ThreatConnect Glossary
  • 27 Mar 2024
  • 48 Minutes to read
  • Dark
    Light

ThreatConnect Glossary

  • Dark
    Light

Article summary

Overview

This glossary consists of definitions of important and commonly used terms in ThreatConnect®.

A

Accounts Administrator - Accounts Administrator is a System role that provides you with read-only access at the System and Organization levels. Users with this role can create and modify, but not delete, Organizations, and can add Organizations to Communities and Sources.

Active Cases - Active Cases is a Cases Metric dashboard card that provides a graphical representation of the total number of active Workflow Cases (i.e., Cases with a status of Open) assigned to each user or user group.

Active Mode - Active Mode is used when a Playbook has been completely designed and configured with no validation issues. When Playbooks are active, they are available for execution in an Organization. Playbooks may not be edited in Active Mode. However, you can view Trigger and App parameters in Active Mode by double-clicking on the element.

Address Indicator - The Address Indicator represents a valid IP Address, either IPv4 or IPv6 (e.g., 192.168.0.1).

Administrator - Administrator is a System role that provides you with full access to all System and Organization settings within a ThreatConnect instance. This role, also known as the System Administrator, is typically used for administration purposes, but can perform most other functions, such as creating Indicators and Groups, viewing and adding Dashboards, and adding and running Playbooks.

Adversary Group - The Adversary Group represents a malicious actor or group of actors. An Adversary can be tracked by its assets (e.g., websites, email addresses, hacker handles) to allow for monitoring of activity.

AI Insights - The AI Insights card, available on the Overview tab of the new Details screen for Report Groups in the CAL Automated Threat Library (ATL) Source, displays an artificial intelligence–generated summary of the Group being viewed.

Alias - An alias is another name that a vendor may use for a Group. When scanning online resources for Groups with ThreatConnect Intelligence Anywhere, aliases for Groups found during the scan are displayed on the Groups tab of the Scan Results window . If viewing the Details screen for a Group for which known alias information exists in CAL, you can view these aliases using the CAL Aliases button displayed on the Groups card of the Associations tab; on the legacy Details screen, this button is displayed on the Associated Groups section of the Associations card while the card is in table view. Additionally, you can view alias information for a Group that exists in CAL via the CAL Alias Information option when using Threat Graph.

Analysis Layer - An analysis layer represents a Group object added to an ATT&CK® view in the ATT&CK Visualizer. Adding a Group as an analysis layer to an ATT&CK view allows you to see the MITRE ATT&CK® Enterprise tactics, techniques, and sub-techniques used by the Group.

Analyst Workload - Analyst Workload is a Cases Metric dashboard card that provides a graphical representation of the total current Case workload of individual users and the severity of those Cases.

Api User - Api User is a system role that grants API users access to all ThreatConnect v2 and v3 API endpoints except the TC Exchange™ administration endpoints on the v3 API.

App Builder - The App Builder is a Python development environment that allows you to create, edit, and release Playbook apps directly in ThreatConnect.

App Developer - App Developer is an Organization role that allows licensed user accounts to build apps in an Organization.

Approximate Match - The Approximate Match ATT&CK Tag conversion rule converts standard Tags that start with the letter “T” followed by a set of digits that map to a MITRE ATT&CK technique/sub-technique ID (e.g., T1055, T1055.001) to the corresponding ATT&CK Tag.

Artifact - An Artifact in Workflow is any piece of data not captured in a Note that provides information relevant to a Workflow Case that may be useful to an analyst. Potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types. Examples of Artifacts include domains, email addresses, log files, emails, PCAP files, screenshots, SIEM event files, and malware documents.

ASN Indicator - The ASN (Autonomous System Number) Indicator represents a number that uniquely identifies each network on the Internet (e.g., 204288).

Asset - An Asset is an account or web resource that an Adversary leverages in support of its operations, such as handles (aliases), phone numbers, and website URLs. Assets can be added to an Adversary in ThreatConnect.

Association - An association is the mechanism through which ThreatConnect models a relationship between two objects. Associating data empowers an analyst to pivot to related objects and further investigate their relationships to the primary object. In ThreatConnect, you can associate Groups to Intelligence Requirements (IRs), Indicators, Victim Assets, and other Groups; associate Indicators to IRs, Groups, Victim Assets, and, using custom associations, other Indicators; and associate IRs to Indicators, Groups, and Victim Assets. In addition, you can associate Groups, Indicators, and IRs to Workflow Cases and their Artifacts.

Association Attribute - An Association Attribute for an object is an Attribute that belongs to a Group associated to the object, provided that the Attribute Type has been configured as an association Attribute Type by an Organization Administrator or Director in a Community or Source.

ATT&CK Tag - An ATT&CK Tag is a system-generated Tag that represents a technique or sub-technique in the MITRE ATT&CK Enterprise Matrix. ATT&CK Tags are tied directly to the ATT&CK Visualizer in ThreatConnect, as they must be applied to a Group to view the Group’s techniques and sub-techniques when using the ATT&CK Visualizer while the Group is added as an analysis layer. In addition to Groups, you may also apply ATT&CK Tags to Indicators, Victims, and Workflow Cases.

ATT&CK Tag Conversion Rule - An ATT&CK Tag conversion rule allows System Administrators to convert standard Tags in a specific owner into ATT&CK Tags based on whether the Tags exactly or approximately match a technique or sub-technique in the MITRE ATT&CK Enterprise Matrix. See “Exact Match” and “Approximate Match” for more information.

ATT&CK View - An ATT&CK view is the mechanism through which you can visualize all or a subset of tactics, techniques, and sub-techniques in the MITRE ATT&CK Enterprise Matrix when using the ATT&CK Visualizer. Currently, there are two types of ATT&CK views: imported ATT&CK views and standard ATT&CK views. See “Imported ATT&CK View” and “Standard ATT&CK View” for more information.

ATT&CK Visualizer - The ATT&CK Visualizer in ThreatConnect allows you to create standard ATT&CK views that show tactics, techniques, and sub-techniques in the MITRE ATT&CK Enterprise Matrix used by one or more ThreatConnect Group objects. You can also import ATT&CK views created in the MITRE ATT&CK Navigator into the ATT&CK Visualizer. Organization Administrators can leverage the ATT&CK Visualizer to assign security coverage to specific techniques and sub-techniques for their Organization so that they may evaluate the strengths and weaknesses of those techniques, identify gaps in security coverage, and enhance defense strategies with precision.

