Current ThreatQ Version Filter
 

TTPs

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Objects, Individual Object Context & Actions

Note: If a user has View Only permission for Sources, system object creation modals default to the user’s login as the object source.

TTP, which stands for tactics, techniques, and procedures, describes how an intruder may attempt to access your system.   

Use the steps below to create, edit and delete a TTP.  

Adding a TTP

  1. Go to Create > TTP.
    The Add TTP dialog box opens.
    Add TTP dialog box
  2. Populate the following fields:
    Field  Description
    Name Add a TTP name.
    Description Enter a brief description of the TTP.

    Any description you add during object creation defaults to a Source value of ThreatQ System.
    Status Optional field.  Click the Status field to assign a status to the TTP. 

    TTP statuses are configured in the Object Statuses tab in the  Object Management page.  If none are configured, this field is not displayed.
    Point of Contact Optional field. Click the field to select the ThreatQ display name of the point of contact for the TTP.
    Source Select a Source from the dropdown list provided.
    You can also click the Add a New Source option if the desired source is not listed in the drop-down list. If administrators have enabled TLP view settings, you can select a TLP label for the new source in the dropdown list provided. See the Traffic Light Protocol (TLP) topic for more information on TLP schema.
  3. Select any Related Objects you need to link to the TTP. This field is optional.
  4. Click Add TTP.

Adding Context

See the About Object Details section and its topics for details on adding context to an object such as adding sources, attributes, and related objects.

Editing a TTP

  1. Locate and click on the TTP.

    The TTP's detail page opens.

    TTP Details page

  2. Click on Edit next to the TTP's name.

    The Edit TTP dialog box opens.

    Edit TTP dialog box

  3. Make the desired change to the TTP name and click Save TTP.

Changing the Point of Contact

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Objects, Individual Object Context & Actions - Point of Contact

  1. Locate and click the system object.
  2. From the object details page, click the Point of Contact field.
  3. Use the field's scroll or search option to locate and select a new user as the object's point of contact or to change the point of contact to Unassigned.

Deleting a TTP

  1. Locate and click on the TTP.

    The TTP's details page opens.

    TTP Details page

  2. Click on the Actions menu and select Delete TTP.

    A confirmation dialog box appears.

    Deletion Confirmation dialog box

  3. Click on Delete TTP.