ThreatConnect Glossary
  • 28 Aug 2023
  • 38 Minutes to read
  • Dark

ThreatConnect Glossary

  • Dark

Article Summary


This glossary consists of definitions of important and commonly used terms in ThreatConnect®.


Accounts Administrator - Accounts Administrator is a System role that provides you with read-only access at the System and Organization levels. Users with this role can create and modify, but not delete, Organizations, and can add Organizations to Communities and Sources.

Active Cases - Active Cases is a Cases Metric dashboard card that provides a graphical representation of the total number of active Workflow Cases (i.e., Cases with a status of Open) assigned to each user or user group.

Active Mode - Active Mode is used when a Playbook has been completely designed and configured with no validation issues. When Playbooks are active, they are available for execution in an Organization. Playbooks may not be edited in Active Mode. However, you can view Trigger and App parameters in Active Mode by double-clicking on the element.

Address Indicator - The Address Indicator represents a valid IP Address, either IPv4 or IPv6 (e.g.,

Administrator - Administrator is a System role that provides you with full access to all System and Organization settings within a ThreatConnect instance. This role, also known as the System Administrator, is typically used for administration purposes, but can perform most other functions, such as creating Indicators and Groups, viewing and adding Dashboards, and adding and running Playbooks.

Adversary Group - The Adversary Group represents a malicious actor or group of actors. An Adversary can be tracked by its assets (e.g., websites, email addresses, hacker handles) to allow for monitoring of activity.

Alias - An alias is another name that a vendor may use for a Group. When scanning online resources for Groups with ThreatConnect Intelligence Anywhere, aliases for Groups found during the scan are displayed on the Groups tab of the Scan Results window. If viewing the Details screen for a Group for which known alias information exists in CAL, you can view these aliases using the CAL Aliases button displayed on the Groups card of the Associations tab; on the legacy Details screen, this button is displayed on the Associated Groups section of the Associations card while the card is in table view. Additionally, you can view alias information for a Group that exists in CAL via the CAL Alias Information option when using Threat Graph.

Analyst Workload - Analyst Workload is a Cases Metric dashboard card that provides a graphical representation of the total current Case workload of individual users and the severity of those Cases.

App Builder - The App Builder is a Python development environment that allows you to create, edit, and release Playbook apps directly in ThreatConnect.

App Developer - App Developer is an Organization role that allows licensed user accounts to build apps in an Organization.

Artifact - An Artifact in Workflow is any piece of data not captured in a Note that provides information relevant to a Workflow Case that may be useful to an analyst. Potential Artifact types include all ThreatConnect Indicator types, as well as a variety of other data types. Examples of Artifacts include domains, email addresses, log files, emails, PCAP files, screenshots, SIEM event files, and malware documents.

ASN Indicator - The ASN (Autonomous System Number) Indicator represents a number that uniquely identifies each network on the Internet (e.g., 204288).

Asset - An Asset is an account or web resource that an Adversary leverages in support of its operations, such as handles (aliases), phone numbers, and website URLs. Assets can be added to an Adversary in ThreatConnect.

Association - An associations is the mechanism through which the ThreatConnect platform models a relationship between two objects. Associating Indicators to Groups empowers an analyst to pivot to any related Group. You can associate Indicators to other Indicators via custom associations, and you can associate Groups of any type to each other. Indicators and Groups can also be associated to Workflow Cases and to Artifacts in Workflow Cases.

Association Attribute - An Association Attribute for an object is an Attribute that belongs to a Group associated to the object, provided that the Attribute Type has been configured as an association Attribute Type by an Organization Administrator or Director in a Community or Source.

Attack Pattern Group - The Attack Pattern Group represents a type of tactics, techniques, and procedures (TTP) that describes ways that adversaries attempt to compromise targets.

Attribute - An Attribute is a key/value data set that can be added to a Group, Indicator, Victim, or Workflow Case. This type of metadata provides an excellent way to organize, categorize, and integrate the objects into an Organization’s analytic workflow. Attributes and their accepted values are managed on the Attribute Types and Attribute Validation Rules tabs, respectively, of the System Settings screen (for System-level Attributes), Organization Config screen (for Organization-level Attributes), and Community Config screen (for Community- and Source-level Attributes).

Attribute Preference - An Attribute Preference allows an Organization Administrator or Director in a Community or Source to configure an Attribute Type as a default, pinned, or association Attribute Type in an Organization or a Community or Source, respectively.


Banned - Banned is a Community role that provides you with no access at all to a Community.

Browse Screen - The Browse screen provides a central point from which to access and filter content in ThreatConnect. You can use the Browse screen to view objects (Indicators, Groups, Tags, Tracks, Victims, or Victim Assets) for an Organization, Community, or Source.


CAL - CAL™ is a service that aggregates anonymized data from multiple instances of ThreatConnect and other sources. Analysts may find it useful to compare information from CAL with information that appears in their local instance of ThreatConnect.

CAL Alias - See “Alias.”

CAL Automated Threat Library (ATL) - The CAL ATL Source aggregates articles from information security blogs; parses them for IOCs, malware families, threat actors, etc.; and automatically models them in ThreatConnect.

