Configuring Indicator Confidence Deprecation
- Updated on 18 Oct 2023
Minimum Role: Organization role of Organization Administrator for creating and configuring deprecation rules in an Organization; System role of User and Community role of Editor for creating and configuring deprecation rules in a Community or Source
Prerequisites: Confidence deprecation enabled for an Organization, Community, or Source. See ThreatConnect Account Administration Guide for more information.
Overview
Indicator confidence deprecation allows the Confidence Rating of ThreatConnect® Indicators to drop over time, or the Indicators to be deleted, if the Confidence Rating is not being maintained and updated. It is intended for an Indicator, such as an IP Address, that has not been used for any malicious activity for a certain amount of time. Depending on the confidence deprecation rule, ThreatConnect will drop the Confidence Rating or delete the Indicator, assuming that the Indicator is dormant or that the threat actor has ceased using it. ThreatConnect allows the creation of confidence deprecation rules at the System, Organization, Community, and Source levels. This article covers Organization and Community/Source confidence deprecation rules. See the “Deprecation Rules” section of ThreatConnect Account Administration Guide for more information about System-level confidence deprecation rules.
Configuring Indicator Confidence Deprecation for an Organization
- On the top navigation bar, hover the cursor over Settings and select Org Config. The Attribute Types tab of the Organization Config screen will be displayed.
- Click the Deprecation Rules tab. The Deprecation Rules screen will be displayed (Figure 1).
- Click the + NEW button to create a new deprecation rule, or click Edit to modify an existing deprecation rule. The Create/Edit Deprecation Rule window will be displayed (Figure 2).
  - Apply Template: This option will be displayed only if at least one System-level deprecation rule exists in your ThreatConnect instance. Select a System-level deprecation rule to apply as a template. All options in the Create/Edit Deprecation Rule window will be configured to match the selected rule, but you may edit each option if desired. Once you edit an existing deprecation rule, the Apply Template dropdown will be grayed out. For more information on System-level deprecation rules, see the “Deprecation Rules” section of ThreatConnect Account Administration Guide.
  - Indicator Type: Select the type of Indicator to which the deprecation rule is to apply.
  - Confidence: Enter the amount by which the Confidence Rating for Indicators of the selected type should decrease if not updated by a ThreatConnect user.
  - Percentage: Select this checkbox to use the value entered in the Confidence box as a percentage instead of a numerical value. For example, if the Confidence is 5 and the Percentage checkbox is cleared, the Confidence Rating will drop by a value of 5 (e.g., from 60 to 55) when it is deprecated. If the Confidence is 5 and the Percentage checkbox is selected, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
  - Action at Minimum: Select the action to take when the Confidence Rating for an Indicator of the selected type drops to 0. Available options include the following:
    - None: Select this option to take no action when the Confidence Rating for an Indicator of the selected type drops to 0.
    - Set Inactive: Select this option to set the status of an Indicator of the selected type to inactive when its Confidence Rating drops to 0. When this option is selected, a CAL Status Lock checkbox will be displayed. Select this checkbox to prevent CAL™ from changing the Indicator’s status back to active.
    - Delete: Select this option to delete an Indicator of the selected type when its Confidence Rating drops to 0.
  - Interval: Enter the number of days after which the Confidence Rating should decrease if not updated by a ThreatConnect user (i.e., the number of days after the date when the Indicator was last modified).
  - Recurring: Select this checkbox for the deprecation rule to be applied on a recurring basis instead of just once.
  - Initialize Deprecation from: Select when to initialize the confidence deprecation rule. Available options include the following:
    - Last Modified Date: Select this option to initialize confidence deprecation from the date when Indicators of the selected type were last modified. For existing Indicators, confidence deprecation will occur retroactively from that date.
    - Time of Save: Select this option to initialize confidence deprecation from the time the rule is saved. For existing Indicators, confidence deprecation will occur from that time.
- Click the SAVE button to create the new deprecation rule or save any changes made to an existing deprecation rule.
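The following dry-run sketch is an added example, not ThreatConnect code and not part of the original article. It models the rule fields described above to preview what a proposed rule would do to existing Indicators before it is saved, contrasting the two Initialize Deprecation from options. Assumptions: one drop per full elapsed Interval, the percentage is taken from the current rating, and ratings are rounded to whole numbers; all class, function, and Indicator values are constructed for illustration.

```python
from dataclasses import dataclass, replace
from datetime import date

@dataclass(frozen=True)
class Rule:
    """Fields of the Create/Edit Deprecation Rule window (names are this example's own)."""
    confidence: float        # Confidence: amount to drop per application
    percentage: bool         # Percentage checkbox
    interval_days: int       # Interval
    recurring: bool          # Recurring checkbox
    action_at_minimum: str   # "None", "Set Inactive" or "Delete"
    init_from: str           # "Last Modified Date" or "Time of Save"

def preview(rule, rating, last_modified, saved_on, today):
    """Project one Indicator's (rating, action) as of `today` under `rule`."""
    # Assumption: the clock starts at the last-modified date, or at the save
    # time when that option is chosen and the Indicator is older than the rule.
    start = last_modified
    if rule.init_from == "Time of Save":
        start = max(saved_on, last_modified)
    # Assumption: one drop per full elapsed Interval; a single drop if not recurring.
    steps = max(0, (today - start).days) // rule.interval_days
    if not rule.recurring:
        steps = min(steps, 1)
    new = rating
    for _ in range(steps):
        drop = new * rule.confidence / 100 if rule.percentage else rule.confidence
        new = max(0, round(new - drop))  # assumption: whole-number ratings, floor of 0
    # Action at Minimum fires only when the rating actually drops to 0.
    action = rule.action_at_minimum if rating > 0 and new == 0 else "None"
    return new, action

def dry_run(rule, indicators, saved_on, today):
    """Return {summary: (rating, action)} for every Indicator the rule would change."""
    out = {}
    for summary, rating, last_modified in indicators:
        result = preview(rule, rating, last_modified, saved_on, today)
        if result != (rating, "None"):
            out[summary] = result
    return out

# Constructed sample Indicators: (summary, Confidence Rating, last modified).
SAMPLE = [("203.0.113.7", 60, date(2023, 1, 10)),
          ("198.51.100.23", 10, date(2022, 6, 1)),
          ("192.0.2.44", 20, date(2023, 10, 1))]
SAVED = date(2023, 10, 18)
RETRO = Rule(5, False, 30, True, "Delete", "Last Modified Date")
AT_SAVE = replace(RETRO, init_from="Time of Save")

if __name__ == "__main__":
    print("Last Modified Date:", dry_run(RETRO, SAMPLE, SAVED, SAVED))
    print("Time of Save:      ", dry_run(AT_SAVE, SAMPLE, SAVED, SAVED))
```

Under these assumptions and constructed values, the Last Modified Date option lowers one Indicator and marks the oldest one for deletion on the day the rule is saved, while Time of Save changes nothing until a full Interval has passed.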
Configuring Indicator Confidence Deprecation for a Community or Source
- On the top navigation bar, click Posts. The Posts screen will be displayed (Figure 3).
- Select a Community or Source from the Home dropdown menu at the upper-right corner of the screen or from the Communities or Intelligence Sources menus on the left side of the screen. The Community Profile or Source Profile screen will be displayed. This example uses a Source (Figure 4).
- Click Community Config or Source Config at the upper-right corner of the Community or Source card. The Attribute Types tab of the Community Config or Source Config screen will be displayed for the selected Community or Source.
- Click the Deprecation Rules tab. The Deprecation Rules screen will be displayed (Figure 5).
- Click the + NEW button to create a new deprecation rule, or click Edit to modify an existing deprecation rule. The Create/Edit Deprecation Rule window will be displayed (Figure 2 for a Source; Figure 6 for a Community). For a Source, configure the deprecation rule as described in Step 3 of the “Configuring Indicator Confidence Deprecation for an Organization” section. For a Community, the Action at Minimum dropdown menu will be grayed out, and the Recurring checkbox will be selected and grayed out so that it may not be cleared (Figure 6). Unlike in Organizations and Sources, Indicators in Communities do not have a single Confidence Rating; rather, each Indicator has a user-assigned Confidence Rating and an overall (Community-wide) Confidence Rating. Therefore, Action at Minimum is disabled because there is no single Confidence Rating to trigger a change in Indicator Status or the deletion of an Indicator.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
CAL™ is a trademark of ThreatConnect, Inc.
20039-01 v.13.C