# Threat Clusters

* [**go to my Threat Clusters**](https://platform.liberty91.com/disco/threatclusters)

## What is a threat cluster?

Threat Clusters are a logical grouping of [Threat Actors](/the-threat-library/threat-actors.md), [Malware families](/the-threat-library/malware.md), [Vulnerabilities](/the-threat-library/vulnerabilities.md) and/or [Keywords](/the-threat-library/keywords.md). You can find your threat clusters via the [Workbench](broken://spaces/56f9evYVURi6SAGI5JIC/pages/ZV5tojeCmpzTyFnhTt3n#the-workbench) or the [sidebar](broken://spaces/56f9evYVURi6SAGI5JIC/pages/ZV5tojeCmpzTyFnhTt3n#the-sidebar) (you may have to scroll down).

<figure><img src="/files/97oQfpYaIjer0eUHmd63" alt="" width="375"><figcaption><p>Examples of Threat Clusters</p></figcaption></figure>

## How to create a threat cluster card

You can create Threat Clusters by doing one (or more) of the following:

[Broken mention](broken://spaces/56f9evYVURi6SAGI5JIC/pages/JJYcqlEL7OCVzv9hRlNQ#manually-creating-a-cluster)

[Broken mention](broken://spaces/56f9evYVURi6SAGI5JIC/pages/JJYcqlEL7OCVzv9hRlNQ#creating-clusters-with-the-excel-spreadsheet)

[/spaces/56f9evYVURi6SAGI5JIC/pages/JJYcqlEL7OCVzv9hRlNQ#creating-clusters-with-a-.csv-file](https://docs.liberty91.com/the-threat-library/spaces/56f9evYVURi6SAGI5JIC/pages/JJYcqlEL7OCVzv9hRlNQ#creating-clusters-with-a-.csv-file "mention")

[Broken mention](broken://spaces/56f9evYVURi6SAGI5JIC/pages/JJYcqlEL7OCVzv9hRlNQ#creating-threat-clusters-with-the-library-wizard)

## What is on a threat cluster card?

<figure><img src="/files/IAOCCZVta965z2zHQbgU" alt=""><figcaption><p>A typical Threat Cluster in Liberty91</p></figcaption></figure>

A Threat Cluster Card shows you all the events related to all the entities in that cluster. It is then able to do an overarching analysis over all those events, to give you a more strategic-level analysis.

1. The [**criticality**](/what-is-liberty91/key-concepts.md#criticality) you have set for this Threat Cluster
2. The **classification**. This can be Threat (which makes it a Threat Cluster), or Asset, Attack-Surface, Supply Chain, Data, People, Company, Region, Sector or Other (which make it a [Company Cluster](broken://spaces/yQ7t2q3rDqZzaz9D2IXV)). Company Clusters and Threat Clusters are logically the same, they just cover different 'things' as it relates to your security posture. This difference is important for both the AI (it needs to understand how to interpret your assets vs your threats), and to keep the User Interface friendly.
3. &#x20;**Top Threat**: if this cluster is a [Top Threat](/dashboards/top-threats-dashboard.md), this would say 'yes'
4. The **Edit** button, to edit the Cluster
5. **Update Description**. This button is extremely useful. Note how the current description is very boring and generic. By clicking on the 'update description' button, Liberty91 will review and analyze all the events in your cluster, and then do an 'analysis-of-analyses' to provide you with a more strategic level analysis on cluster-level. Consider this updated, custom description

<figure><img src="/files/aRCyYICUBU8iYSEJiBJv" alt=""><figcaption></figcaption></figure>

This was generated with a single click of a button. This is especially useful with evolving threats: if new events have occured since you've last updated the description, simply update it again, and it will consider all those new event. Gone are the days of outdated Threat Cards at vendor portals or in open source.

6. **Delete**. Bored of your Threat Cluster, or its not relevant to you anymore? Simply delete it. This will also delete associated [keywords](/the-threat-library/keywords.md), but will keep the Threat Actors, Malware and Vulnerabilities in your library.
7. **Events**. You can find all related events order chronologically here, complete with relevant tags.
8. **Threat Library Links**. These show all the entities related to your Threat Cluster.

Under your Threat Library Links, you will find an option to bulk-add keywords. Liberty91 works with relatively complex regexes to act as a first filter. Those regexes are based on the keywords you provide. For example: if you have a cluster for 'The Netherlands', then you may want to also monitor for the keyword 'Holland'. Just provide that in the 'bulk add keywords' box to create them, without ever having to type any regex yourself.

<figure><img src="/files/bn8ft8ydWaWhh6FvPA3Q" alt="" width="300"><figcaption><p>In this exampe, 'down under' keywords would be generated in the Australia cluster.</p></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.liberty91.com/the-threat-library/threat-clusters.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.