CAL Impact Factor - A CAL impact factor is a key factor that increases or decreases an Indicator’s CAL score. When viewing an Indicator’s Details screen, the CAL impact factors that affected its CAL score, if any, are displayed on the ThreatAssess and CAL section of the Details card.

CAL Score - An Indicator’s CAL score (also known as CAL reputation score) is out of a maximum value of 1000. This score is based on several factors, including aggregated and anonymized false positive and observation data from all instances participating in CAL, an Indicator’s presence in malicious and benign data sources to which CAL has access and ingests, relationships to other known good and bad Indicators in CAL, and more.

Campaign Group - The Campaign Group represents a collection of Incidents over time.

Card - A card is a rectangular section of the screen on which information on a particular topic is organized and presented.

Case Attribute - A Case Attribute is a key/value data set that you can add to a Workflow Case. These Attributes enrich a Case’s data and aid security teams as they investigate a threat and determine the appropriate escalation path for a Case.

Case Close Time - The date and time when a Workflow Case was closed.

Case Open Time - The date and time when a Workflow Case was opened.

Cases Metrics - Cases Metrics are available on dashboard Metric cards and provide a graphical representation of nine metrics for Workflow Cases: Active Cases, Analyst Workload, False Positives, Mean Time to Detection (MTTD), MTTD Average, Mean Time to Resolution (MTTR), MTTR Average, Top 10 Case Closing Analyst, and Unassigned Cases.

Central Space - A Central Space is used with an App that can be applied across ThreatConnect. They are accessed via the Spaces option on the top navigation bar.

CIDR Indicator - The CIDR (Classless Inter-Domain Routing) Indicator represents a block of network IP addresses (e.g.,

Classifier - A series of labels representing predefined categorizations derived from CAL’s classification analytics. Classifiers behave like Tags in ThreatConnect, except that they are applied by CAL using the totality of its data set and statistical models.

Commenter - Commenter is a Community role that allows you to view existing data and create and reply to posts in a Community.

Community - A Community is a tightly administered group of ThreatConnect owners. A Community may have Organizations or individuals as members. Members can contribute intelligence to the Community, vote on Indicator ratings, and have collaborative discussions. Communities have the option to allow their members to use pseudonyms. A Community will often be formed around a common purpose, such as an industry sector, a current event, or a geopolitical region.

Community Leader - Community Leader is a System role that provides you with read-only access at the System and Organization levels. The main use case for a Community Leader is for read-only viewing of all Organizations in the System (i.e., on the ThreatConnect instance) in order to make informed requests to System Administrators (e.g., request changes to the System configuration or request creation of new Communities and Sources).

Community Role - A user’s Community role is their owner role within a Community or Source. See “Owner Role” for more information.

Component - See "Playbook Components."

Confidence Rating - The Confidence Rating identifies how confident you are in your Threat Rating. It is measured on a scale of 0–100%—the higher the rating, the higher the confidence.

Contextually Aware Space - A Contextually Aware Space is an analytic pane that runs and displays multiple Apps for use with a particular Indicator or Group in a single, convenient place. They are a powerful enrichment tool tailored to automate and improve the way you work with specific Indicator or Group types and provide a way to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.

Contribute - Contribute is the action of adding a copy of a Group in an Organization to a Community or Source. The functionality is found on the Sharing tab of the legacy Details screen for a Group object.

Contributor - Contributor is a Community role that allows you to view existing data, create and reply to posts, and create Indicators, Groups, and Tags in a Community.

Course of Action Group - The Course of Action Group represents a recommendation from a producer of intelligence to a consumer on the actions that they might take in response to that intelligence.

Create - A quick way to add data into ThreatConnect is to use the Create option on the top navigation bar to create a single Indicator, Group, Track, or Victim.

Cross-Owner Association - A cross-owner association is an association between a Case, Group, or Indicator in your Organization and a Group or Indicator that exist in a Community or Source to which you have access. Super Users have the ability to create these associations between objects in the Organizations on their instance and between those in the Communities and Sources to which they have access.

Custom Indicator - For users with a Dedicated Cloud or On-Premise subscription, ThreatConnect can be extended to create custom Indicator types to support different use cases. Custom Indicators are treated in the same manner as built-in Indicator types, such as URL and File, and they can be associated with Groups, such as Threats, Incidents, and Emails, as well as with other Indicators via the custom Associations functionality. See ThreatConnect System Administration Guide for more information about using custom Indicators.


Dashboard - The Dashboard is the first screen displayed after you log into ThreatConnect. It is your control center for ThreatConnect, providing a variety of data and metrics, such as recent activity, active Incidents, open Tasks, Indicator trends, and query results. Each type of information is presented on a card whose location, format, colors, and type of graphic can be set according to your or an administrator’s preferences. 

DataStore - The DataStore is a feature that allows runtime and Playbook Apps to persist data using OpenSearch®. The DataStore is available to any Job, Spaces, or Playbook App requiring persistent storage.

Description Attribute - The Description Attribute, found on every Indicator, Group, Tag, Track, Victim, and Victim Asset in ThreatConnect, is a space for an analyst to provide a brief, high-level explanation of the nature of the content.

Design Mode - When the Playbook Designer is in Design Mode, a Playbook is inactive and can be created and edited.

Details Drawer - The Details drawer provides a detailed overview of an Indicator, Group, Tag, Track, Victim, or Victim Asset.