Attack Pattern Group - The Attack Pattern Group represents a type of tactics, techniques, and procedures (TTP) that describes ways that adversaries attempt to compromise targets.

Attribute - An Attribute is a key/value data set that can be added to a Group, Indicator, Victim, or Workflow Case. This type of metadata provides an excellent way to organize, categorize, and integrate the objects into an Organization’s analytic workflow. Attributes and their accepted values are managed on the Attribute Types and Attribute Validation Rules tabs, respectively, of the System Settings screen (for System-level Attributes), Organization Config screen (for Organization-level Attributes), and Community Config screen (for Community- and Source-level Attributes).

Attribute Preference - An Attribute Preference allows an Organization Administrator or Director in a Community or Source to configure an Attribute Type as a default, pinned, or association Attribute Type in an Organization or a Community or Source, respectively.

B

Banned - Banned is a Community role that provides you with no access at all to a Community.

Browse Screen - The Browse screen provides a central point from which to access and filter content in ThreatConnect. You can use the Browse screen to view objects (Intelligence Requirements, Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) for an Organization, Community, or Source.

C

CAL - CAL™ is a service that aggregates anonymized data from multiple instances of ThreatConnect and other sources. Analysts may find it useful to compare information from CAL with information that appears in their local instance of ThreatConnect.

CAL Alias - See “Alias.”

CAL Automated Threat Library (ATL) - The CAL ATL Source aggregates articles from information security blogs; parses them for IOCs, malware families, threat actors, etc.; and automatically models them in ThreatConnect.

CAL Impact Factor - A CAL impact factor is a key factor that increases or decreases an Indicator’s CAL score. When viewing an Indicator’s Details screen, the CAL impact factors that affected its CAL score, if any, are displayed on the ThreatAssess and CAL section of the Details card.

CAL Score - An Indicator’s CAL score (also known as CAL reputation score) is out of a maximum value of 1000. This score is based on several factors, including aggregated and anonymized false positive and observation data from all instances participating in CAL, an Indicator’s presence in malicious and benign data sources to which CAL has access and ingests, relationships to other known good and bad Indicators in CAL, and more.

Campaign Group - The Campaign Group represents a collection of Incidents over time.

Card - A card is a rectangular section of the screen on which information on a particular topic is organized and presented.

Case Attribute - A Case Attribute is a key/value data set that you can add to a Workflow Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.

Case Close Time - The date and time when a Workflow Case was closed.

Case Open Time - The date and time when a Workflow Case was opened.

Cases Metrics - Cases Metrics are available on dashboard Metric cards and provide a graphical representation of nine metrics for Workflow Cases: Active Cases, Analyst Workload, False Positives, Mean Time to Detection (MTTD), MTTD Average, Mean Time to Resolution (MTTR), MTTR Average, Top 10 Case Closing Analyst, and Unassigned Cases.

Central Space - A Central Space is used with an App that can be applied across ThreatConnect. They are accessed via the Spaces option on the top navigation bar.

CIDR Indicator - The CIDR (Classless Inter-Domain Routing) Indicator represents a block of network IP addresses (e.g., 10.10.1.16/32).

Classifier - A series of labels representing predefined categorizations derived from CAL’s classification analytics. Classifiers behave like Tags in ThreatConnect, except that they are applied by CAL using the totality of its data set and statistical models.

Commenter - Commenter is a Community role that allows you to view existing data and create and reply to posts in a Community.

Community - A Community is a tightly administered group of ThreatConnect owners. A Community may have Organizations or individuals as members. Members can contribute intelligence to the Community, vote on Indicator ratings, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. A Community will often be formed around a common purpose, such as an industry sector, a current event, or a geopolitical region.

Community Leader - Community Leader is a System role that provides you with read-only access at the System and Organization levels. The main use case for a Community Leader is for read-only viewing of all Organizations in the System (i.e., on the ThreatConnect instance) in order to make informed requests to System Administrators (e.g., request changes to the System configuration or request creation of new Communities and Sources).

Community Role - A user’s Community role is their owner role within a Community or Source. See “Owner Role” for more information.

Component - See "Playbook Components."

Confidence Rating - The Confidence Rating identifies how confident you are in your Threat Rating. It is measured on a scale of 0–100%—the higher the rating, the higher the confidence.

Content Block - A content block in a report template contains predefined visual and text-based elements that are populated automatically in reports created from the template. If a report template contains a content block section, users do not need to configure the section in reports created from the template, as it will have already been configured in the template.

Content Pack - A Content Pack includes a set of Apps, Artifact types, Attribute Types, Playbooks, and Workflows that makes implementing popular ThreatConnect use cases quicker and easier. System Administrators can install Content Packs published to the TC Exchange catalog, as well as those for which they have a corresponding .tcxp file.

Contextually Aware Space - A Contextually Aware Space is an analytic pane that runs and displays multiple Apps for use with a particular Indicator or Group in a single, convenient place. They are a powerful enrichment tool tailored to automate and improve the way you work with specific Indicator or Group types and provide a way to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.

Contribute - Contribute is the action of adding a copy of a Group in an Organization to a Community or Source. The functionality is found on the Sharing tab of the legacy Details screen for a Group object.

Contributor - Contributor is a Community role that allows you to view existing data, create and reply to posts, and create Indicators, Groups, and Tags in a Community.

Course of Action Group - The Course of Action Group represents a recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.

Create - A quick way to add data into ThreatConnect is to use the Create option on the top navigation bar to create a single Indicator, Group, Track, or Victim.

Cross-Owner Association - A cross-owner association is an association between a Case, Group, or Indicator in your Organization and a Group or Indicator that exist in a Community or Source to which you have access. Super Users have the ability to create these associations between objects in the Organizations on their instance and between those in the Communities and Sources to which they have access.

Custom Indicator - For users with a Dedicated Cloud or On-Premise subscription, ThreatConnect can be extended to create custom Indicator types to support different use cases. Custom Indicators are treated in the same manner as built-in Indicator types, such as URL and File, and they can be associated with Groups, such as Threats, Incidents, and Emails, as well as with other Indicators via the custom Associations functionality. See ThreatConnect System Administration Guide for more information about using custom Indicators.

Custom View - The Custom View tab, available on the new Details screen for Indicators and Groups, enables you to select the cards you want to see and arrange them on the tab in the way that works best for you. Each ThreatConnect user can configure two Custom View tabs for their user profile: one for all Groups in all of their owners, and one for all Indicators in all of their owners.

