Intrusion Sets
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Objects, Individual Object Context & Actions
Note: If a user has View Only permission for Sources, system object creation modals default to the user’s login as the object source.
An Intrusion Set is a grouped set of adversarial behaviors and resources, sometimes referred to as an attack package, used to target an individual organization.
Adding an Intrusion Set
- Go to Create > Intrusion Set.
The Add Intrusion Set window is displayed.
- Populate the following fields:
| Field | Description |
| --- | --- |
| Name | Add an intrusion set name. |
| Description | Enter a brief description of the intrusion set. Any description you add during object creation defaults to a Source value of ThreatQ System. |
| Status | Optional field. Click the Status field to assign a status to the intrusion set. Intrusion set statuses are configured in the Object Statuses tab in the Object Management page. If none are configured, this field is not displayed. |
| First Seen/Last Seen | Select the first and last seen dates and times. |
| Point of Contact | Optional field. Click the field to select the ThreatQ display name of the point of contact for the intrusion set. |
| Source | Select a Source from the dropdown list provided. You can also click the Add a New Source option if the desired source is not listed in the drop-down list. If administrators have enabled TLP view settings, you can select a TLP label for the new source in the dropdown list provided. See the Traffic Light Protocol (TLP) topic for more information on TLP schema. |

- Select any Related Objects you need to link to the Intrusion Set. This field is optional.
- Click Add Intrusion Set.
Adding Context
See the About Object Details section and its topics for details on adding context to an object such as adding sources, attributes, and related objects.
Editing an Intrusion Set
- Locate and click on the Intrusion Set.
The Intrusion Set's details page opens.
- Click on Edit next to the Intrusion Set's name.
The Edit Intrusion Set dialog box opens.
- Make the desired change to the Intrusion Set's name and click Save Intrusion Set.
Changing the Point of Contact
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Objects, Individual Object Context & Actions - Point of Contact
- Locate and click the system object.
- From the object details page, click the Point of Contact field.
- Use the field's scroll or search option to locate and select a new user as the object's point of contact or to change the point of contact to Unassigned.
Deleting an Intrusion Set
- Locate and click on the Intrusion Set.
The Intrusion Set's details page opens.
- Click on the Actions menu and select Delete Intrusion Set.
A confirmation dialog box appears.
- Click on Delete Intrusion Set.