Details Screen - The Details screen is the main screen where you can view information for Indicators, Groups, Tags, Tracks, and Victims. As of ThreatConnect version 7.0, there are two ways to view the Details screen: the new Details screen view and the legacy Details screen view.

Diamond Model - The Diamond Model represents the four core features of a cyber-attack: Adversary, Capabilities, Infrastructure, and Victim. Each core feature is represented as a vertex on the Diamond and are linked via edges to illustrate their relationship to one another.

Director - Director is a Community role that allows you to view, create, and delete data (i.e., posts and threat intelligence), edit threat intelligence, and administrate members in a Community.

Document Group - The Document Group represents an actual file of interest, such as a PDF report that contains valuable intelligence or a malware sample. Documents can have their contents indexed for future searching.


Editor - Editor is a Community role that allows you to view, create, and delete data (i.e., posts and threat intelligence), as well as edit threat intelligence, in a Community.

Email Group - The Email Group represents an occurrence of a specific suspicious email, such as a phishing attempt.

Email Address Indicator - The Email Address Indicator represents a valid email address (e.g.,

Email Subject Indicator - The Email Subject Indicator represents the subject line of an email.

Email Import - An Email Import allows you to import a malicious or suspicious email into ThreatConnect as an Email Group.

Enrichment – The Enrichment tab of an Indicator’s Details screen displays a card for each built-in enrichment service enabled for the Indicator’s type that includes a summary of data retrieved from the enrichment service. Each enrichment service card also provides the ability to view detailed enrichment information for the Indicator and retrieve the most up-to-date information from the enrichment service manually. Depending on the enrichment service, you may also be able to import enrichment data into ThreatConnect.

Enrichment Service – ThreatConnect includes built-in enrichment services from which you can retrieve data to enrich Indicators. The following third-party enrichment services are currently available in ThreatConnect:

  • Shodan®
  • VirusTotal™

Event Group - The Event Group is an observable occurrence of notable activity in an information system or network that may indicate a security incident. For example, an Event might be created from a SIEM alert that needs to be triaged and investigated.

Execute - The act of running a Playbook. The results of a Playbook execution can be viewed in the Executions pane of the Playbook Designer while the Playbook is open, and full details of an execution can be viewed by clicking on it in the Executions pane to open its Execution screen.

Explore In Graph - See “Threat Graph.”


False Positive - A false positive is an Indicator that has been erroneously classified as malicious. ThreatConnect allows you to report false positives, although this feature is limited to one report per day per Indicator per user. As such, different users may report the same Indicator once on the same day.

False Positives - False Positives is a Cases Metric dashboard card that provides a graphical representation of the percentage of Workflow Cases that had their status set to Closed and resolution set to False Positive over a period of time.

Feed Deployer - System Administrators can use the Feed Deployer to create Sources, which then run associated jobs in an Organization.

Feed Explorer - The Feed Explorer presents all open-source feeds available to an instance of ThreatConnect in a table with associated metric data derived from information gathered from CAL. The Feed Explorer also provides a report card for each feed, showing how the feed’s metrics compare with aggregated metrics from the other feeds.

File Indicator - The File Indicator represents a unique file hash or series of hashes (e.g., MD5, SHA-1, and SHA-256).


Graph - An Indicator’s, Group’s, Case’s. or Tag's graph is where you can pivot on Indicator, Group, Case, and Tag associations in ThreatConnect, as well as relationships for Indicators and Groups that exist within a CAL dataset. You can access the graph for an Indicator or Group by clicking the Explore In Graph button on the Indicator’s or Group’s Details screen and Details drawer. For Cases, you can access a Case’s graph by clicking the Explore In Graph button displayed when viewing the Case. See “Threat Graph” for more information.

Graph Screen - Selecting Graph on the top navigation bar will display the Graph screen, where you can view all graphs saved to your ThreatConnect user account. See “Graph” and “Threat Graph” for more information.

Group - A Group is a collection of related behavior and intelligence. Groups are currently classified in one of 17 categories: Adversary, Attack Pattern, Campaign, Course of Action, Document, Email, Event, Incident, Intrusion Set, Malware, Report, Signature, Tactic, Task, Threat, Tool, and Vulnerability.

Group Alias - See “Alias.”


Hashtag Indicator - The Hashtag Indicator represents a hashtag term as used in social media.

Host Indicator - The Host Indicator represents a valid hostname, which is also referred to as a domain (e.g.,


Import - The Import feature allows you to quickly import data, such as Email, Indicators, and Signatures, into ThreatConnect. You can perform four types of imports: Email, Structured Indicator, Unstructured Indicator, and Signature.

Incident Group - The Incident Group represents a snapshot of a particular intrusion, breach, or other event of interest.

Indicator - An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on ThreatConnect’s Diamond Model. Indicators are guaranteed to be unique within an Owner. Indicators currently are classified in one of 12 categories: Address, E-mail Address, File, Host, URL, ASN, CIDR, Email Subject, Hashtag, Mutex, Registry Key, and User Agent.

Indicator Exclusion List - An Indicator Exclusion List is created to prevent the import of Indicators that may be deemed legitimate or non-hostile to an organization.