D

Dashboard - The Dashboard is the first screen displayed after you log into ThreatConnect. It is your control center for ThreatConnect, providing a variety of data and metrics, such as recent activity, active Incidents, open Tasks, Indicator trends, and query results. Each type of information is presented on a card whose location, format, colors, and type of graphic can be set according to your or an administrator’s preferences. 

DataStore - The DataStore is a feature that allows runtime and Playbook Apps to persist data using OpenSearch®. The DataStore is available to any Job, Spaces, or Playbook App requiring persistent storage.

Description Attribute - The Description Attribute, found on every Indicator, Group, Tag, Track, Victim, and Victim Asset in ThreatConnect, is a space for an analyst to provide a brief, high-level explanation of the nature of the content.

Design Mode - When the Playbook Designer is in Design Mode, a Playbook is inactive and can be created and edited.

Details Drawer - The Details drawer provides a detailed overview of an Indicator, Group, Tag, Track, Victim, or Victim Asset.

Details Screen - The Details screen is the main screen where you can view information for Groups, Indicators, Intelligence Requirements, Tags, Tracks, and Victims. As of ThreatConnect version 7.0, there are two ways to view the Details screen: the new Details screen view and the legacy Details screen view.

Diamond Model - The Diamond Model represents the four core features of a cyber-attack: Adversary, Capabilities, Infrastructure, and Victim. Each core feature is represented as a vertex on the Diamond and are linked via edges to illustrate their relationship to one another.

Director - Director is a Community role that allows you to view, create, and delete data (i.e., posts and threat intelligence), edit threat intelligence, and administrate members in a Community.

Doc Analysis Import - A Doc Analysis Import allows you to import Indicators, Groups, or both from a block of text or an unstructured document parsed by CAL.

Document Group - The Document Group represents an actual file of interest, such as a PDF report that contains valuable intelligence or a malware sample. Documents can have their contents indexed for future searching.

E

Editor - Editor is a Community role that allows you to view, create, and delete data (i.e., posts and threat intelligence), as well as edit threat intelligence, in a Community.

Email Group - The Email Group represents an occurrence of a specific suspicious email, such as a phishing attempt.

Email Address Indicator - The Email Address Indicator represents a valid email address (e.g., badguy@bad.com).

Email Subject Indicator - The Email Subject Indicator represents the subject line of an email.

Email Import - An Email Import allows you to import a malicious or suspicious email into ThreatConnect as an Email Group.

Enrichment - The Enrichment tab of an Indicator’s Details screen displays a card for each built-in enrichment service enabled for the Indicator’s type that includes a summary of data retrieved from the enrichment service. Each enrichment service card also provides the ability to view detailed enrichment information for the Indicator and retrieve the most up-to-date information from the enrichment service manually. Depending on the enrichment service, you may also be able to import enrichment data into ThreatConnect.

Enrichment Service - ThreatConnect includes built-in enrichment services from which you can retrieve data to enrich Indicators. The following third-party enrichment services are currently available in ThreatConnect:

  • DomainTools®
  • Farsight Security®
  • RiskIQ®
  • Shodan®
  • urlscan.io
  • VirusTotal™

Event Group - The Event Group is an observable occurrence of notable activity in an information system or network that may indicate a security incident. For example, an Event might be created from a SIEM alert that needs to be triaged and investigated.

Exact Match - The Exact Match ATT&CK Tag conversion rule converts standard Tags that have the same name as a MITRE ATT&CK technique/sub-technique or the same combination of technique/sub-technique ID and name to the corresponding ATT&CK Tag.

Exchange Admin - Exchange Admin is a system role that grants API users access to all ThreatConnect v2 and v3 API endpoints, including the TC Exchange administration endpoints on the v3 API.

Execute - The act of running a Playbook. The results of a Playbook execution can be viewed in the Executions pane of the Playbook Designer while the Playbook is open, and full details of an execution can be viewed by clicking on it in the Executions pane to open its Execution screen .

Explore In Graph - See “Threat Graph.”

F

False Positive - A false positive is an Indicator that has been erroneously classified as malicious. ThreatConnect allows you to report false positives, although this feature is limited to one report per day per Indicator per user. As such, different users may report the same Indicator once on the same day.

False Positives - False Positives is a Cases Metric dashboard card that provides a graphical representation of the percentage of Workflow Cases that had their status set to Closed and resolution set to False Positive over a period of time.

Feed Deployer - System Administrators can use the Feed Deployer to create Sources, which then run associated jobs in an Organization.

Feed Explorer - The Feed Explorer presents all open-source feeds available to an instance of ThreatConnect in a table with associated metric data derived from information gathered from CAL. The Feed Explorer also provides a report card for each feed, showing how the feed’s metrics compare with aggregated metrics from the other feeds.

File Indicator - The File Indicator represents a unique file hash or series of hashes (e.g., MD5, SHA-1, and SHA-256).

G

Graph Screen - Selecting Graph on the top navigation bar will display the Graph screen , where you can view all graphs saved to your ThreatConnect user account. See “Threat Graph” for more information.

Group - A Group is a collection of related behavior and intelligence. Groups are currently classified in one of 17 categories: Adversary, Attack Pattern, Campaign, Course of Action, Document, Email, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Task, Threat, Tool, and Vulnerability.

Group Alias - See “Alias.”

Group Template - A Group template is a report template from which you can create a report for a Group. See “Report Template” for more information.

H

Hashtag Indicator - The Hashtag Indicator represents a hashtag term as used in social media.

Host Indicator - The Host Indicator represents a valid hostname, which is also referred to as a domain (e.g., bad.com).

I

Import - The Import feature allows you to quickly import data, such as Email, Indicators, and Signatures, into ThreatConnect. You can perform five types of imports: Email, Doc Analysis, Structured Indicator, Unstructured Indicator, and Signature.

Imported ATT&CK View - An imported ATT&CK view in the ATT&CK Visualizer is created from an imported JSON file for an ATT&CK view built in the MITRE ATT&CK Navigator. This type of ATT&CK view allows you to visualize the color scheme and scores used when Enterprise techniques and sub-techniques were annotated in the MITRE ATT&CK Navigator (Imported Color Assignments), the prevalence of annotated techniques and sub-techniques (Imported Score Prevalence), and security coverage assigned to those items by your Organization Administrator (Security Coverage).

Imported Color Assignments - The Imported Color Assignments view option in the ATT&CK Visualizer allows you to visualize the same color selections and scores for techniques and sub-techniques that were annotated when an imported ATT&CK view was built in the MITRE ATT&CK Navigator.

