Create
  • 20 Oct 2022


Minimum Role: Organization role of Standard User (for creating objects); Organization role of Organization Administrator (for enabling Tracks)

Prerequisites: None

Overview

Data can be added to ThreatConnect® in various ways. The quickest method is to create a single Indicator, Group, Track, or Victim via the Create option on the top navigation bar.

Creating an Indicator

Hover the cursor over Create on the top navigation bar and select an Indicator type (Address in this example). The Create window for the selected Indicator type will be displayed (Figure 1).


  • Owner: Select the object’s owner. The selected owner determines the Organization, Community, or Source that will own the created data.
  • Fill out the displayed field(s) for the selected Indicator type. The fields will vary depending on the Indicator type. For example, an Address Indicator will display a field labeled IP Address, whereas a File Indicator will display fields labeled MD5, SHA1, and SHA256.
  • Click the SAVE button to create the Indicator and view its Details screen.

Follow these steps for any other Indicators you want to create.

Creating a Group

  1. Hover the cursor over Create on the top navigation bar and select a Group type (Adversary in this example). The Details section of the Create screen for that Group type will be displayed (Figure 2). The Details section is where you can enter basic information about the Group being created.


    • Type: By default, this field is set to the selected Group type. If desired, select a different Group type. If a new Group type is selected, the Details section will automatically change to the section for that type.
    • Owner: Select the object’s owner. The selected owner determines the Organization, Community, or Source that will own the created data.
    • Summary: Enter a name for the Group.
    • Description: Provide a general description of the Group, such as the types of actors it comprises; tactics, techniques, and procedures (TTPs); etc.
    • Apply Description to Associations: Select this checkbox to apply the Description to the associated Indicators provided in the Associations section.
    • Tags: Enter Tags to apply to the Group.
    • Apply Tags to Associations: Select this checkbox to apply the Tags to the associated Indicators provided in the Associations section.
    • Click the NEXT button.
  2. The Associations section will be displayed (Figure 3). Associations is an optional section where you can upload Indicators of relevant types, associate them to the Group being created, and provide details about the Indicators (i.e., Description, Tags, Threat Rating, and Confidence Rating).


    • Indicator Type: Select an Indicator type from the dropdown menu. Available choices include Unknown - (parsed), File, Email Subject, Hashtag, Mutex, Registry Key, and User Agent. Parsable Indicator types include Address, Email Address, Host, URL, ASN, and CIDR. After you select an Indicator type, the Indicator Type section will change to enable the entry of associated Indicators of the selected type. If you selected Unknown - (parsed), the following options will be displayed:
      • Upload: Upload the file containing the Indicators to be imported and associated to the Group. You can view upload requirements by hovering the cursor over the icon to the right of the Upload heading.
      • Retain Document as attachment: If uploading a file containing Indicators, select this checkbox to create a Document Group that contains the file and associate it to the Group being created.
    • Enter Text: Enter the text to be parsed, and then click the plus button.
      Important
      Indicators included on an Indicator Exclusion List will not be imported or associated to the Group.
    • Associations: This section displays the associated Indicators entered in the Indicator Type section in a table with the following columns:
      • Type: The associated Indicator’s type.
      • Summary: The associated Indicator’s summary.
      • Private: To mark an Indicator as private, select the corresponding checkbox in the Private column. This column will be displayed only if your System Administrator has enabled private Indicators.
      • Known: If an associated Indicator exists in the owner selected in the Details section (Figure 2), a checkmark will be displayed in this column.
      • Actions: To remove an associated Indicator from the list, click the Delete icon in this column.
    • Association Details: In this section, you can fill out the following information for all Indicators being associated to the Group:
      • Description: Enter a description for the associated Indicator(s). If you entered a description for the Group in the Details section (Figure 2) and selected the Apply Description to Associations checkbox, that description will be displayed automatically.
      • Tags: Enter Tags to apply to the associated Indicator(s). If you entered Tags for the Group in the Details section (Figure 2) and selected the Apply Tags to Associations checkbox, those Tags will be displayed automatically.
      • Threat Rating: Use the skull icons to set the Threat Rating for the associated Indicator(s).
      • Confidence Rating: Use the slider to set the Confidence Rating for the associated Indicator(s).
    • Click the NEXT button.
  3. The Attachments section will be displayed (Figure 4). Attachments is an optional section where you can attach related files to the Group.

    • Upload files for which Document Groups will be created and associated to the Group being created, if desired. After each file is uploaded, the filename will be displayed below the upload area, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Click the SAVE button to save the Group and view its Details screen.
  4. Follow Steps 1–3 for any other Groups you want to create. The Associations section (Figure 3) and Attachments section (Figure 4) are the same for all Groups, except that the type of Group and Group icon at the upper-left corner of the screen change based on the type of Group being created. Depending on the Group type selected in Step 1, the Details section may prompt you for additional information:
    • Campaign
      • First Seen: Enter the date when the Campaign was first observed.
    • Document 
      • Upload Document: Use this section to upload the file that the Document Group will represent. After the file is uploaded, the filename will be displayed below the orange malware warning, along with a checkbox labeled Add to Malware Vault. Leave this checkbox cleared unless you are uploading a malware file.
    • Event
      • Status: Select the current status of the Event.
      • Event Date: Enter the date and time when the Event occurred.
    • Incident
      • Status: Select the current status of the Incident.
      • Event Date: Enter the date when the Incident occurred.
    • Report
      • Upload Document: Use this section to upload the Report. Once the Report has been uploaded, the filename will be displayed below the orange warning box.
      • Publish Date: Enter the date on which the Report was published.
    • Task
      • Status: Select the current status of the Task.
      • Reminder Date: Select a date when a reminder about the Task will be sent.
      • Assign To: Select one or more users to whom the Task will be assigned.
      • Due Date: Select a due date for the Task.
      • Escalation Date: Select an escalation date, if desired.
      • Escalate To: Select one or more users to whom the Task will be escalated. If the escalation date is met and the Task has not been completed, the system will assign the Task to the selected user(s).
      • Follow: Select this checkbox to follow the Task (i.e., receive notifications about changes and updates), and then select a Notification Level from the dropdown menu that is displayed.
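The Associations section in Step 2 accepts free text for the parsable Indicator types (Address, Email Address, Host, URL, ASN, and CIDR) and skips anything on an Indicator Exclusion List. The sketch below is an added example, not ThreatConnect's parser: it pre-sorts a block of text into those six types so you can review what would be associated before pasting it. The function names, the exact-match exclusion set, and the accepted ASN notation are assumptions.

```python
import ipaddress
import re

# Assumption: exact-match exclusion entries (constructed sample value).
EXCLUSION_LIST = {"203.0.113.5"}

URL_RE = re.compile(r"^(?:https?|ftp)://\S+$", re.I)
EMAIL_RE = re.compile(r"^[\w.%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ASN_RE = re.compile(r"^ASN?\d{1,10}$", re.I)  # assumed "AS64500"/"ASN64500" notation
HOST_RE = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")

def classify(token):
    """Return the parsable Indicator type for token, or None."""
    if URL_RE.match(token):
        return "URL"
    if EMAIL_RE.match(token):
        return "Email Address"
    if ASN_RE.match(token):
        return "ASN"
    try:
        if "/" in token:
            ipaddress.ip_network(token, strict=False)
            return "CIDR"
        ipaddress.ip_address(token)
        return "Address"
    except ValueError:
        pass
    return "Host" if HOST_RE.match(token) else None

def parse_text(text, exclusions=EXCLUSION_LIST):
    """Return (accepted, excluded) lists of (type, value), de-duplicated."""
    accepted, excluded, seen = [], [], set()
    skip = {e.lower() for e in exclusions}
    for raw in re.split(r"[\s,;]+", text):
        token = raw.strip("\"'()<>[].")
        kind = classify(token)
        if kind is None or token.lower() in seen:
            continue
        seen.add(token.lower())
        (excluded if token.lower() in skip else accepted).append((kind, token))
    return accepted, excluded

# Constructed sample text (documentation address ranges and example domains).
SAMPLE = ("Seen 192.0.2.10 and 198.51.100.0/24; host c2.example.net, "
          "url http://c2.example.net/gate.php, contact ops@example.org, "
          "AS64500, again 192.0.2.10, plus 203.0.113.5.")

if __name__ == "__main__":
    accepted, excluded = parse_text(SAMPLE)
    for kind, value in accepted:
        print(f"{kind:14} {value}")
    print("excluded:", excluded)
```

A bare filename such as `gate.php` would be classified as a Host by this pattern, so review Host results before associating them.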

Creating a Track

Enabling Tracks in an Organization

Before you can create a Track, an Organization Administrator must enable DomainTools™ Reverse Whois Tracking.

  1. On the top navigation bar, hover the cursor over Settings and select Org Settings. The Organizations Settings screen will be displayed.
  2. Click the Settings tab. The Settings screen will be displayed (Figure 5).

  3. Click the ENABLE button in the Reverse Whois section at the top right of the screen. The Setup DomainTools window will be displayed (Figure 6).

  4. Enter the DomainTools User Name and API Key, and then click the SAVE button.
    Note
    The number of Tracks you can create is determined by your agreement with DomainTools.

Creating a New Track

To create a Track, hover the cursor over Create on the top navigation bar and select Track. The Create Reverse Whois Track window will be displayed (Figure 7).


  • Owner: Select the object’s owner. The selected owner determines the Organization, Community, or Source that will own the created data.
  • Name: Enter a name for the Track.
  • Contains/Does Not Contain: Enter terms that the Track should and should not contain.
  • TEST: Use the TEST button to test the Track.
  • Click the SAVE button to create the Track.

Creating a Victim

To create a Victim, hover the cursor over Create on the top navigation bar and select Victim. The Create Victim window will be displayed (Figure 8).


  • Owner: Select the object’s owner. The selected owner determines the Organization, Community, or Source that will own the created data.
  • Name: Enter a name for the Victim.
  • Description: Provide a general description of the Victim, such as why they are a Victim, details about the circumstances that contributed to their being a Victim, or any other noteworthy information.
  • Victim Organization: Enter the name of the Victim’s organization. The default value is the ThreatConnect Organization of the user creating the Victim, but should be changed to the name of the Victim’s organization, which is not necessarily an Organization in ThreatConnect.
  • Sub-Organization: Enter the name of the Victim’s sub-organization (e.g., “IT Department”).
  • Nationality: Enter the nationality of the Victim.
  • Work Location: Enter the work location of the Victim.
  • Click the SAVE button to create the Victim.

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
DomainTools™ is a trademark of DomainTools, LLC.

20003-01 v.13.B

