Collections

What are Collections in SnapAttack?

Collections are packages of specially curated research around threat actors, software, vulnerabilities, and MITRE ATT&CK. Intelligence, threats, detections, and attack scripts that have one or more of these tags will be shown as linked content in the collection. Organizations will be able to see their private content if appropriately tagged, but that content will not be visible to other organizations. Organizations may also create their own custom collections around their internal use cases.

For a full walkthrough on how to create/edit a collection, check out our tutorial below.

Common Use Cases

Collections can be utilized throughout your organization:

  • Threat Intelligence: Intelligence teams can use collections for tracking threat actor or campaign activity.
  • Detection Engineering: Detection engineers can use collections to manage various workflows, like a collection of backlogged intelligence or red team threats that need new detections created, or a collection of detections that need tuning.
  • Threat Hunting: Hunters can create hunt plans around specific tradecraft and activity, making it easy to re-run a hunt from the collection in the future.
  • Red Teaming: Red teams can memorialize tradecraft, then collate this information into a collection that detection engineers can use to build on potential detection opportunities.
  • Purple Teaming: Collections can organize red and blue team activity and track which threats have detections and which still need detections created.

Viewing Existing Collections

Collections can be found under the "Research" tab in the navigation. SnapAttack offers curated collections for threat actors, ATT&CK techniques, software (malware/tools), and vulnerabilities, with data provided by MITRE or our partner Mandiant (now part of Google Cloud). You can use the filters on the collections feed to further refine what you're searching for, such as actors targeting your industry or CVEs that are exploited in the wild. Additionally, users can create their own collections, which will remain private to their organization. These appear as general "Collections" in the navigation and in the filters.

Research

Once you have an idea of what content you'd like to include within your own collection, you can either "create" your own collection, "add" to an existing one, or "delete" either specific content or the entire collection altogether.

Creating and Editing Collections

From the Collection feed, you can click the "Create a New Collection" button to create a new collection. New collections can also be created through the "Add to Collection" workflow by specifying a new collection instead of an existing collection.

New Collection

To edit a collection, go to that collection's page and click on the hamburger menu icon. Select "Edit Collection Overview" to make modifications to the collection's title, description, or tags. To edit items inside of a collection, click the "Edit Linked Content" option.

Edit Collection Menu

Managing linked content is done via the transfer table. The right side of the table shows content items currently inside of the collection. To remove one or more of these items, click the checkboxes next to them, then select the "Delete" option from the buttons in the middle. To add items, use the search input to look for specific content items by name, then check the box and select the arrow to move them to the right side. When you are finished, click the "Save" button. The undo and redo buttons in the middle can be used anytime before the updates are saved.

Edit Linked Content in Collection

Add Content to Collection

While you can use the "Edit Linked Content" workflow described above to add content to an existing collection, an easier way of adding items is from the feed or individual content pages.

  • From the feed in card view, you can apply filters to narrow down a list of content items. Then, you can click the hamburger menu and click "Add to Collection".
  • If you need finer grained control, use the hamburger menu to switch the feed to grid view. From there, select specific content items with the checkbox. Then, you can click the hamburger menu and click "Add to Collection" to add only the checked items to the collection.
  • On every content page (intelligence, threats, detections, attack scripts), you can find an "Add to Collection" button in the hamburger menu which will add that item to a collection.

Add to Collection

For curated collections, which cover threat actors, ATT&CK techniques, software (malware/tools), and vulnerabilities, content is automatically added or removed based on its tags. If you own a content item, you can edit the appropriate tags on that item, which in turn will make it appear in the curated collection. Removing the tag will also remove it from the collection. Note that content aliases may also be added and populated by the system (for example, content for COBALTSTRIKE will also be tagged with BEACON).

Deleting a Collection

Sometimes you need to get rid of the whole collection, and that's ok! To do so, navigate to the hamburger menu and select "Delete Collection". You can only delete collections owned by your organization. To view these, you can go to the collections feed and filter by your organization.

Delete Collection