Liberty91

Threat Entities.

Last updated 14 Jun 20263 min read

A Threat Entity is a Threat Actor, a piece of malware, or a vulnerability that you track in your Threat Library. Building a library of the entities that matter to you means the relevant reporting, aliases, and analysis are gathered and kept current in one place, so you can track an actor or campaign over time and report on it in minutes. Collections, which group entities together, are covered in Collections.

The three entity types

Liberty91 works with three types of Threat Entity: Threat Actors, malware, and vulnerabilities. Each is useful when you are responsible for tracking a particular actor, a malware family, or a vulnerability, because the platform gathers every relevant report from all your sources into one card and keeps it current.

How to create a Threat Entity

You can create a Threat Entity in three ways:

  • From an Event where the entity is mentioned, by clicking it under Suggestions.
  • From an enrichment, where an IOC association surfaces the entity.
  • Directly in your Threat Library.

To create one by hand, go to your Threat Library in the sidebar, click Threat Actors, Malware, or Vulnerabilities, then click Create New and give it a name. The overview also lists everything you have created before, each with a short note on the latest development.

When you create a Threat Entity, Liberty91 finds all the relevant reporting, captures the aliases, and generates a comprehensive description.

Aliases

The platform captures aliases automatically and tracks them under one card. If you track APT35 as Charming Kitten, for example, both names live on the same Threat Card, one as the primary name and one as an alias, so you never have to switch between cards for the same actor.

Criticality and Top Threats

Set a criticality to tell the platform how much of a priority the entity is to you. Criticality runs from baseline to emergency, defaults to medium, and you can move it up or down. It also determines how related Events are handled and where they appear on the Critical Threats dashboard.

Mark an entity as a Top Threat to add it to the Top Threats dashboard, a management view that shows the latest development on each of the handful of threats you care about most. A CISO or SOC manager often keeps this on a screen as a single overview of the current state of threat.

The Threat Entity page

The page opens with the name and aliases, then the description.

Description

The description usually opens with a Latest Developments paragraph that explains what has changed since the previous description was generated, followed by a Description, a Timeline, TTPs, and IOCs. Click Update Description to generate a fresh one from the latest reporting when the current description has gone stale. Liberty91 needs at least one linked event to generate a description.

On the right you see every Threat Entity this one is linked to. A Threat Actor can be linked to the malware it uses, a vulnerability it exploits, or a Collection it belongs to. Liberty91 sets these links, and you can add or remove them by hand.

Linked events and reporting

At the bottom, under the description, you find every linked event, along with the other entities linked to each. To report, click Report on Selected, choose the events you want to include, then pick one or more Organizations (each report is tailored to its organization), select the chapters to include, and optionally set a specific Intelligence Requirement to focus the report on a particular angle. See Report on a Threat Entity or requirement.

Frequently asked questions

What types of Threat Entity can I track?

Three: Threat Actors, malware, and vulnerabilities. Collections, which group entities together, are covered separately.

Why does Liberty91 need at least one linked event?

Descriptions are generated from linked reporting, so a Threat Entity needs at least one linked event before Liberty91 can write or refresh its description.

Was this page helpful?
← PreviousThreat EventsNext →Collections