Posts
  • 18 Aug 2022
  • 5 Minutes to read
  • Dark
    Light

Posts

  • Dark
    Light

Minimum Role: In an Organization, all users can view posts; all users except Read Only Users (System and Organization role of Read Only User) can create and reply to posts and delete their own posts; and only Organization Administrators can delete any post. In a Community, all users except Banned users can view posts; all users except Users (Community role of User) and Subscribers can create and reply to posts and delete their own posts; and only Editors and Directors can delete any post. See ThreatConnect Owner Roles and Permissions for more details.

Prerequisites: None

Overview

On the Posts screen in ThreatConnect®, you can view, create, and reply to posts in the owners (i.e., Organizations, Communities, and Sources) to which you have access. When creating a post, you can link the post to Indicators, Groups, Tags, Tracks, or Victims in ThreatConnect by using the ADD LINK feature or ThreatConnect Markup.

Important
If anonymity is enabled for a Community or Source, all posts will be anonymous, and the pseudonym of the user who created the post will be displayed. If anonymity is disabled for a Community or Source, all posts will display the First Name and Last Name of the user account that created the post.

Viewing Posts

On the top navigation bar, click Posts to display the Home view of the Posts screen (Figure 1). This screen displays posts for your Organization and all Communities and Sources to which you have viewing access.

Note
An orange circle displayed at the top right of the Posts option on the top navigation bar indicates that there are new, unviewed posts.

Graphical user interface, application, Teams  Description automatically generated

 

On the My ThreatConnect card, select an Organization, Community, or Source from the My Org, Communities, or Intelligence Sources section, respectively. Alternatively, use the selector at the upper-right corner of the Posts screen to select an owner.

After an owner is selected (Sample Community in this example), its Posts screen will be displayed (Figure 2). Here, you can view posts in the owner, create new posts, and reply to existing posts. See the “Creating Posts” and “Replying to Posts” sections for instructions on creating posts and replying to posts, respectively.

Graphical user interface, application, Teams  Description automatically generated

 

To view posts linked to an object, navigate to the object’s Details screen and scroll down to the Posts card on the right side of the screen (Figure 3). For instructions on accessing an object’s Details screen, see the "Viewing the Details Screen" section of The Details Screen.

Graphical user interface, application, Teams  Description automatically generated

 

Creating Posts

The Add New Comment card (Figure 4) of an owner’s Posts screen (Figure 2) and an object’s Details screen (Figure 3) allows you to create posts in the owner and the object’s owner that are linked to the object, respectively.

Graphical user interface, application  Description automatically generated

 

  • Click in the text box to enter the contents of the post.
  • Suppress Notifications: Select this checkbox if you do not want to receive notifications when others reply to your post.
    Note
    Notifications will be suppressed only for posts that have the Suppress Notifications checkbox selected. They will not be suppressed for replies to the post unless those replies also have the Suppress Notifications checkbox selected.
  • ADD LINK…: Click this button to link the post to an Indicator, Group, Tag, Track, or Victim. See the “Linking Posts to Objects” section for instructions on using this feature.
    Note
    If you create a post via the Add New Comment card on an object’s Details screen (Figure 3), the post will be linked to the object automatically.
  • Click the POST button. The post will be displayed in the Posts card below the Add Comment card on the Posts screen or an object’s Details screen.

Linking Posts to Objects

When creating or replying to a post, the ADD LINK… feature allows you to link the post to an object that exists in the selected owner.

  1. Click ADD LINK… to display a window below the Add New Comment card (Figure 5).
    Graphical user interface, application, Teams  Description automatically generated

     

  2. Use the Select Type dropdown menu to select the type of object to which the post will be linked. After an object type is selected (Adversary Group in this example), the window will display all objects of that type (Figure 6).
    Graphical user interface, application, Teams  Description automatically generated

     

    • Filter: If desired, enter a search term in this field and click the magnifying glass Icon  Description automatically generatedto narrow the results.
    • Select the object to which the post will be linked.
    • Click the ADD button.
  3. A link to the selected object will be displayed in the Add New Comment text box (Figure 7). After finalizing the post, click the POST button.
    Graphical user interface, text, application, email  Description automatically generated

     

    Important
    The ADD LINK… feature allows you to link one object to a post at a time. To link more than one object to a post using the ADD LINK… feature, repeat Steps 1–3 for each object.