Imported Score Prevalence - The Imported Score Prevalence view option in the ATT&CK Visualizer allows you to generate a color-coded heat map that displays the score range corresponding to techniques and sub-techniques that were annotated and assigned scores when an imported ATT&CK view was built in the MITRE ATT&CK Navigator.

Incident Group - The Incident Group represents a snapshot of a particular intrusion, breach, or other event of interest.

Indicator - An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on ThreatConnect’s Diamond Model. Indicators are guaranteed to be unique within an Owner. Indicators currently are classified in one of 12 categories: Address, E-mail Address, File, Host, URL, ASN, CIDR, Email Subject, Hashtag, Mutex, Registry Key, and User Agent.

Indicator Exclusion List - An Indicator Exclusion List is created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization.

Indicator Status - Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active (i.e., an Indicator of Compromise (IOC) at the current time) or inactive (i.e., an Indicator that is not an IOC at the current time, but is being kept in ThreatConnect for historical accuracy) and whether the status was set by ThreatConnect (i.e., any user in the ThreatConnect instance) or by CAL.

Intelligence - Intelligence products and/or organizations and activities that incorporate all sources of information, most frequently including human resources intelligence, imagery intelligence, measurement and signature intelligence, signals intelligence, and open-source data in the production of finished intelligence. [1]

Intelligence Anywhere - See "ThreatConnect Intelligence Anywhere."

Intelligence Requirement (IR) - An Intelligence Requirement (IR) is a ThreatConnect object type that models a collection of topics or a research question reflecting an organization’s cyber threat–related priorities that guides a security or threat intelligence team’s research and analysis efforts.

Intelligence Requirement Category - An Intelligence Requirement (IR) category provides a method for organizing IRs. For example, you can use categories to organize IRs based on different stakeholder groups (e.g., SecOps, HR, Finance) or threat actor types (e.g., Nation State, Hacktivist). After a System Administrator creates an IR category, it can be assigned to an IR object when creating or updating it.

Intelligence Requirement Keyword - An Intelligence Requirement (IR) keyword is a topic or word used in a keyword query for an IR.

Intelligence Requirement Keyword Query - An Intelligence Requirement (IR) keyword query is a logic-based query that identifies Artifacts, Cases, Groups, Indicators, Tags, and Victims that are likely related to an IR object. Each keyword query defines the keywords that objects must include and exclude to be returned as results for an IR.

Intelligence Requirement Result - An Intelligence Requirement (IR) result corresponds to an Artifact, Case, Group, Indicator, Tag, or Victim that an IR keyword query returned as a match. IR results are categorized as one of the following types:

  • Local - The result corresponds to an object in your Organization or one of your Communities or Sources.
  • Global - The result corresponds to an object in the ThreatConnect Global Intelligence Dataset.

Intelligence Requirement Subtype - An Intelligence Requirement (IR) subtype indicates the area of focus for an IR object. You must assign a subtype to an IR when creating it, and you can update the subtype for existing IRs. Available IR subtypes include the following:

  • Intelligence Requirement (IR) - This subtype corresponds to threats of overall concern to an organization (e.g., cyber threats, fraud, geopolitical/physical threats).
  • Priority Intelligence Requirement (PIR) - This subtype corresponds to threat actor motives; tactics, techniques, and procedures (TTPs); targets; impacts; or attributions in association with IRs.
  • Specific Intelligence Requirement (SIR) - This subtype corresponds to facts associated with threat activity, such as indicators of compromise (IOCs).
  • Request for Information (RFI) - This subtype corresponds to one-off requests for information related to topics of interest to particular stakeholders.
  • Research Requirement (RR) - This subtype corresponds to a topic or area of investigation that is of interest to an individual or group and does not merit a full IR, but does require tracking of relevant information.

Intelligence Source - An Intelligence Source is a type of data owner in ThreatConnect, containing data from an open-source or premium-feed Source that an Organization is following.

Interactive Mode - When the Playbook Designer is in Interactive Mode, you may interactively test an app in-line and collaborate with other users on the Playbook.

Intrusion Set Group - The Intrusion Set Group is a set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Adversary. New activity can be attributed to an Intrusion Set even if the Adversaries behind the attack are not known. Adversaries can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.

Investigation Links - The Investigation Links card on the Details screen provides links to search results of various third-party lookup and other information services.

J

Job Server - See “Playbook Server.”

M

Main Tag - A main Tag is a Tag that synonymous Tags are converted to based on a Tag normalization rule configured by a System Administrator.

Malware Group - The Malware Group is a type of TTP that represents malicious code.

Malware Vault - The Malware Vault allows for the safe storage of malware or suspicious files for analysis. Malware uploaded to the Malware Vault must be zipped and password protected.

Menu Space - A Menu Space is a shortcut to a Spaces App and is listed under Spaces on the top navigation bar.

Metric Card - A Metric card is a dashboard card that can be configured to display System Metrics, User Metrics, Cases Metrics, or Playbooks Metrics.

MTTD - Mean Time to Detection (MTTD) is a Cases Metric dashboard card that provides a graphical representation of the average amount of time it took to detect a security issue or event, which is measured by calculating the average amount of time between the Time of Occurrence and Time of Detection for Workflow Cases.

MTTD Average - Mean Time to Detection (MTTD) Average is a Cases Metric dashboard card that provides a comparative numerical representation of MTTD over a period of days, weeks, or months and highlights the percentage increase of MTTD during that period of time.

MTTR - Mean Time to Resolution (MTTR) is a Cases Metric dashboard card that provides a graphical representation of the average amount of time it took to resolve a Workflow Case, which is measured by calculating the average amount of time between the Open Time and Close Time for Cases, over a specified period of time broken down by days, weeks, or months.

MTTR Average - Mean Time to Resolution (MTTR) Average is a Cases Metric dashboard card that provides a comparative numerical representation of MTTR over a period of days, weeks, or months and highlights the percentage increase of MTTR during that period of time.

Mutex Indicator - The Mutex Indicator is a synchronization primitive that can be used to identify malware files and relate malware families (e.g., \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex).

N

Note - A Note in Workflow is freeform information entered by a user (e.g., in a Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format.

Notifications - ThreatConnect allows you to receive push-notification and email updates on changes to Indicators, Groups, Tasks, Tags, Victims, and other items that you want to track.

Notifications Center - The Notifications Center displays push-notification alerts on changes to Indicators, Groups, Tasks, Tags, Victims, and other items users want to track.

O

Observation - An observation is a count of the number of times an Indicator has been reported by a bidirectional integration with ThreatConnect. They allow users to correlate external intelligence with internal intelligence.

