Community and Source Indicator Confidence Deprecation

Overview

Each Community or Source Indicator confidence deprecation rule applies to Indicators of the specified type in the Community or Source, respectively. System Indicator confidence deprecation rules that are configured as default deprecation rules for newly created Communities or Sources will be automatically created and saved on the Deprecation Rules tab of the Community Config screen for the Community or the Source Config screen for the Source.

Confidence deprecation rules configured for an Organization will not be applied to Communities and Sources that belong to the Organization. If you want your Organization’s confidence deprecation rules to apply to Communities and Sources that belong to the Organization, you must create the rules in each Community and Source.

Before You Start

User Roles

• To view confidence deprecation rules in a Community or Source, you must have a System role of Administrator, Operations Administrator, Accounts Administrator, Community Leader, Super User, or User and a Community role of Editor or Director.
• To create and configure confidence deprecation rules in a Community or Source, you must have a System role of Administrator, Operations Administrator, Accounts Administrator, Community Leader, Super User, or User and a Community role of Editor or Director.

Prerequisites

• To be able to create and configure confidence deprecation rules in a Community or Source, edit the Community or Source on the Communities/Sources tab of the Account Settings screen and select the Allow Automated Confidence Deprecation checkbox in the Create Community/Source window (must be a System Administrator or Operations Administrator to perform this action).

Confidence Deprecation in Communities

Unlike Indicators in Organizations and Sources, Indicators in Communities do not have a single Confidence Rating. Instead, each Indicator in a Community has Confidence Ratings set by individual users in the Community and a single overall Confidence Rating that is an average of those values. When Indicator confidence deprecation occurs in a Community, all of the member users’ Confidence Rating values drop by the amount or percentage specified in the deprecation rule for the Indicator type, causing the overall value to drop by the same amount or percentage.

Recurring Indicator confidence deprecation and the ability to have ThreatConnect set an Indicator’s status to inactive or delete the Indicator when the Indicator’s Confidence Rating drops to 0 is not available for Communities, because the various Confidence Ratings across the Community would drop to 0 at different times.

Viewing Community and Source Confidence Deprecation Rules

Follow these steps to view the Indicator confidence deprecation rules in a Community or Source:

1. Click Posts on the top navigation bar.
2. Select a Community from the Communities menu or a Source from the Intelligence Sources menu on the left side of the screen to display the Posts screen for that Community or Source.
3. Click Community Config (or Source Config)at the upper-right corner of the Community (or Source) card (Figure 1). 

    

4. Select the Deprecation Rules tab on the Community Config or Source Config screen. All Indicator confidence deprecation rules in the Community or Source will be displayed in a table with the following columns (Figure 2): 

    

   • Indicator Type: The Indicator type to which the deprecation rule applies.
   • Interval: The number of days after which an Indicator’s Confidence Rating should decrease if it has not been updated.
   • Amount: The amount by which an Indicator’s Confidence Rating should decrease if it has not been updated during the specified interval.
   • Percentage: If this checkbox is selected, the specified amount should be applied as a percentage of an Indicator’s Confidence Rating (e.g., if the amount is 2, then the Indicator’s Confidence Rating will be decreased by 2% after the specified interval). If this checkbox is cleared, the specified amount should be applied directly (e.g., if the amount is 2, then the Indicator’s Confidence Rating will be decreased by 2 points after the specified interval).
   • Recurring: If this checkbox is selected, the deprecation rule will be applied on a recurring basis. If this checkbox is cleared, the deprecation rule will be applied only once.
     Note

     Recurring Indicator confidence deprecation is not available for confidence deprecation rules in a Community, because Indicators in Communities have multiple Confidence Ratings. It is available only for confidence deprecation rules in a Source. When viewing this table for a Community, the values in this column are grayed out and should be disregarded.
   • Action at Minimum: The value in this column specifies the action that will be taken if an Indicator’s Confidence Rating drops to 0.
     Note

     Note: The Action at Minimum functionality is not available for confidence deprecation rules in a Community, because Indicators in Communities have multiple Confidence Ratings. It is available only for confidence deprecation rules in a Source. When viewing this table for a Community, the values in this column are grayed out and should be disregarded.
   • Options: Use the options in this column to edit or delete a deprecation rule.