Indicator Status - Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active (i.e., an Indicator of Compromise (IOC) at the current time) or inactive (i.e., an Indicator that is not an IOC at the current time, but is being kept in ThreatConnect for historical accuracy) and whether the status was set by ThreatConnect (i.e., any user in the ThreatConnect instance) or by CAL.

Intelligence Anywhere - See "ThreatConnect Intelligence Anywhere."

Intelligence Source - An Intelligence Source is a type of data owner in ThreatConnect, containing data from an open-source or premium-feed Source that an Organization is following.

Interactive Mode - When the Playbook Designer is in Interactive Mode, you may interactively test an app in-line and collaborate with other users on the Playbook.

Intrusion Set Group - The Intrusion Set Group is a set of adversarial behaviors and resources with common properties that is believed to be orchestrated by a single organization. An Intrusion Set may capture multiple Campaigns or other activities that are all tied together by shared attributes indicating a commonly known or unknown Adversary. New activity can be attributed to an Intrusion Set even if the Adversaries behind the attack are not known. Adversaries can move from supporting one Intrusion Set to supporting another, or they may support multiple Intrusion Sets.

Investigation Links - The Investigation Links card on the Details screen provides links to search results of various third-party lookup and other information services.


Job Server - See “Playbook Server.”


Malware Group - The Malware Group is a type of TTP that represents malicious code.

Malware Vault - The Malware Vault allows for the safe storage of malware or suspicious files for analysis. Malware uploaded to the Malware Vault must be zipped and password protected.

Menu Space - A Menu Space is a shortcut to a Spaces App and is listed under Spaces on the top navigation bar.

Metric Card - A Metric card is a dashboard card that can be configured to display System Metrics, User Metrics, Cases Metrics, or Playbooks Metrics.

MTTD - Mean Time to Detection (MTTD) is a Cases Metric dashboard card that provides a graphical representation of the average amount of time it took to detect a security issue or event, which is measured by calculating the average amount of time between the Time of Occurrence and Time of Detection for Workflow Cases.

MTTD Average - Mean Time to Detection (MTTD) Average is a Cases Metric dashboard card that provides a comparative numerical representation of MTTD over a period of days, weeks, or months and highlights the percentage increase of MTTD during that period of time.

MTTR - Mean Time to Resolution (MTTR) is a Cases Metric dashboard card that provides a graphical representation of the average amount of time it took to resolve a Workflow Case, which is measured by calculating the average amount of time between the Open Time and Close Time for Cases, over a specified period of time broken down by days, weeks, or months.

MTTR Average - Mean Time to Resolution (MTTR) Average is a Cases Metric dashboard card that provides a comparative numerical representation of MTTR over a period of days, weeks, or months and highlights the percentage increase of MTTR during that period of time.

Mutex Indicator - The Mutex Indicator is a synchronization primitive that can be used to identify malware files and relate malware families (e.g., \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex).


Note - A Note in Workflow is freeform information entered by a user (e.g., in a Case or attached to a Task or Artifact). Notes can be used to provide commentary, directives to another user, additional details, or any information that cannot be captured elsewhere. They enable security teams to journal key data findings in an unstructured format.

Notifications - ThreatConnect allows you to receive push-notification and email updates on changes to Indicators, Groups, Tasks, Tags, Victims, and other items that you want to track.

Notifications Center - The Notifications Center displays push-notification alerts on changes to Indicators, Groups, Tasks, Tags, Victims, and other items users want to track.


Observation - An observation is a count of the number of times an Indicator has been reported by a bidirectional integration with ThreatConnect. They allow users to correlate external intelligence with internal intelligence.

Operations Administrator - Operations Administrator is a System role that provides you with read-only access at the System level and full permissions at the Organization level. Operation Administrators can make administrative changes to Organizations, such as creating, deleting, and updating accounts, and can add, modify, and remove Communities and Sources.

Organization (Org) - An Organization, often referred to as an Org, is one of the three owner types in ThreatConnect. It represents a team of persons with the same levels of access and trust. An Organization is a collaborative space—its members are meant to work on tasks while fully visible to one another.

Organization Administrator - Organization Administrator is an Organization role that allows licensed user accounts to administer and configure all Organization data and members.

Organization Role - A user’s Organization role in ThreatConnect is their owner role within an Organization. See “Owner Role” for more information.

Overall Threat Rating - For an Organization, Overall Threat Rating is the latest assertion of an Indicator's Threat Rating by any member of the Organization, including via the API. For a Community, Overall Threat Rating is the average of all of the Threat Ratings for the Indicator across the Community, based on the latest assertion per Organization across the Community membership. For a Source, Overall Threat Rating is typically the rating for the Indicator that was set upon the Indicator's import.

Owner - Every piece of data in ThreatConnect has an owner. Owners have full control over the data they own, and they fall under one of three categories: Organization, Community, Source.

Owner Role - A user’s Owner role in ThreatConnect determines the permissions that they have within that Organization, Community, or Source. These permissions cover Organization or Community/Source administration, threat intelligence objects within the owner, and, for Organizations only, Case management (i.e., Workflow) and Playbooks.


Pathways - The various routes between Triggers, Apps, and Operators that a Playbook execution can take.

Phase - A Phase in Workflow is a logical grouping of Tasks.

