- 08 Nov 2024
- 3 Minutes to read
-
Print
-
DarkLight
Creating Indicators
- Updated on 08 Nov 2024
- 3 Minutes to read
-
Print
-
DarkLight
Overview
An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on the ThreatConnect® Diamond Model. Indicators are guaranteed to be unique within an owner. For example, a single Organization can have only one copy of the Email Address Indicator badguy@bad.com.
You can use the Create option on the top navigation bar in ThreatConnect to create individual Indicators in your owners.
Before You Start
User Roles
- To create Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To create Indicators in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.
Creating an Indicator
Follow these steps to create an Indicator:
- Hover over Create on the top navigation bar and select an Indicator type.
- On the Create window, select the owner in which to create the Indicator and enter the Indicator’s value(s).
- Click SAVE to create the Indicator.
The name and appearance of the Create window depends on the type of Indicator you select from the Create menu. For example, selecting Address from the Create menu will open the Create Address window, which prompts you to enter the IP address for the Address Indicator (Figure 1).
See the “Available Options When Creating Indicators” section for a list of options available in the Create window for each Indicator type.
Available Options When Creating Indicators
The follow subsections describe the options available in the Create window for each Indicator type:
Address
- IP Address: Enter a valid IPv4 or IPv6 address (e.g., 192.168.0.1). For IPv6, supported representations are standard (e.g., 1762:0:0:0:0:B03:1:AF18), “exploded” standard (e.g., 1762:0000:0000:0000:0000:0B03:0001:AF18), and compressed (e.g., 1762::B03:1:AF18). Mixed notation is not supported (e.g., 1762:0:0:0:0:B03:127.32.67.15).
Email Address
- E-mail Address: Enter a valid email address (e.g., badguy@bad.com).
File
- MD5: Enter a valid MD5 file hash (e.g., D852C3D06EF63EA6C6A21B0D1CDF14D4).
- SHA1: Enter a valid SHA1 file hash (e.g., 3351A8E25E471E4704628E990525CEED1D79791B).
- SHA256: Enter a valid SHA256 file hash (e.g., 9974B4BEFA2906A6925E786C47651319ED70E3B9FE1F76E25AE0EF81F6555996).
Host
- Host Name: Enter a valid hostname or domain (e.g., bad.com).
- DNS Resolution Active: (Optional) Select the checkbox to turn on DNS resolution tracking for the Indicator.
- Whois Active: (Optional) Select the checkbox to turn on the WHOIS feature for the Indicator.
URL
- URL: Enter a valid URL, including protocol (e.g., http://www.bad.com/index.php?id=1). URLs are accepted according to RFC 3986, with a few exceptions: Underscore (_) is an allowed character for the third label (i.e., subdomains); the host section of the authority part must be lowercase; URL encoding is not verified (% is simply an accepted character in the path, query, and fragment); and user information must be removed from the authority part. Accepted schemes are http, https, ftp, and sftp. The host section of the authority part can be a hostname or an IPv4 address.
ASN
- AS Number: Enter an autonomous system (AS) number that uniquely identifies each network on the Internet (e.g., ASN204288).
CIDR
- Block: Enter a block of network IP addresses (e.g., 10.10.1.16/32).
Email Subject
- Subject: Enter the subject line of an email (e.g., FINAL WARNING: Mailbox Update Notice!!).
Hashtag
- Hashtag: Enter a hashtag term used in social media (e.g., #apt).
Mutex
- Mutex: Enter a synchronization primitive used to identify malware files and related malware families (e.g., \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_01).
Registry Key
- Key Name: Enter a node in a hierarchical database (i.e., key) that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\CurrentVersion\Policies\System).
- Value Name: (Optional) Enter a registry value associated with the specified registry key (e.g., disabletaskmgr).
- Value Type: Select the registry value type (e.g., REG_DWORD).
User Agent
- User Agent String: Enter a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP02)].
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20003-02 v.01.B