Operations Administrator - Operations Administrator is a System role that provides you with read-only access at the System level and full permissions at the Organization level. Operation Administrators can make administrative changes to Organizations, such as creating, deleting, and updating accounts, and can add, modify, and remove Communities and Sources.

Organization (Org) - An Organization, often referred to as an Org, is one of the three owner types in ThreatConnect. It represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.

Organization Administrator - Organization Administrator is an Organization role that allows licensed user accounts to administer and configure all Organization data and members.

Organization Role - A user’s Organization role in ThreatConnect is their owner role within an Organization. See “Owner Role” for more information.

Overall Threat Rating - For an Organization, Overall Threat Rating is the latest assertion of an Indicator's Threat Rating by any member of the Organization, including via the API. For a Community, Overall Threat Rating is the average of all of the Threat Ratings for the Indicator across the Community, based on the latest assertion per Organization across the Community membership. For a Source, Overall Threat Rating is typically the rating for the Indicator that was set upon the Indicator's import.

Owner - Every piece of data in ThreatConnect has an owner. Owners have full control over the data they own, and they fall under one of three categories: Organization, Community, Source.

Owner Role - A user’s Owner role in ThreatConnect determines the permissions that they have within that Organization, Community, or Source. These permissions cover Organization or Community/Source administration, threat intelligence objects within the owner, and, for Organizations only, Case management (i.e., Workflow) and Playbooks.

P

Pathways - The various routes between Triggers, Apps, and Operators that a Playbook execution can take.

Phase - A Phase in Workflow is a logical grouping of Tasks.

Pivot - Pivoting is an analytic transition in which you move from one entity—Indicators and Groups in the ThreatConnect Data Model, as well as Tags and Attributes—to an associated entity in accordance with the methodology defined by the Diamond Model. Through the process of pivoting, you can, in a contiguous manner, explore relationships, and find correlations between entities.

Placeholder Block - A placeholder block in a report template acts as a prompt that indicates where users should add specific information and elements to reports created from the template. If a report template contains a placeholder block section, users must configure the section manually in reports created from the template.

Playbook - The Playbooks feature allows you to automate cyberdefense tasks via a drag-and-drop interface. The interface uses Triggers (e.g., a new IP address Indicator, a phishing email sent to an inbox) to pass data to Apps, which perform a variety of functions, including data enrichment, malware analysis, and blocking actions. Once enabled, Playbooks run in real time and provide you with detailed logs of each run.

Playbook Activity - The Playbooks Activity screen is a control panel on which Organization Administrators can monitor Playbook Server and Worker execution metrics, priorities, and processes for their Organization or instance. From this screen, current, present, and past Worker activity and allocation to Servers can be viewed and Playbook executions can be killed.

Playbook App - A Playbook App is a tool that is used to act on data provided by a Trigger or another App within a Playbook. Currently, there are 15 App categories:

  • Collaboration & Messaging - Collaboration & Messaging Apps send a customizable message via a client (e.g., email, meeting invitation, SMS).
  • Component - Components are Apps that consist of modules of Playbook elements (Apps and Operators, with a single initial Trigger) that can be called from a Playbook.
  • Data Enrichment - Data Enrichment Apps automate the enrichment of Indicators through ThreatConnect or third-party enrichment tools.
  • Email Security - Email Security Apps automate email investigation and response actions based on senders, attachments, and folders.
  • Endpoint Detection & Response - Endpoint Detection & Response Apps add, update, and remove Indicators from alerting and blocking lists on endpoint security tools.
  • Identity & Access Management - Identity & Access Management Apps retrieve user information and update, activate, and block users.
  • Incident Response & Ticketing - Incident Response & Ticketing Apps create a ticket, record, or issue for the Trigger in a third-party system such as Jira™, ServiceNow®, or IBM Resilient Incident Response Platform® (Resilient).
  • IT Infrastructure: IT Infrastructure Apps investigate storage solutions and other infrastructures, such as Amazon Simple Storage Service (Amazon S3™) or Apache Kafka®, to identify Indicators and security alerts.
  • Malware Analysis - Malware Analysis Apps analyze a file artifact for maliciousness and automate actions to be taken on the resulting report data.  
  • Network Security - Network Security Apps add, update, and remove Indicators from alerting and blocking lists on network tools.
  • SIEM & Analytics - SIEM & Analytics Apps add, update, and remove Indicators from alerting and blocking lists on SIEM tools.
  • Threat Intelligence - Threat Intelligence Apps integrate with third-party products that typically use data in ThreatConnect. These integrations bring timely and relevant information into ThreatConnect so that users can make informed decisions.
  • ThreatConnect - ThreatConnect Apps perform a task in ThreatConnect.
  • Utility - Utility Apps perform data utility functions, like formatting dates, filtering regexes, and extracting data from a file of a given type (CSV, JSON, EML/MSG, RSS, or XPath).
  • Vulnerability Management - Vulnerability Management Apps search for, retrieve, and prioritize vulnerabilities.

Playbook Component - A Playbook Component is an App that consists of modules of Playbook elements (Apps and Operators, with a single initial Trigger) that can be called from a Playbook in ThreatConnect. They make Playbook design more convenient when a group of elements is used repeatedly by allowing the elements to be packaged together and called as a single element.

Playbook Designer - The Playbook Designer is the configuration screen that appears after creating or opening a Playbook. It is the screen where you build and activate a Playbook, create and operate Run Profiles, access a Playbook’s version history, create global variables, view execution details and logs, and access administrative functions and settings for the Playbook.

Playbook Environment - The Playbooks Environments screen provides information to Organization Administrators, Operations Administrators, and System Administrators on the Environments available to their ThreatConnect instance and allows them to administrate the Environments from within their instance.

Playbook Operator - A Playbook Operator is a logic-based link between Triggers and Apps.

Playbook ROI - The Playbooks Return on Investment (ROI) feature allows you to view and visualize the return on investment for the Playbooks executed in your Organization—that is, how much money and time each execution of a given Playbook has saved you (versus doing all of the tasks in the Playbook manually, without orchestration) over various periods of time.

Playbook Server - A Playbook Server, also known as a Job Server, is a ThreatConnect instance that is dedicated to the execution of Playbooks.

Playbook Service - A Playbook Service App is a microservice that constantly runs in the background. Currently, there are two types of Services available in ThreatConnect:

  • Custom Trigger Service - This type of Trigger creates Push-type events to handle a custom protocol or raw-port access or that Pull on a configured interval.
  • Webhook Trigger Service - This type of Trigger creates Push-type events that have complex data requiring normalization, filtering, or a better UX. This Trigger Service is essentially a custom WebHook Trigger.