In addition to the ADD LINK… feature, you can use ThreatConnect Markup to link posts to objects by typing the syntax directly into the text box on the Add New Comment card using the formats provided in Table 1, where the values in italics represent the content of the object.

 

Object TypeThreatConnect Markup SyntaxExample
Owner[[@this]]
Note
Only the owner in which the post is being created can be linked. Do not replace “this” with the name of the owner after the @ sign. The only valid expression is [[@this]]. The ADD LINK… feature does not support this link type, so the only way to link the owner is through this syntax.
[[@this]]
Address[[address:Address]][[address:38.21.240.4]]
Adversary[[adversary:Adversary]][[adversary:Bad Guy]]
Attack Pattern[[attackpattern:AttackPattern]][[attackpattern:Session Credential Falsification through Forging]]
Campaign[[campaign:Campaign]][[campaign:Dangerous Effort]]
Course of Action[[courseofaction:CourseOfAction]][[courseofaction:User Training]]
Document[[document:Document]][[document:FireEye APT28.pdf]]
Email[[email:Email]][[email:Your ACME order]]
Email Address[[emailaddress:EmailAddress]][[emailaddress:hacker@bad.com]]
Event[[event:Event]][[event:Hash seen on endpoint]]
File[[file:FileHash]][[file:463E093C46962CABDFCDC2AB61480A6F]]
Host[[host:Host]][[host:bad.com]]
Incident[[incident:Incident]][[incident:Something bad happened here]]
Intrusion Set[[intrusionset:IntrusionSet]][[intrusionset:Frozen Penguin]]
Malware[[malware:Malware]][[malware:Ransomware - Ryuk]]
Report[[report:Report]][[report:BadRabbit Ransomware Report]]
Signature[[signature:Signature]][[signature:20190322B.rules]]
Tactic[[tactic:Tactic]][[tactic:TA0011 Command and Control]]
Tag[[tag:Tag]][[tag:hacker]]
Task[[task:Task]][[task:Investigate this]]
Threat[[threat:Threat]][[threat:Very bad people]]
Tool[[tool:Tool]][[tool:Nmap]]
Track[[track:Track]][[track:202-555-1212]]
URL[[url:URL]][[url:https://www.bad.com]]
Victim[[victim:Victim]][[victim:ACME Analyst]]
Vulnerability[[vulnerability:Vulnerability]][[vulnerability:CVE-2021-44228]]
Important
Do not insert spaces after the colons in ThreatConnect Markup. For example, [[adversary:Bad Guy]] is correct, while [[adversary: Bad Guy]] is not.
Note
ThreatConnect Markup does not support links to the following object types: ASN, CIDR, Email Subject, Hashtag, Mutex, Registry Key, User Agent, and any custom Indicator types on your ThreatConnect instance. To link posts to objects of these types, use the ADD LINK… feature.

Replying to Posts

To reply to a post, click Reply A picture containing text, ax, tool, clipart  Description automatically generated at the lower-right corner of the post. A text box for creating a reply will be displayed (Figure 8).

Graphical user interface, text, application, email  Description automatically generated

 

See the “Creating Posts” section for descriptions of each element displayed on the screen when replying to a post.

Deleting Posts

To delete a post, click Delete Icon  Description automatically generated at the lower-right corner of the post. The Delete Post window will be displayed. Click the YES button to delete the post.

Warning
Deleting a post will also delete all of its replies.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20016-01 v.10.B


Was this article helpful?