Pivot - Pivoting is an analytic transition in which you move from one entity—Indicators and Groups in the ThreatConnect Data Model, as well as Tags and Attributes—to an associated entity in accordance with the methodology defined by the Diamond Model. Through the process of pivoting, you can, in a contiguous manner, explore relationships, and find correlations between entities.

Playbook - The Playbooks feature allows you to automate cyberdefense tasks via a drag-and-drop interface. The interface uses Triggers (e.g., a new IP address Indicator, a phishing email sent to an inbox) to pass data to Apps, which perform a variety of functions, including data enrichment, malware analysis, and blocking actions. Once enabled, Playbooks run in real time and provide you with detailed logs of each run.

Playbook Activity - The Playbooks Activity screen is a control panel on which Organization Administrators can monitor Playbook Server and Worker execution metrics, priorities, and processes for their Organization or instance. From this screen, current, present, and past Worker activity and allocation to Servers can be viewed and Playbook executions can be killed.

Playbook App - A Playbook App is a tool that is used to act on data provided by a Trigger or another App within a Playbook. Currently, there are 15 App categories:

  • Collaboration & Messaging: Collaboration & Messaging Apps send a customizable message via a client (e.g., email, meeting invitation, SMS).
  • Component: Components are Apps that consist of modules of Playbook elements (Apps and Operators, with a single initial Trigger) that can be called from a Playbook.
  • Data Enrichment: Data Enrichment Apps automate the enrichment of Indicators through ThreatConnect or third-party enrichment tools.
  • Email Security: Email Security Apps automate email investigation and response actions based on senders, attachments, and folders.
  • Endpoint Detection & Response: Endpoint Detection & Response Apps add, update, and remove Indicators from alerting and blocking lists on endpoint security tools.
  • Identity & Access Management: Identity & Access Management Apps retrieve user information and update, activate, and block users.
  • Incident Response & Ticketing: Incident Response & Ticketing Apps create a ticket, record, or issue for the Trigger in a third-party system such as Jira™, ServiceNow®, or IBM Resilient Incident Response Platform® (Resilient).
  • IT Infrastructure: IT Infrastructure Apps investigate storage solutions and other infrastructures, such as Amazon Simple Storage Service (Amazon S3™) or Apache Kafka®, to identify Indicators and security alerts.
  • Malware Analysis: Malware Analysis Apps analyze a file artifact for maliciousness and automate actions to be taken on the resulting report data.  
  • Network Security: Network Security Apps add, update, and remove Indicators from alerting and blocking lists on network tools.
  • SIEM & Analytics: SIEM & Analytics Apps add, update, and remove Indicators from alerting and blocking lists on SIEM tools.
  • Threat Intelligence: Threat Intelligence Apps integrate with third-party products that typically use data in ThreatConnect. These integrations bring timely and relevant information into ThreatConnect so that users can make informed decisions.
  • ThreatConnect: ThreatConnect Apps perform a task in ThreatConnect.
  • Utility: Utility Apps perform data utility functions, like formatting dates, filtering regexes, and extracting data from a file of a given type (CSV, JSON, EML/MSG, RSS, or XPath).
  • Vulnerability Management: Vulnerability Management Apps search for, retrieve, and prioritize vulnerabilities.

Playbook Component - A Playbook Component is an App that consists of modules of Playbook elements (Apps and Operators, with a single initial Trigger) that can be called from a Playbook in ThreatConnect. They make Playbook design more convenient when a group of elements is used repeatedly by allowing the elements to be packaged together and called as a single element.

Playbook Designer - The Playbook Designer is the configuration screen that appears after creating or opening a Playbook. It is the screen where you build and activate a Playbook, create and operate Run Profiles, access a Playbook’s version history, create global variables, view execution details and logs, and access administrative functions and settings for the Playbook.

Playbook Environment - The Playbooks Environments screen provides information to Organization Administrators, Operations Administrators, and System Administrators on the Environments available to their ThreatConnect instance and allows them to administrate the Environments from within their instance.

Playbook Operator - A Playbook Operator is a logic-based link between Triggers and Apps.

Playbook ROI - The Playbooks Return on Investment (ROI) feature allows you to view and visualize the return on investment for the Playbooks executed in your Organization—that is, how much money and time each execution of a given Playbook has saved you (versus doing all of the tasks in the Playbook manually, without orchestration) over various periods of time.

Playbook Server - A Playbook Server, also known as a Job Server, is a ThreatConnect instance that is dedicated to the execution of Playbooks.

Playbook Service - A Playbook Service App is a microservice that constantly runs in the background. Currently, there are two types of Services available in ThreatConnect:

  • Custom Trigger Service - This type of Trigger creates Push-type events to handle a custom protocol or raw-port access or that Pull on a configured interval.
  • Webhook Trigger Service - This type of Trigger creates Push-type events that have complex data requiring normalization, filtering, or a better UX. This Trigger Service is essentially a custom WebHook Trigger.

Playbook Template - A Playbook Template is a Playbook provided by ThreatConnect to illustrate best-in-class use cases for Playbooks and help educate users in how to construct more complex Playbooks.

