Contents x
Posts
  • 06 Mar 2023
  • 5 Minutes to read
  • Print
  • Dark
    Light
Contents

Posts

  • Updated on 06 Mar 2023
  • 5 Minutes to read
  • Print
  • Dark
    Light

Overview

On the Posts screen in ThreatConnect®, you can view, create, and reply to posts in the owners (i.e., Organizations, Communities, and Sources) to which you have access. When creating a post, you can link the post to Indicators, Groups, Tags, Tracks, or Victims in ThreatConnect by using the ADD LINK feature or ThreatConnect Markup.

Important
If anonymity is enabled for a Community or Source, all posts will be anonymous, and the pseudonym of the user who created the post will be displayed. If anonymity is disabled for a Community or Source, all posts will display the First Name and Last Name of the user account that created the post.

Before You Start

Minimum Role(s)

In an Organization, all users can view posts; all users except Read Only Users (System and Organization role of Read Only User) can create and reply to posts and delete their own posts; and only Organization Administrators can delete any post.

In a Community, all users except Banned users can view posts; all users except Users (Community role of User) and Subscribers can create and reply to posts and delete their own posts; and only Editors and Directors can delete any post.

See ThreatConnect Owner Roles and Permissions for more details.
PrerequisitesNone

Viewing Posts

Posts Screen

On the top navigation bar, click Posts to display the Home view of the Posts screen (Figure 1). This screen displays posts for your Organization and all Communities and Sources to which you have viewing access.

Note
An orange circle displayed at the top right of the Posts option on the top navigation bar indicates that there are new, unviewed posts.

Graphical user interface, application, Teams Description automatically generated

 

On the My ThreatConnect card, select an Organization, Community, or Source from the My Org, Communities, or Intelligence Sources section, respectively. Alternatively, use the selector at the upper-right corner of the Posts screen to select an owner.

After an owner is selected (Sample Community in this example), its Posts screen will be displayed (Figure 2). Here, you can view posts in the owner, create new posts, and reply to existing posts. See the “Creating Posts” and “Replying to Posts” sections for instructions on creating posts and replying to posts, respectively.

Graphical user interface, application, Teams Description automatically generated

 

Details Screen

You can view posts linked to Indicators, Groups, Tags, Tracks, and Victims on an object’s Details screen. On the new Details screen, posts linked to an object are displayed in the Notes card (Figure 3). This card is located on the right side of the new Details screen, at the bottom of the screen.

 

Note
Replies to a post linked to an object are not displayed on the Notes card.

On the legacy Details screen, posts linked to an object, as well as replies to each post, are displayed on the Posts card (Figure 4). This card is located on the right side of the legacy Details screen, at the bottom of the screen.

Graphical user interface, application, Teams Description automatically generated

 

Creating Posts

Posts Screen and Legacy Details Screen

The Add New Comment card (Figure 5) of an owner’s Posts screen and an object’s Details screen is where you can create posts in the owner and the object’s owner that are linked to the object, respectively.

Graphical user interface, application Description automatically generated

 

  • Click in the text box to enter the contents of the post.
  • Suppress Notifications: Select this checkbox if you do not want to receive notifications when others reply to your post.
    Note
    Notifications will be suppressed only for posts that have the Suppress Notifications checkbox selected. They will not be suppressed for replies to the post unless those replies also have the Suppress Notifications checkbox selected.
  • ADD LINK…: Click this button to link the post to an Indicator, Group, Tag, Track, or Victim. See the “Linking Posts to Objects” section for instructions on using this feature.
    Note
    If you create a post via the Add New Comment card on an object’s Details screen, the post will be linked to the object automatically.
  • Click the POST button. The post will be displayed in the Posts card below the Add Comment card on the Posts screen or an object’s legacy Details screen.

New Details Screen

On the new Details screen, click AddAdd button_Details screenat the upper-right corner of the Notes card to create a post linked to the object whose Details screen you are viewing. The Add Note window will be displayed (Figure 6).

 

  • Note: Enter the contents of the post in the text box.
  • Click the Save button. The post will be displayed in the Notes card on the object’s Details screen, as well as in the Posts card on the Posts screen for the object’s owner.

Linking Posts to Objects

When creating or replying to a post on the Posts screen and an object’s legacy Details screen, you can use the ADD LINK… feature or ThreatConnect Markup to link the post to an object that exists in the selected owner.