Playbook Template - A Playbook Template is a System-level Playbook that may be imported into and used in an Organization. ThreatConnect provides a set of Playbook Templates that System Administrators may install on their ThreatConnect instance via TC Exchange. System, Operations, and Accounts Administrators may also install Playbook Templates on their ThreatConnect instance using a Playbook file (.pbx). 

Playbook Trigger - A Playbook Trigger is an event that initiates the actions defined within a Playbook. In order to be activated, a Playbook must have one, and only one, Trigger. Currently, there are five Trigger categories:

  • External Triggers - External Triggers are actions that occur outside of the ThreatConnect platform. Currently, there are five External Trigger types:
    • WebHook Trigger - The WebHook Trigger is an External Trigger that creates an HTTPS endpoint that can process nearly any piece of information that can be sent via HTTP.
    • Mailbox Trigger - The Mailbox Trigger is an External Trigger that lets you create a mailbox to send information to a Playbook.
    • Timer Trigger - The Timer Trigger is an External Trigger that allows you to initiate execution of a Playbook on a set schedule (e.g., once a day; on the 15th of the month).
    • UserAction Trigger - The UserAction Trigger is an External Trigger that allows you to run Playbooks on demand from the Details screen of Groups, Indicators, Intelligence Requirements, Tracks, or Victims. You can also run UserAction Trigger–based Playbooks for Indicators while using Threat Graph. This Trigger is contextually aware and user driven, and it allows a customized response (HTML or plain text).
    • Custom Trigger - See “Playbook Services.”
  • Group Triggers - Group Triggers correspond to all of the defined Groups on your ThreatConnect instance.
  • Indicator Triggers - Indicator Triggers correspond to all of the defined Indicators on your ThreatConnect instance.
  • Other Triggers - Other Triggers correspond to the Case, Intelligence Requirement, Track, and Victim objects.
  • Service Triggers - Service Triggers are microservices that constantly run in the background.

Playbook Worker - A Playbook Worker is an embedded process in a Playbook Server responsible for executing orchestration logic in a queue. A Worker can execute only one Playbook at a time, and multiple Workers can exist inside a Playbook Server.

Playbooks Metrics - Playbooks Metrics are available on dashboard Metric cards and provide a graphical representation of three metrics calculated by the Playbooks Return on Investment (ROI) feature for all selected Playbooks: Playbook Execution Count, Playbook Financial Savings, and Playbook Hours Saved.

Post - A post is a comment in your Organization or one of your Communities or Sources. When creating a post, you may link it to Indicators, Groups, Tags, Tracks, and Victims that belong to one of your owners.

Posts Screen - The Posts screen displays posts (i.e., comments) that were added to Indicators, Groups, Tags, Tracks, and Victims across your Organization, Communities, and Sources. If an owner has been selected, there will also be an Add New Comment text box that will allow for commenting directly into that owner.

Potential Association - A potential association is an association to a specific Artifact, Case, Group, or Indicator that is suggested for the object you are working with in ThreatConnect. Potential associations can be based on Artifacts that share the same summary and type as Indicators on your ThreatConnect instance, second-degree associations to objects on your ThreatConnect instance, or both. For Cases, potential associations to other Cases are based on both Cases containing an Artifact with the same summary and type.

Private Indicator - An Indicator marked as private will not be sent to CAL for aggregation, and CAL data retrieval and CAL pivoting in Threat Graph will be disabled for the Indicator.

Q

Query Card - A Query card is a dashboard card that displays the results of a saved TQL query.

R

Read Only Commenter - Read Only Commenter is an Organization role that allows you to view and comment on existing data in an Organization, as well as create posts and add Notes to Workflow Cases.

Read Only User - Read Only User is an Organization role that allows you to view existing data in the Organization(s) to which you belong.

Registry Key Indicator - The Registry Key Indicator represents a node in a hierarchical database that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\MyApp).

Report - A report is a customized document that may contain details about Groups or Cases; summaries of Attributes added to a Group or Case; tables displaying objects associated to a Group or Case; visual elements, such as saved Group or Case graphs from Threat Graph and images; query-based charts and tables, metric charts, and pre-configured tables; text blocks that support rich text formatting, code blocks, and inline images; and page layout elements. You can save a report for later viewing, export it as a PDF or HTML file, and create a Report Group that includes the report as a file attachment.

Report Editor - The Report Editor is the screen where you can add content to a report and customize its layout. You can access the Report Editor by clicking the + Create Custom Report button while viewing a Group or Case or on the Reporting screen.

Report Group - The Report Group is a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. It is used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. PDF and HTML files uploaded to a Report Group are viewable directly on the Report File card on the Overview tab of the Group's Details screen.

Report Template - A report template allows you to define a standard format users can follow when they create reports in ThreatConnect. When building a report template, you can add content blocks with preconfigured text or visual elements, such as charts, images, tables, and saved graphs from Threat Graph, or placeholder sections that users can fill in after they create a report from the template. Once you customize and save a report template, users in your Organization can use it when creating a report for a Group from the Group’s Details screen.

Reporting - The Reporting screen displays all reports you and other users in your Organization have saved and provides the ability to create a generic report (i.e., a report that is not for a specific Group or Case).

ROI Metrics - Metrics on Playbook Return on Investment (ROI) are available on dashboard Metric cards.

S

SAML - Security Assertion Markup Language™ (SAML™, pronounced SAM-el) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

Search Drawer - The Search drawer in ThreatConnect uses a combination of direct and indirect search algorithms to find data based on a given input. Search results also provide information of analytic value, including exact and potential matches in your ThreatConnect instance and the ability to identify, create, and explore new Indicators.

Security Coverage - Within the ATT&CK Visualizer, Organization Administrators can assign security coverage to specific techniques and sub-techniques in the MITRE ATT&CK Enterprise Matrix for their Organization. Doing so enables your team to evaluate the strengths and weaknesses of specific techniques, identify gaps in security coverage, and enhance defense strategies with precision. In addition, other users in the Organization can overlay the security coverage map onto any ATT&CK view with the Security Coverage view option, allowing them to identify which techniques are covered and which ones may need attention.

Security Label - Security Labels provide a means to designate information stored within ThreatConnect as sensitive. When sharing data with partners, or when copying data to and from Communities, Security Labels provide control over what is shared and allow the sharer to redact information based on Security Labels that are applicable to Indicators, Groups, and Victims, as well as Attributes added to those object types.

