The Publish Feature
  • 25 Oct 2022
  • 2 Minutes to read
  • Dark
    Light

The Publish Feature

  • Dark
    Light

Minimum Role: Community role of Contributor, Editor, or Director

Prerequisites: A Group that has exists in or has been contributed to a Community or Source

Overview

The Publish feature in ThreatConnect® packages intelligence in the form of Group data objects and writes it to a JSON file. It is a necessary step in the process of sharing the data with users on other instances of ThreatConnect via the Cross-Intel Sharing App. When a Group is published, the following objects will be included in the corresponding JSON file (unless they are excluded via a Security Label:

The following Group types can be published: Adversary, Attack Pattern, Campaign, Course of Action, Document, E-mail, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Threat, Tool, and Vulnerability. In order to publish a Group, it must first exist in, or be contributed to, a Community or Source.

Note
If a System Administrator has enabled publishing from Organizations, Organization Administrators may publish Groups that exist in their Organization without needing to contribute them to a Community or Source (i.e., they can publish Groups directly from their Organization).

Publishing a Group

  1. Navigate to the Sharing tab of the Details screen for the Group in the Community or Source to which it belongs or was contributed (Figure 1).

    Timeline  Description automatically generated

     

  2. Click the PUBLISH… button. The Publish Intel window will be displayed, with the Initial screen selected (Figure 2). This screen provides a summary of the Group that is to be published for cross-instance sharing.

    Graphical user interface, application, Teams  Description automatically generated

     

    • Click the Next button.
  3. The Security Labels screen will be displayed (Figure 3).

    Graphical user interface, application  Description automatically generated

     

    • Excluded Security Labels: Select Security Labels to exclude. Any associated objects and Attributes with the selected Security Labels applied to them will not be included in the published JSON file.
    • Click the Next button.
  4. The Save screen will be displayed (Figure 4). This screen lists the Group and its associated Groups that will be published.

    Graphical user interface, text, website  Description automatically generated

     

    • Click the PUBLISH button.
  5. The Sharing tab of the Details screen for the Group will be displayed again, with the newly created JSON file listed in the Published in: table at the bottom of the screen (Figure 5).

    Timeline  Description automatically generated

     

    Note
    A Group can also be published at the same time that it is being contributed to a Community or Source by selecting the Publish after Copy checkbox on the Save screen of the Contribute to Community/Source window.

Once a Group has been published, it—and its associated Indicators and Groups, Security Labels, Attributes, and Tags—can be shared across instances via the ThreatConnect Cross-Intel Sharing App.

Important
Changes that are made to a Group after it has been published will not be reflected in the JSON file. The Group will need to be published again in order to capture any changes that occur after its publication.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20060-01 v.03.C


Was this article helpful?