Create and copy the link to an Indicator or Group in two clicks
ThreatConnect developed the Playbooks capability to help analysts automate time consuming and repetitive tasks so they can focus on what is most important. And in many cases, to ensure the analysis process can occur consistently and in real time, without human intervention.
Communication is essential for life as we know it. This is why cars have turn signals and referees have whistles. When it comes to securing your organization’s computer systems, it is no different. Communication within your IR team, your organization, and with other researchers is essential for you to be able to fight above your weight class and scale to meet the threats we are facing today.
ThreatConnect facilitates communication by providing posts which let ThreatConnect users ask question, provide answers, and make sure everyone is on the same page. One of the nice features of posts in ThreatConnect is that you can use a simple form of markdown to add links to a comment. These links go directly to the Group or Indicator you are discussing. These playbooks create links which allow you to quickly add links for a Group or Indicator to a comment.
This Playbook is triggered with a User Action Trigger available on the page for all Indicators and Groups. This means that if you want to get the text that will create a link to a Group or Indicator in a comment in ThreatConnect, you can simply click the trigger to start the playbook, click the button to copy the text, and paste that text in a comment!
Setting up these playbooks is easy. The instructions below will walk you through the process of downloading, importing, and using these playbooks.
First, go to https://github.com/ThreatConnect-Inc/threatconnect-playbooks/tree/master/playbooks/comment-link-creators and download the “group comment link creator.pbx” and/or “indicator comment link creator.pbx” files. You can download one or both of them depending on what you would like to be able to create comments for. Now we need to import the playbook(s) into ThreatConnect. To do this, go to the “Playbooks” tab in ThreatConnect and click “New” > “Import” (on ThreatConnect versions before 5.7, you can just click the “Import” button). Then import the either of the playbook files (“group comment link creator.pbx” and/or “indicator comment link creator.pbx“). Because this Playbook works with data already in ThreatConnect, there is no configuration needed. After installing the Playbook, you are ready to turn it on and run it!
Using the App
To use the app, select a Group or Indicator from the browse screen. On the page for the Group or Indicator, there should be an entry on the “Playbook Actions” card which says “Create Share Comment Link”. If this is not showing up, make sure you turned the Group/Indicator comment link creator playbooks on.