Creating Community and Source Confidence Deprecation Rules

Follow these steps to create and configure an Indicator confidence deprecation rule in a Community or Source:

1. Click Posts on the top navigation bar.
2. Select a Community from the Communities menu or a Source from the Intelligence Sources menu on the left side of the screen to display the Posts screen for that Community or Source.
3. Click Community Config (or Source Config)at the upper-right corner of the Community (or Source) card (Figure 1).
4. Select the Deprecation Rules tab on the Community Config or Source Config screen (Figure 2).
5. Click + NEW at the top left of the Deprecation Rules screen.
6. Fill out the fields on the Create/Edit Deprecation Rule window (Figure 3) as follows: 

    

   • Apply Template: (Optional) This dropdown will be displayed if at least one System Indicator confidence deprecation rule exists in your ThreatConnect instance. Select a System Indicator confidence deprecation rule to apply as a template. All parameters in the Create/Edit Deprecation Rule will be configured to match the selected rule, but you may edit each option if desired.
     Note

     This dropdown is available only for new deprecation rules. It is not available if you are editing an existing deprecation rule.
   • Indicator Type: Select the Indicator type to which the deprecation rule will apply.
   • Confidence: Enter the amount by which the Confidence Rating for Indicators of the selected type should decrease if they have not been updated during the specified Interval.
   • Percentage: (Optional) Select this checkbox to use the Confidence parameter as a percentage instead of a numerical value. For example, if the Confidence parameter is 5 and the Percentage checkbox is cleared, the Confidence Rating will drop by 5 points (e.g., from 60 to 55) when it is deprecated. If the Confidence parameter is 5 and the Percentagecheckbox is selected, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
     Note

     When a percentage corresponds to a fractional number of points, the final result will be rounded to the nearest whole number. For example, a Confidence Rating of 35 being deprecated by 4% (1.4 points) will be calculated as 33.6 and then rounded up to 34. If that value is the same as the original Confidence Rating, then the value will be decreased by 1. For example, a Confidence Rating of 2 being deprecated by 2% (0.04 points) will be calculated as 1.96 and then finalized as 1.
   • Action at Minimum: Select one of the following actions to take when the Confidence Rating for an Indicator of the selected type drops to 0:
     Note

     The Action at Minimum functionality is not available for confidence deprecation rules in a Community, because Indicators in Communities have multiple Confidence Ratings. It is available only for confidence deprecation rules in a Source. When viewing this window for a Community, this dropdown is grayed out and should be disregarded.
     • None: Select this option to take no action when the Confidence Rating for an Indicator of the selected type drops to 0.
     • Set Inactive: Select this option to set the status of an Indicator of the selected type to inactive when its Confidence Rating drops to 0. When this option is selected, a CAL Status Lock checkbox will be displayed. Select this checkbox to prevent CAL™ from changing the Indicator’s status back to active at any point.
     • Delete: Select this option to delete an Indicator of the selected type from the Organization when its Confidence Rating drops to 0.
   • Interval: Enter the number of days after which the Confidence Rating should decrease if it has not been updated.
   • Recurring: (Optional) Select this checkbox for the deprecation rule to be applied on a recurring basis instead of just once.
     Note

     Recurring Indicator confidence deprecation is not available for confidence deprecation rules in a Community, because Indicators in Communities have multiple Confidence Ratings. It is available only for confidence deprecation rules in a Source. When viewing this window for a Community, this checkbox is selected, but grayed out. This selection does not apply and should be disregarded.
   • Initialize Deprecation from: Select one of the following initialization points for the deprecation rule:
     • Last Modified Date: Select this option to initialize confidence deprecation from the date when each Indicator of the selected type was last modified. For each existing Indicator, confidence deprecation will occur retroactively from its “last modified” date.
     • Time of Save: Select this option to initialize confidence deprecation from the time the rule is saved. For all existing Indicators, confidence deprecation will occur from that time.
7. Click SAVE on the Create/Edit Deprecation Rule window to save the deprecation rule.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20039-04 v.14.A