Sharing User - Sharing User is an Organization role that allows licensed user accounts to view, create, delete, and share data in an Organization.

Signature Group - The Signature Group represents an actual Signature that can be used for detection or prevention. ThreatConnect supports the following Signature formats: Bro, ClamAV®, CybOX™, Iris® Search Hash, Microsoft® Kusto Query Language (KQL), OpenIOC, Regex, Splunk® Search Processing Language (SPL), Sigma, Snort®, STIX™ Pattern, Suricata, TQL Query, and YARA).

Signature Import - A Signature Import allows users to import and manage the following popular Signature formats: Bro, ClamAV, CybOX, Iris Search Hash, Microsoft KQL, OpenIOC, Regex, Splunk Search Processing Language (SPL), Sigma, Snort, STIX Pattern, Suricata, TQL Query, and YARA.

Skulls - Skulls are used to represent the scale on which Threat Rating is measured, where 0 skulls is the lowest Threat Rating and 5 skulls is the highest. Sometimes, the word "skulls" is omitted. For example, "a Threat Rating of 5" is equivalent to "a Threat Rating of 5 skulls."

Source - A Source is a one-way feed of information. Like Communities, Sources may have Individuals or Organizations as members. Unlike Communities, Sources are not meant to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any write access within a Source. Oftentimes, a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.

Space - A Space creates an analytic pane that can run and display up to four apps in a single, convenient place. They are a great way to extend the capabilities of the user interface and to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.

Standard ATT&CK View - A standard ATT&CK view in the ATT&CK Visualizer allows you to see all tactics, techniques, and sub-techniques in the MITRE ATT&CK Enterprise Matrix and those used by one or more Group objects added to the view. This type of ATT&CK view also allows you to reveal shared techniques and sub-techniques among all Groups added to the view (Threat Group Comparison), generate a color-coded heat map that displays the prevalence of each of those techniques (Technique Prevalence), and view security coverage assigned to those items by your Organization Administrator (Security Coverage).

Standard Tag - A standard Tag is any Tag that is not an ATT&CK Tag.

Structured Import - A Structured Import allows you to import Indicators from a comma-separated values (CSV) file. Structured Imports work with any Indicator, including custom Indicators, that takes a single value and is marked as parsable.

Subscriber - Subscriber is a Community role that provides you with read-only access to published data from a Community.

Super User - Super User is a System role that enables users on multitenant instances to easily view and manage all of their customers’ data from a single user account. Super Users do not have any access or permissions at the System level, but do have full data-level, administrative, and configuration permission at the Organization level for all Organizations on the ThreatConnect instance.

Synonymous Tag - A synonymous Tag is a Tag that will be converted to a main Tag based on a Tag normalization rule configured by a System Administrator. Only standard Tags may be defined as synonymous Tags in a Tag normalization rule.

System Administrator - See “Administrator.”

System Metrics - System Metrics are available on dashboard Metric cards and consist of metrics related to Activities, Indicators, and Intelligence.

System Role - A user’s System role in ThreatConnect determines the System-level permissions that they have on their instance of ThreatConnect. These permissions cover access and functionalities on each of the following screens: System Settings, Account Settings, TC Exchange™ Settings, Organization Settings, and Organization Config.

T

Tactic Group - The Tactic Group represents an action or strategy carefully planned to achieve a specific end.

Tag - A Tag is a data object that can be applied to Intelligence Requirements, Indicators, Groups, Victims, and Workflow Cases. They create associations between the data to which they are applied, as well as a path from one intelligence item to another. Currently, there are two types of Tags you can apply to objects: standard Tags and ATT&CK Tags.

Tag Normalization - Tag normalization is the process of converting one or more synonymous Tags to a main Tag based on a Tag normalization rule configured by a System Administrator.

Tag Normalization Rule - A Tag normalization rule is the mechanism used to perform Tag normalization in ThreatConnect. When a Tag normalization rule is enabled, existing Tags in all owners on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag at that time, and new Tags created on the ThreatConnect instance that match one of the rule’s synonymous Tags are converted to the main Tag whenever they are applied to Intelligence Requirements, Indicators, Groups, Victims, and Workflow Cases.

Task Group - The Task Group represents an assignment given to a ThreatConnect user. See “Workflow Task” for the definition of a Task within Workflow in ThreatConnect.

TC Exchange - TC Exchange is the term for ThreatConnect's catalog of resources such as integrations, Communities, training opportunities, and links to SDK and API documentation.

Technical Blogs and Reports - The Technical Blogs and Reports Source has been deprecated and replaced by the CAL Automated Threat Library (ATL). See “CAL Automated Threat Library (ATL)” for more information.

Technique Prevalence - The Technique Prevalence view option in the ATT&CK Visualizer generates a color-coded heat map that displays the prevalence of each technique and sub-technique used by the Groups added to a standard ATT&CK view.

Template Editor - The Template Editor is the screen where you can add content to a report template and customize its layout. You can access the Template Editor by clicking the + Create Group Template button on the Reporting screen.

Threat - Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. [2]

Threat Graph - Threat Graph provides a graph-based interface where you can discover, visualize, and explore Indicator, Group, Case, and Tag associations and relationships.     While viewing an object in Threat Graph, you can pivot on Indicator, Group, Case, and Tag associations in ThreatConnect, Indicator and Group relationships that exist within CAL, and third-party enrichment relationships for supported Indicator types; run active UserAction Trigger–based Playbooks for Indicators that exist in ThreatConnect; import Indicators displayed on the graph into ThreatConnect; view known alias information retrieved from CAL for supported Group types; and save and export graphs. For Indicators, Groups, and Tags, you can access Threat Graph from the Details drawer and screen; for Cases, you can access Threat Graph while viewing a Case.

Threat Group - The Threat Group represents a group of related activity, whether or not attribution is known. This relation can be based on technology (e.g., Shellshock) or pertain to a grouping of activity that is presumed to be by the same selection of actors (e.g., Bitterbug).

Threat Group Comparison - The Threat Group Comparison view option in the ATT&CK Visualizer reveals shared techniques and sub-techniques among all Groups added to a standard ATT&CK view.

Threat Score - When an email is imported into ThreatConnect, a Threat Score is computed using email-scoring rules configured by a System Administrator and assigned to the corresponding Email Group. See ThreatConnect System Administration Guide for more information on how email-scoring rules function in ThreatConnect.

ThreatAssess - ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have to a security organization.

