Creating Indicators
  • 08 Nov 2024



Overview

An Indicator represents an atomic piece of information that has some intelligence value, regardless of where it exists on the ThreatConnect® Diamond Model. Indicators are guaranteed to be unique within an owner. For example, a single Organization can have only one copy of the Email Address Indicator badguy@bad.com.

You can use the Create option on the top navigation bar in ThreatConnect to create individual Indicators in your owners.

Before You Start

User Roles

  • To create Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
  • To create Indicators in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.

Creating an Indicator

Follow these steps to create an Indicator:

  1. Hover over Create on the top navigation bar and select an Indicator type.
  2. On the Create window, select the owner in which to create the Indicator and enter the Indicator’s value(s).
  3. Click SAVE to create the Indicator.
Note
If you try to create an Indicator that already exists in the selected owner, the Details screen for the existing Indicator will open after you click SAVE on the Create window. This is because Indicators exist as unique copies in each owner.

The name and appearance of the Create window depends on the type of Indicator you select from the Create menu. For example, selecting Address from the Create menu will open the Create Address window, which prompts you to enter the IP address for the Address Indicator (Figure 1).

Figure 1: Creating Indicators (the Create Address window)

See the “Available Options When Creating Indicators” section for a list of options available in the Create window for each Indicator type.

Available Options When Creating Indicators

The following subsections describe the options available in the Create window for each Indicator type:

Address

  • IP Address: Enter a valid IPv4 or IPv6 address (e.g., 192.168.0.1). For IPv6, supported representations are standard (e.g., 1762:0:0:0:0:B03:1:AF18), “exploded” standard (e.g., 1762:0000:0000:0000:0000:0B03:0001:AF18), and compressed (e.g., 1762::B03:1:AF18). Mixed notation is not supported (e.g., 1762:0:0:0:0:B03:127.32.67.15).
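The Address rules above can be applied before data reaches the Create window. The following Python is an added example, not ThreatConnect's own code: it uses the standard-library ipaddress module, accepts IPv4 and the three documented IPv6 spellings, rejects mixed notation explicitly (ipaddress would otherwise accept it, as it would a zone identifier such as fe80::1%eth0), and collapses the three IPv6 spellings to one canonical key, which is what makes the per-owner uniqueness rule enforceable. The function names, the dedupe helper, and the sample records are constructed for this example.

```python
from __future__ import annotations

import ipaddress


def classify_address(value: str) -> tuple[str, str]:
    """Validate an Address Indicator value and return (version, canonical form).

    Rules mirrored from the Address section: IPv4, or IPv6 in standard,
    exploded, or compressed notation. Mixed IPv6/IPv4 notation is rejected.
    Raises ValueError for anything that does not fit.
    """
    text = value.strip()
    # Mixed notation (e.g. 1762:0:0:0:0:B03:127.32.67.15) contains both ':'
    # and '.'; ipaddress.ip_address() would accept it, so reject it up front.
    if ":" in text and "." in text:
        raise ValueError(f"mixed IPv6/IPv4 notation is not supported: {value!r}")
    # Zone identifiers (fe80::1%eth0) are accepted by ipaddress on Python 3.9+
    # but are not one of the documented forms.
    if "%" in text:
        raise ValueError(f"zone identifiers are not supported: {value!r}")
    try:
        addr = ipaddress.ip_address(text)
    except ValueError as exc:
        raise ValueError(f"not a valid IP address: {value!r}") from exc
    if addr.version == 4:
        return "ipv4", str(addr)
    # str() yields the compressed (RFC 5952) form; upper-casing keeps the hex
    # style used on the page, so all three spellings map to the same key.
    return "ipv6", str(addr).upper()


def is_valid_address(value: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        classify_address(value)
    except ValueError:
        return False
    return True


def dedupe_by_owner(records: list[tuple[str, str]]) -> dict[tuple[str, str], str]:
    """Keep one entry per (owner, canonical address), mirroring the rule that an
    Indicator is unique within an owner. Returns {(owner, canonical): first raw}."""
    kept: dict[tuple[str, str], str] = {}
    for owner, raw in records:
        _, canonical = classify_address(raw)
        kept.setdefault((owner, canonical), raw)
    return kept


# Constructed sample input: three spellings of one IPv6 address in one owner,
# the same address in a second owner, and one IPv4 address.
SAMPLE_RECORDS = [
    ("Example Org", "1762:0:0:0:0:B03:1:AF18"),
    ("Example Org", "1762:0000:0000:0000:0000:0B03:0001:AF18"),
    ("Example Org", "1762::B03:1:AF18"),
    ("Example Community", "1762::b03:1:af18"),
    ("Example Org", "192.168.0.1"),
]

if __name__ == "__main__":
    for key, raw in dedupe_by_owner(SAMPLE_RECORDS).items():
        print(key, "<-", raw)
    for bad in ("1762:0:0:0:0:B03:127.32.67.15", "999.1.1.1", "fe80::1%eth0"):
        print(bad, "accepted" if is_valid_address(bad) else "rejected")
```

Run on the sample records, the three IPv6 spellings in "Example Org" collapse to a single entry, while the same address in "Example Community" stays separate, which is exactly the per-owner copy behaviour the Note in "Creating an Indicator" describes.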

Email Address

  • E-mail Address: Enter a valid email address (e.g., badguy@bad.com).

File

  • MD5: Enter a valid MD5 file hash (e.g., D852C3D06EF63EA6C6A21B0D1CDF14D4).
  • SHA1: Enter a valid SHA1 file hash (e.g., 3351A8E25E471E4704628E990525CEED1D79791B).
  • SHA256: Enter a valid SHA256 file hash (e.g., 9974B4BEFA2906A6925E786C47651319ED70E3B9FE1F76E25AE0EF81F6555996).
Note
You must provide at least one valid file hash when creating a File Indicator.
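The File rules (each hash a fixed-length hexadecimal string, and at least one of them required) are easy to check before submitting. The Python below is an added example, not ThreatConnect's own code; the function name is constructed, and the expected lengths follow from the digest sizes (MD5 128 bits, SHA1 160 bits, SHA256 256 bits). It also upper-cases accepted values so hashes copied from reports in mixed case compare equal.

```python
from __future__ import annotations

import re

# Digest size in hex characters for each hash type on the Create File window.
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64}
_HEX = re.compile(r"[0-9a-fA-F]+")


def normalize_file_hashes(md5: str = "", sha1: str = "", sha256: str = "") -> dict[str, str]:
    """Validate the hashes supplied for one File Indicator.

    Returns the accepted hashes upper-cased, keyed by type. Raises ValueError
    if a supplied value is malformed or if no hash at all was supplied
    (the window requires at least one).
    """
    accepted: dict[str, str] = {}
    for kind, value in (("md5", md5), ("sha1", sha1), ("sha256", sha256)):
        value = value.strip()
        if not value:
            continue  # empty field: nothing to validate
        if len(value) != HASH_LENGTHS[kind] or not _HEX.fullmatch(value):
            raise ValueError(
                f"{kind} must be {HASH_LENGTHS[kind]} hex characters, got {value!r}"
            )
        accepted[kind] = value.upper()
    if not accepted:
        raise ValueError("at least one valid file hash is required")
    return accepted


def is_valid_file_hash_set(md5: str = "", sha1: str = "", sha256: str = "") -> bool:
    """Boolean wrapper around normalize_file_hashes()."""
    try:
        normalize_file_hashes(md5, sha1, sha256)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The example hashes from this section, entered in lowercase.
    print(normalize_file_hashes(
        md5="d852c3d06ef63ea6c6a21b0d1cdf14d4",
        sha256="9974b4befa2906a6925e786c47651319ed70e3b9fe1f76e25ae0ef81f6555996",
    ))
    print(is_valid_file_hash_set())  # no hash supplied -> False
```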

Host

  • Host Name: Enter a valid hostname or domain (e.g., bad.com).
  • DNS Resolution Active: (Optional) Select the checkbox to turn on DNS resolution tracking for the Indicator.
  • Whois Active: (Optional) Select the checkbox to turn on the WHOIS feature for the Indicator.

URL

  • URL: Enter a valid URL, including protocol (e.g., http://www.bad.com/index.php?id=1). URLs are accepted according to RFC 3986, with a few exceptions: Underscore (_) is an allowed character for the third label (i.e., subdomains); the host section of the authority part must be lowercase; URL encoding is not verified (% is simply an accepted character in the path, query, and fragment); and user information must be removed from the authority part. Accepted schemes are http, https, ftp, and sftp. The host section of the authority part can be a hostname or an IPv4 address.
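The URL rules above amount to a small set of checks on the scheme and the authority part, with the path, query and fragment left alone. The Python below is an added example, not ThreatConnect's own code: it reports every rule a candidate URL breaks, so a feed loader can log why an entry was dropped rather than just that it was. Assumptions made here: "third label" is read as any label left of the registrable domain and TLD (counted from the right), a numeric port after the host is tolerated, and the scheme comparison is case-insensitive (urlsplit lower-cases it). The function names and sample URLs are constructed.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

ACCEPTED_SCHEMES = {"http", "https", "ftp", "sftp"}

# Hostname labels: letters, digits, hyphen (not at either end), max 63 chars.
# The rightmost two labels follow that rule; labels further left (subdomains)
# may additionally contain an underscore, as the URL section allows.
_STRICT_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
_SUBDOMAIN_LABEL = re.compile(r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?")


def _is_ipv4(host: str) -> bool:
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return False
    return True


def url_violations(url: str) -> list[str]:
    """Return the rules a candidate URL Indicator breaks (empty list = accepted)."""
    problems: list[str] = []
    parts = urlsplit(url.strip())
    if parts.scheme not in ACCEPTED_SCHEMES:
        problems.append(f"scheme must be one of {sorted(ACCEPTED_SCHEMES)}, got {parts.scheme!r}")
    netloc = parts.netloc
    if not netloc:
        problems.append("authority part (host) is missing")
        return problems
    if "@" in netloc:
        problems.append("user information must be removed from the authority part")
        netloc = netloc.rsplit("@", 1)[1]  # keep checking the host that remains
    if netloc.startswith("["):
        problems.append("host must be a hostname or IPv4 address, not an IPv6 literal")
        return problems
    host, _, port = netloc.partition(":")
    if port and not port.isdigit():
        problems.append(f"port must be numeric, got {port!r}")
    if host != host.lower():
        problems.append("host must be lowercase")
        host = host.lower()  # keep checking the label structure
    if not _is_ipv4(host):
        for position, label in enumerate(reversed(host.split("."))):
            pattern = _STRICT_LABEL if position < 2 else _SUBDOMAIN_LABEL
            if not pattern.fullmatch(label):
                problems.append(f"invalid hostname label {label!r}")
    # Percent-encoding in path, query and fragment is deliberately not verified:
    # '%' is just an accepted character there.
    return problems


def is_valid_url(url: str) -> bool:
    return not url_violations(url)


# Constructed sample input mixing accepted and rejected forms.
SAMPLE_URLS = [
    "http://www.bad.com/index.php?id=1",   # accepted: the page's own example
    "sftp://my_cdn.bad.com/drop/",         # accepted: underscore in a subdomain label
    "http://10.0.0.1:8080/x%ZZ",           # accepted: IPv4 host, '%' not verified
    "http://WWW.bad.com/",                 # rejected: host not lowercase
    "http://user:pw@bad.com/",             # rejected: user information present
    "gopher://bad.com/",                   # rejected: scheme not accepted
    "http://bad_site.com/",                # rejected: underscore in second-level label
    "http://[2001:db8::1]/",               # rejected: IPv6 literal as host
    "bad.com/index.php",                   # rejected: protocol missing
]

if __name__ == "__main__":
    for candidate in SAMPLE_URLS:
        print(candidate, "->", url_violations(candidate) or "accepted")
```

Because the checks accumulate rather than stop at the first failure, a URL such as http://User@WWW.bad.com/ is reported for both the user information and the uppercase host, which is more useful when cleaning a bulk import.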

ASN

  • AS Number: Enter an autonomous system (AS) number that uniquely identifies each network on the Internet (e.g., ASN204288).

CIDR

  • Block: Enter a block of network IP addresses (e.g., 10.10.1.16/32).

Email Subject

  • Subject: Enter the subject line of an email (e.g., FINAL WARNING: Mailbox Update Notice!!).

Hashtag

  • Hashtag: Enter a hashtag term used in social media (e.g., #apt).

Mutex

  • Mutex: Enter a synchronization primitive used to identify malware files and related malware families (e.g., \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_01).

Registry Key

  • Key Name: Enter a node in a hierarchical database (i.e., key) that contains data critical for the operation of Windows and the applications and services that run on Windows (e.g., HKEY_CURRENT_USER\Software\CurrentVersion\Policies\System).
  • Value Name: (Optional) Enter a registry value associated with the specified registry key (e.g., disabletaskmgr).
  • Value Type: Select the registry value type (e.g., REG_DWORD).

User Agent

  • User Agent String: Enter a characteristic identification string that a software agent uses when operating in a network protocol [e.g., Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0; NP02)].

ThreatConnect® is a registered trademark of ThreatConnect, Inc.

20003-02 v.01.B

