot of an Indicator and with a highlight on the owner in legacy details screen.

 

The Additional Owners card on the legacy Details screen also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 8). Click an owner to open the Details screen for that version of the Indicator.

Figure 8_Ownership in ThreatConnect_7.6.0

 

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20026-01 v.09.A

Was this article helpful?
Related articles
What's Next
Company
Sales and Support
Follow Us
© 2012–2025 ThreatConnect, Inc. All Rights Reserved.