Playbook Trigger - A Playbook Trigger is an event that initiates the actions defined within a Playbook. In order to be activated, a Playbook must have one, and only one, Trigger. Currently, there are five Trigger categories:

  • External Triggers - External Triggers are actions that occur outside of the ThreatConnect platform. Currently, there are five External Trigger types:
    • WebHook Trigger - The WebHook Trigger is an External Trigger that creates an HTTPS endpoint that can process nearly any piece of information that can be sent via HTTP.
    • Mailbox Trigger - The Mailbox Trigger is an External Trigger that lets you create a mailbox to send information to a Playbook.
    • Timer Trigger - The Timer Trigger is an External Trigger that allows you to initiate execution of a Playbook on a set schedule (e.g., once a day; on the 15th of the month).
    • UserAction Trigger - The UserAction Trigger is an External Trigger that allows you to run Playbooks on demand from the Details screen of Indicators, Groups, Tracks, or Victims. You can also run User-Action Trigger–based Playbooks for Indicators while using Threat Graph. This Trigger is contextually aware and user driven, and it allows a customized response (HTTP or plain text).
    • Custom Trigger - See “Playbook Services.”
  • Group Triggers - Group Triggers correspond to all of the defined Groups on your ThreatConnect instance.
  • Indicator Triggers - Indicator Triggers correspond to all of the defined Indicators on your ThreatConnect instance.
  • Other Triggers - Other Triggers correspond to the Case, Track, and Victim objects.
  • Service Triggers - Service Triggers are microservices that constantly run in the background.

Playbook Worker - A Playbook Worker is an embedded process in a Playbook Server responsible for executing orchestration logic in a queue. A Worker can execute only one Playbook at a time, and multiple Workers can exist inside a Playbook Server.

Playbooks Metrics - Playbooks Metrics are available on dashboard Metric cards and provide a graphical representation of three metrics calculated by the Playbooks Return on Investment (ROI) feature for all selected Playbooks: Playbook Execution Count, Playbook Financial Savings, and Playbook Hours Saved.

Post - A post is a comment in your Organization or one of your Communities or Sources. When creating a post, you may link it to Indicators, Groups, Tags, Tracks, and Victims that belong to one of your owners.

Posts Screen - The Posts screen displays posts (i.e., comments) that were added to Indicators, Groups, Tags, Tracks, and Victims across your Organization, Communities, and Sources. If an owner has been selected, there will also be an Add New Comment text box that will allow for commenting directly into that owner.

Private Indicator - An Indicator marked as private will not be sent to CAL for aggregation, and CAL data retrieval and CAL pivoting in Threat Graph will be disabled for the Indicator.


Query Card - A Query card is a dashboard card that displays the results of a saved TQL query.


Read Only Commenter - Read Only Commenter is an Organization role that allows you to view and comment on existing data in an Organization, as well as create posts and add Notes to Workflow Cases.

Read Only User - Read Only User is an Organization role that allows you to view existing data in the Organization(s) to which you belong.

Registry Key Indicator - The Registry Key Indicator represents a node in a hierarchical database that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\MyApp).

Report - A report is a customized document that may contain details about Groups or Cases; summaries of Attributes added to a Group or Case; tables displaying objects associated to a Group or Case; visual elements, such as saved Group or Case graphs from Threat Graph and images; query-based charts and tables, metric charts, and pre-configured tables; Markdown-supported text blocks; and page layout elements. You can save a report for later viewing, export it as a PDF or HTML file, and create a Report Group that includes the report as a file attachment.

Report Editor - The Report Editor is the screen where you can add content to a report and customize its layout. You can access the Report Editor by clicking the + Create Custom Report button while viewing a Group or Case or on the Reporting screen.

Report Group - The Report Group is a collection of threat intelligence focused on one or more topics, such as a description of a threat actor, malware, or attack technique, including context and related details. It is used to group related threat intelligence together so that it can be published as a comprehensive cyber threat story. PDF and HTML files uploaded to a Report Group are viewable directly on the Report File card on the Overview tab of the Group's Details screen.

Reporting - The Reporting screen displays all reports you and other users in your Organization have saved and provides the ability to create a generic report (i.e., a report that is not for a specific Group or Case).

ROI Metrics - Metrics on Playbook Return on Investment (ROI) are available on dashboard Metric cards.


SAML - Security Assertion Markup Language™ (SAML™, pronounced SAM-el) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

Search Drawer - The Search drawer in ThreatConnect uses a combination of direct and indirect search algorithms to find data based on a given input. Search results also provide information of analytic value, including exact and potential matches in your ThreatConnect instance and the ability to identify, create, and explore new Indicators.

Security Label - Security Labels provide a means to designate information stored within ThreatConnect as sensitive. When sharing data with partners, or when copying data to and from Communities, Security Labels provide control over what is shared and allow the sharer to redact information based on Security Labels that are applicable to Indicators, Groups, and Victims, as well as Attributes added to those object types.

Sharing User - Sharing User is an Organization role that allows licensed user accounts to view, create, delete, and share data in an Organization.

Signature Group - The Signature Group represents an actual Signature that can be used for detection or prevention in a supported format (i.e., Bro, ClamAV®, CybOX™, Iris™ Search Hash, Microsoft® KQL, OpenIOC, Regex, Splunk® Search Processing Language (SPL), Sigma, Snort®, Suricata, TQL Query, and YARA).