ThreatConnect Global Intelligence Dataset - The ThreatConnect Global Intelligence Dataset, historically known as CAL, is used to retrieve keyword suggestions for Intelligence Requirements (IRs) and global results for IR keyword queries. Even if CAL is not enabled for your ThreatConnect instance, you can still leverage the ThreatConnect Global Intelligence Dataset. In this scenario, data returned from the ThreatConnect Global Intelligence Dataset will be read only, and no information stored in your instance will be shared with or collected by CAL.

ThreatConnect Intelligence Anywhere - ThreatConnect Intelligence Anywhere is a web browser extension that can scan online resources, such as static and dynamic webpages, social media platforms, email messages, and even ThreatConnect itself, for potential Indicators or Groups. When scanning an online resource for Groups, Intelligence Anywhere will leverage the natural-language processing (NLP) capabilities of CAL to search for text that is indicative of a MITRE ATT&CK technique. After completing a scan with Intelligence Anywhere, you can import potential Indicators found on the scanned resource into ThreatConnect and associate them to an existing or newly created Group.

ThreatConnect Query Language (TQL) - The advanced search filter allows you to build structured queries using a SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using a simple string search. At any time, a query can be saved and revisited later or used in custom dashboards (if enabled).

Threat Rating - The Threat Rating identifies how much of a threat an Indicator represents. It is measured on a scale of 0–5 skulls, where a higher rating represents a higher threat.

Time of Detection - The date and time when a security incident or threat was detected (e.g., by a security team).

Time of Occurrence - The date and time when a security incident or threat occurred.

Timeline - The timeline in a Workflow Case is a recording of actions performed in the Case in chronological order. Timelines enable security teams to quickly observe key events over a span of dates in a Workflow Case. They also allow users to drill down into important timeframes in the lifespan of a Workflow Case.

Timeline Event - A Timeline Event is added automatically to a Workflow Case’s timeline when an action is performed in the Case. You may also add Timeline Events to a Case manually.

Tool Group - The Tool Group represents legitimate software that can be used by threat actors to perform attacks.

Top 10 Case Closing Analyst - Top 10 Case Closing Analyst is a Cases Metric dashboard card that provides a graphical representation of the 10 analysts who closed the most Workflow Cases in the last 30 days. It also displays the total number of Cases closed in the past 30 days by each user.

TQL - See "ThreatConnect Query Language (TQL)."

Track - ThreatConnect's Reverse Whois Tracks leverage DomainTools, an external data service that interfaces with ThreatConnect to actively detect and issue alerts about new associations discovered in Whois records between Adversary assets and hosts.

U

Unassigned Cases - Unassigned Cases is a Cases Metric dashboard card that provides a graphical representation of the total number of unassigned Workflow Cases and a breakdown of the number of unassigned Cases per severity level (Low, Medium, High, and Critical).

Unstructured Import - An Unstructured Import allows you to import Indicators from input text and unstructured documents, including .txt, .pdf, .doc, .docx, .ppt, .pptx, .xls, and .xksx files.

URL Indicator - The URL Indicator represents a valid URL, including protocol (e.g., http://www.bad.com/index.php?id=1).

User (Community) - In a Community, the User role provides you with read-only access to existing data in a Community.

User (Organization) - In an Organization, the User role allows licensed user accounts to view, create, and delete data in an Organization.

User Agent Indicator - The User Agent Indicator is a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36].

User Metrics - User Metrics are custom metrics available on dashboard Metric cards. These metrics can only be created by users with an Organization role of Organization Administrator. See ThreatConnect Organization Administration Guide for more information.

V

Variable - Variables can be preconfigured and used to populate certain fields, such as the ThreatConnect API Access ID or Secret Key in Playbooks or app configurations.

Victim Asset - A Victim Asset represents an endpoint used to leverage a Victim and infiltrate a network.

Vulnerability Group - The Vulnerability Group represents a mistake in software that can be directly used by a hacker to gain access to a system or network.

W

Widget Card - A Widget card is a dashboard card that is predefined and cannot be configured, other than to adjust its size and position on the dashboard.

Workflow  - (1) The Workflow functionality in ThreatConnect enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations. Analysts and administrators can use Workflow to investigate, track, and collaborate on information related to threats and incidents, all from within one central location in ThreatConnect. (2) A Workflow is a codified procedure for the steps to be taken within a Case. Users and administrators with the requisite permissions may create Workflows from scratch, or they may be copied from a Workflow Template into an Organization.

Workflow Case - A Workflow Case is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated.

Workflow Playbook - A Workflow Playbook is a special type of Playbook that uses a Workflow Trigger, which passes input from within the Workflow process to the rest of the Playbook, which then performs its defined function and returns its output back to the Workflow process.

Workflow Task - A Workflow Task is a step to perform within a Case. Workflow Tasks can be manual (i.e., performed by a user) or automated (i.e., performed by a Workflow Playbook).

Workflow Template - A Workflow Template is a System-level Workflow that is available to be copied into and used in Organizations. ThreatConnect provides a set of Workflow Templates via TC Exchange, and System Administrators may import or install System-level Workflow Templates.


[1] https://csrc.nist.gov/glossary/term/intelligence (NIST SP 800-53 Rev. 5 under “all-source intelligence”)

[2] https://csrc.nist.gov/glossary/term/threat (NIST SP 800-53 Rev. 5 under “threat”)


ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
Amazon S3™ is a trademark of Amazon Technologies, Inc.
Apache Kafka® is a registered trademark of The Apache Software Foundation.
ClamAV® and Snort® are registered trademarks of Cisco Systems, Inc.
DomainTools®, Farsight Security®, and Iris® are registered trademarks of DomainTools, LLC.
IBM Resilient Incident Response Platform® is a registered trademark of IBM Corporation.
Jira™ is a trademark of Atlassian Corporation Plc.

Microsoft® and RiskIQ® are registered trademarks of Microsoft Corporation.
MITRE ATT&CK® and ATT&CK® are registered trademarks, and CybOX™ and STIX™ are trademarks, of The MITRE Corporation
OpenSearch® is a registered trademark of Amazon Web Services.
Security Assertion Markup Language™ and SAML™ are trademarks of OASIS, the open standards consortium where the SAML specification is owned and developed. SAML is a copyrighted © work of OASIS Open. All rights reserved.
ServiceNow® is a registered trademark of ServiceNow, Inc.

Shodan® is a registered trademark of Shodan.
Splunk® is a registered trademark of Splunk, Inc.

VirusTotal™ is a trademark of Google, Inc.

20105-01 v.11.A


Was this article helpful?