  1. Click ADD LINK… to display a window below the Add New Comment card (Figure 7).
    Graphical user interface, application, Teams Description automatically generated

     

  2. Use the Select Type dropdown menu to select the type of object to which the post will be linked. After an object type is selected (Adversary Group in this example), the window will display all objects of that type (Figure 8).
    Graphical user interface, application, Teams Description automatically generated

     

    • Filter: If desired, enter a search term in this field and click SearchIcon Description automatically generatedto narrow the results.
    • Select the object to which the post will be linked.
    • Click the ADD button.
  3. A link to the selected object will be displayed in the Add New Comment text box (Figure 9). After finalizing the post, click the POST button.
    Graphical user interface, text, application, email Description automatically generated

     

    Important
    The ADD LINK… feature allows you to link one object to a post at a time. To link more than one object to a post using the ADD LINK… feature, repeat Steps 1–3 for each object.

You can use ThreatConnect Markup to link posts to objects by typing the syntax directly into the text box on the Add New Comment card using the formats provided in Table 1, where the values in italics represent the content of the object.

 

Object TypeThreatConnect Markup SyntaxExample
Owner[[@this]]
Note
Only the owner in which the post is being created can be linked. Do not replace “this” with the name of the owner after the @ sign. The only valid expression is [[@this]]. The ADD LINK… feature does not support this link type, so the only way to link the owner is through this syntax.
[[@this]]
Address[[address:Address]][[address:38.21.240.4]]
Adversary[[adversary:Adversary]][[adversary:Bad Guy]]
Attack Pattern[[attackpattern:AttackPattern]][[attackpattern:Session Credential Falsification through Forging]]
Campaign[[campaign:Campaign]][[campaign:Dangerous Effort]]
Course of Action[[courseofaction:CourseOfAction]][[courseofaction:User Training]]
Document[[document:Document]][[document:FireEye APT28.pdf]]
Email[[email:Email]][[email:Your ACME order]]
Email Address[[emailaddress:EmailAddress]][[emailaddress:hacker@bad.com]]
Event[[event:Event]][[event:Hash seen on endpoint]]
File[[file:FileHash]][[file:463E093C46962CABDFCDC2AB61480A6F]]
Host[[host:Host]][[host:bad.com]]
Incident[[incident:Incident]][[incident:Something bad happened here]]
Intrusion Set[[intrusionset:IntrusionSet]][[intrusionset:Frozen Penguin]]
Malware[[malware:Malware]][[malware:Ransomware - Ryuk]]
Report[[report:Report]][[report:BadRabbit Ransomware Report]]
Signature[[signature:Signature]][[signature:20190322B.rules]]
Tactic[[tactic:Tactic]][[tactic:TA0011 Command and Control]]
Tag[[tag:Tag]][[tag:hacker]]
Task[[task:Task]][[task:Investigate this]]
Threat[[threat:Threat]][[threat:Very bad people]]
Tool[[tool:Tool]][[tool:Nmap]]
Track[[track:Track]][[track:202-555-1212]]
URL[[url:URL]][[url:https://www.bad.com]]
Victim[[victim:Victim]][[victim:ACME Analyst]]
Vulnerability[[vulnerability:Vulnerability]][[vulnerability:CVE-2021-44228]]
Important
Do not insert spaces after the colons in ThreatConnect Markup. For example, [[adversary:Bad Guy]] is correct, while [[adversary: Bad Guy]] is not.
Note
ThreatConnect Markup does not support links to the following object types: ASN, CIDR, Email Subject, Hashtag, Mutex, Registry Key, User Agent, and any custom Indicator types on your ThreatConnect instance. To link posts to objects of these types, use the ADD LINK… feature.

Replying to Posts

To reply to a post, click ReplyA picture containing text, ax, tool, clipart Description automatically generatedat the lower-right corner of the post. A text box for creating a reply will be displayed (Figure 10).

Graphical user interface, text, application, email Description automatically generated

 

See the “Creating Posts” section for descriptions of each element displayed on the screen when replying to a post.

Deleting Posts

To delete a post, click DeleteIcon Description automatically generatedat the lower-right corner of the post. The Delete Post window will be displayed. Click the YES button to delete the post.

Warning
Deleting a post will also delete all of its replies.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20016-01 v.11.A

Was this article helpful?
Related articles
What's Next
Company
Sales and Support
Follow Us
© 2012–2023 ThreatConnect, Inc. All Rights Reserved.