Signature Import - A Signature Import allows users to import and manage the following popular Signature formats: Bro, ClamAV, CybOX, Iris Search Hash, Microsoft KQL, OpenIOC, Regex, Splunk Search Processing Language (SPL), Sigma, Snort, Suricata, TQL Query, and YARA.

Skulls - Skulls are used to represent the scale on which Threat Rating is measured, where 0 skulls is the lowest Threat Rating and 5 skulls is the highest. Sometimes, the word "skulls" is omitted. For example, "a Threat Rating of 5" is equivalent to "a Threat Rating of 5 skulls."

Source - A Source is a one-way feed of information. Like Communities, Sources may have Individuals or Organizations as members. Unlike Communities, Sources are not meant to be a collaborative environment. Members, and their pseudonyms, are not visible to one another and typically do not have any write access within a Source. Oftentimes, a Source will represent a feed of Indicators or intelligence, whether premium, open source, or internally produced.

Space - A Space creates an analytic pane that can run and display up to four apps in a single, convenient place. They are a great way to extend the capabilities of the user interface and to work with favorite third-party tools and products to bring their capabilities directly into ThreatConnect.

Structured Import - A Structured Import allows you to import Indicators from a comma-separated values (CSV) file. Structured Imports work with any Indicator, including custom Indicators, that takes a single value and is marked as parsable.

Subscriber - Subscriber is a Community role that provides you with read-only access to published data from a Community.

Super User - Super User is a System role that enables users on multitenant instances to easily view and manage all of their customers’ data from a single user account. Super Users do not have any access or permissions at the System level, but do have full data-level, administrative, and configuration permission at the Organization level for all Organizations on the ThreatConnect instance.

System Administrator - See “Administrator.”

System Metrics - System Metrics are available on dashboard Metric cards and consist of metrics related to Activities, Indicators, and Intelligence.

System Role - A user’s System role in ThreatConnect determines the System-level permissions that they have on their instance of ThreatConnect. These permissions cover access and functionalities on each of the following screens: System Settings, Account Settings, TC Exchange™ Settings, Organization Settings, and Organization Config.


Tactic Group - The Tactic Group represents an action or strategy carefully planned to achieve a specific end.

Tag - A Tag is a data object that can be applied to Indicators, Groups, Victims, and Workflow Cases. They create associations between the data to which they are applied, as well as a path from one intelligence item to another.

Task Group - The Task Group represents an assignment given to a ThreatConnect user. See “Workflow Task” for the definition of a Task within Workflow in ThreatConnect.

TC Exchange - TC Exchange™ is the term for ThreatConnect's catalog of resources such as integrations, Communities, training opportunities, and links to SDK and API documentation.

Technical Blogs and Reports - The Technical Blogs and Reports Source is open to all ThreatConnect users. It aggregates blog posts from over 90 open-source security blogs that have been chosen by ThreatConnect for their quality. In September 2022, ThreatConnect released the CAL Automated Threat Library (ATL), which is the evolution of the Technical Blogs and Reports Source. As a result, the Technical Blogs and Report Source is scheduled to be deprecated in the near future. See “CAL Automated Threat Library (ATL)” for more information.

Threat Graph - Threat Graph provides a graph-based interface where you can discover, visualize, and explore Indicator, Group, Case, and Tag associations and relationships. After accessing an object’s graph, you can pivot on Indicator, Group, Case, and Tag associations in ThreatConnect, Indicator and Group relationships that exist within CAL, and third-party enrichment relationships for supported Indicator types; run active UserAction Trigger–based Playbooks for Indicators that exist in ThreatConnect; import Indicators displayed on the graph into ThreatConnect; view known alias information retrieved from CAL for supported Group types; and save and export graphs.

Threat Group - The Threat Group represents a group of related activity, whether or not attribution is known. This relation can be based on technology (e.g., Shellshock) or pertain to a grouping of activity that is presumed to be by the same selection of actors (e.g., Bitterbug).

Threat Score - When an email is imported into ThreatConnect, a Threat Score is computed using email-scoring rules configured by a System Administrator and assigned to the corresponding Email Group. See ThreatConnect System Administration Guide for more information on how email-scoring rules function in ThreatConnect.

ThreatAssess - ThreatAssess gives a basic risk assessment of an Indicator through a single, actionable score. The score represents the overall potential impact that an Indicator might have to a security organization.

ThreatConnect Intelligence Anywhere - ThreatConnect Intelligence Anywhere is a web browser extension that can scan online resources, such as static and dynamic webpages, social media platforms, email messages, and even ThreatConnect itself, for potential Indicators or Groups. When scanning an online resource for Groups, Intelligence Anywhere will leverage the natural-language processing (NLP) capabilities of CAL to search for text that is indicative of a MITRE ATT&CK® technique. After completing a scan with Intelligence Anywhere, you can import potential Indicators found on the scanned resource into ThreatConnect and associate them to an existing or newly created Group.

ThreatConnect Query Language (TQL) - The advanced search filter allows you to build structured queries using a SQL-like query language called ThreatConnect Query Language (TQL). With this feature, an analyst can specify criteria that cannot be defined using a simple string search. At any time, a query can be saved and revisited later or used in custom dashboards (if enabled).

