- 05 May 2023
- 3 Minutes to read
-
Print
-
DarkLight
Ownership in ThreatConnect
- Updated on 05 May 2023
- 3 Minutes to read
-
Print
-
DarkLight
Overview
Everything in ThreatConnect® has an owner. Owners have full control over whatever they own, and they fall under one of the following three categories:
- Organization: An Organization, often referred to as an Org, represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.
- Community: A Community is a tightly administered group of ThreatConnect owners. A Community may have Organizations or individual users as members. Members can contribute intelligence to the Community, vote on Indicator ratings, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. Oftentimes, a Community will rally around a common purpose, such as an industry sector, a current event, or a geopolitical region.
- Source: A Source is a one-way feed of information. Like Communities, Sources may have Organizations or individual users as members. Unlike Communities, Sources are not meant to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any writable access within a Source. Oftentimes, a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.
Before You Start
Minimum Role(s) | Organization role of Read Only User |
---|---|
Prerequisites | A ThreatConnect object (Indicator, Group, Tag, Track, Victim, or Victim Asset) |
Viewing an Object's Owner
New Details Screen
Navigate to the Details screen for an Indicator or Group. The object’s owner type (Organization, Community, or Source) and owner name are displayed in the header at the upper left (Figure 1).
Legacy Details Screen
Navigate to the legacy Details screen for an Indicator or Group. The object’s owner type (Organization, Community, or Source) is displayed at the upper left, and its owner name is displayed in the orange block at the upper right (Figure 2).
Copies of Indicators Across Multiple Owners
The same Indicator in ThreatConnect can reside in multiple owners, because different parties may have different levels of information that they possess, or are willing to share, about that Indicator. Indicators with matching summaries in different owners (e.g., the badguy.com Host Indicator in Demo Organization and the badguy.com Host Indicator in Demo Community) are considered to be copies of the same Indicator that exist in different owners.
Changes made to an Indicator in one owner do not affect copies of that Indicator in other owners. The copies are maintained separately to respect the idea that different owners will have different insights. In other words, there is value in viewing an Indicator through the lens of your Organization, as well as seeing intelligence on the Indicator from your Communities and Sources.
You can view all other owners of an Indicator in ThreatConnect in multiple places on the Details screen.
New Details Screen
Navigate to the Details screen for an Indicator. If the Indicator exists in at least one other owner, then the area where its owner name and type are displayed will be a dropdown menu that you can click on to view all owner types and names for the Indicator (Figure 3). Click on an owner to view the Details screen for that version of the Indicator.
The Owners & Feeds card also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 4). Click on an owner to view the Details screen for that version of the Indicator in a new browser tab.
Legacy Details Screen
Navigate to the legacy Details screen for an Indicator. If the Indicator exists in at least one other owner, then the orange block at the upper-right corner will be a dropdown menu that you can click on to view all owners for the Indicator (Figure 5). Select an owner to view the Details screen for that version of the Indicator.
The Additional Owners card also lists all other owners of an Indicator, along with the Threat and Confidence Ratings for each version of the Indicator (Figure 6). Click on an owner to view the Details screen for that version of the Indicator.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20026-01 v.07.B