Threat Rating - The Threat Rating identifies how much of a threat an Indicator represents. It is measured on a scale of 0–5 skulls, where a higher rating represents a higher threat.

Time of Detection - The date and time when a security incident or threat was detected (e.g., by a security team).

Time of Occurrence - The date and time when a security incident or threat occurred.

Timeline - The timeline in a Workflow Case is a recording of actions performed in the Case in chronological order. Timelines enable security teams to quickly observe key events over a span of dates in a Workflow Case. They also allow users to drill down into important timeframes in the lifespan of a Workflow Case.

Timeline Event - A Timeline Event is added automatically to a Workflow Case’s timeline when an action is performed in the Case. You may also add Timeline Events to a Case manually.

Tool Group - The Tool Group represents legitimate software that can be used by threat actors to perform attacks.

Top 10 Case Closing Analyst - Top 10 Case Closing Analyst is a Cases Metric dashboard card that provides a graphical representation of the 10 analysts who closed the most Workflow Cases in the last 30 days. It also displays the total number of Cases closed in the past 30 days by each user.

TQL - See "ThreatConnect Query Language (TQL)."

Track - ThreatConnect's Reverse Whois Tracks leverage DomainTools™, an external data service that interfaces with ThreatConnect to actively detect and issue alerts about new associations discovered in Whois records between Adversary assets and hosts.


Unassigned Cases - Unassigned Cases is a Cases Metric dashboard card that provides a graphical representation of the total number of unassigned Workflow Cases and a breakdown of the number of unassigned Cases per severity level (Low, Medium, High, and Critical).

Unstructured Import - An Unstructured Import allows users to import Indicators from input text and unstructured documents, including .txt, .pdf, .doc, .docx, .ppt, .pptx, .xls, and .xksx files.

URL Indicator - The URL Indicator represents a valid URL, including protocol (e.g.,

User (Community) - In a Community, the User role provides you with read-only access to existing data in a Community.

User (Organization) - In an Organization, the User role allows licensed user accounts to view, create, and delete data in an Organization.

User Agent Indicator - The User Agent Indicator is a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36].

User Metrics - User Metrics are custom metrics available on dashboard Metric cards. These metrics can only be created by users with an Organization role of Organization Administrator. See ThreatConnect Organization Administration Guide for more information.


Variable - Variables can be preconfigured and used to populate certain fields, such as the ThreatConnect API Access ID or Secret Key in Playbooks or app configurations.

Victim Asset - A Victim Asset represents an endpoint used to leverage a Victim and infiltrate a network.

Vulnerability Group - The Vulnerability Group represents a mistake in software that can be directly used by a hacker to gain access to a system or network.


Widget Card - A Widget card is a dashboard card that is predefined and cannot be configured, other than to adjust its size and position on the dashboard.

Workflow  - (1) The Workflow functionality in ThreatConnect enables analysts and their teams to define and operationalize consistent, standardized processes for managing threat intelligence and performing security operations. Analysts and administrators can use Workflow to investigate, track, and collaborate on information related to threats and incidents, all from within one central location in ThreatConnect. (2) A Workflow is a codified procedure for the steps to be taken within a Case. Users and administrators with the requisite permissions may create Workflows from scratch, or they may be copied from a Workflow Template into an Organization.

Workflow Case - A Workflow Case is a single instance of an investigation, inquiry, or other procedure. It contains all required elements of a notable event in a logical structure. Cases can be used to capture key evidence to enable security teams to decide if the Case should be escalated.

Workflow Playbook - A Workflow Playbook is a special type of Playbook that uses a Workflow Trigger, which passes input from within the Workflow process to the rest of the Playbook, which then performs its defined function and returns its output back to the Workflow process.

Workflow Task - A Workflow Task is a step to perform within a Case. Workflow Tasks can be manual (i.e., performed by a user) or automated (i.e., performed by a Workflow Playbook).

Workflow Template - A Workflow Template is a System-level Workflow that is available to be copied into and used in Organizations. ThreatConnect provides a set of Workflow Templates via TC Exchange, and System Administrators may import or install System-level Workflow Templates.

ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
Amazon S3™ is a trademark of Amazon Technologies, Inc.
Apache Kafka® is a registered trademark of The Apache Software Foundation.
ClamAV® and Snort® are registered trademarks of Cisco Systems, Inc.
DomainTools™ and Iris™ are trademarks of DomainTools, LLC.
IBM Resilient Incident Response Platform® is a registered trademark of IBM Corporation.
Jira™ is a trademark of Atlassian Corporation Plc.

Microsoft® is a registered trademark of Microsoft Corporation.
MITRE ATT&CK® and ATT&CK® are registered trademarks, and CybOX™ is a trademark, of The MITRE Corporation
OpenSearch® is a registered trademark of Amazon Web Services.
Security Assertion Markup Language™ and SAML™ are trademarks of OASIS, the open standards consortium where the SAML specification is owned and developed. SAML is a copyrighted © work of OASIS Open. All rights reserved.
ServiceNow® is a registered trademark of ServiceNow, Inc.

Shodan® is a registered trademark of Shodan.
Splunk® is a registered trademark of Splunk, Inc.

VirusTotal™ is a trademark of Google, Inc.

20105-01 v.08.B


Was this article helpful?