---
title: "Creating Indicators | ThreatConnect"
slug: "creating-indicators"
description: "This article describes how to create Indicators using the + Create & Import option on the Search: Indicators screen in ThreatConnect."
tags: ["Getting Started"]
updated: 2026-01-11T15:05:07Z
published: 2026-01-11T15:05:07Z
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Indicators

## Overview

An [Indicator](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicators) represents an atomic piece of information that has some intelligence value within the ThreatConnect® [Diamond Model](https://knowledge.threatconnect.com/docs/the-diamond-model). Indicators are unique within an [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect). For example, an Organization can have only one copy of the Host Indicator **bad.com**.

You can create individual Indicators in your ThreatConnect owners using the **+ Create & Import**option on the **[](https://knowledge.threatconnect.com/docs/searching-indicators)** [](https://knowledge.threatconnect.com/docs/searching-indicators)[**Search: Indicators**screen](https://knowledge.threatconnect.com/docs/searching-indicators)[](https://knowledge.threatconnect.com/docs/searching-indicators)**[](https://knowledge.threatconnect.com/docs/searching-indicators)**.

## Before You Start

### User Roles

- To create Indicators in an Organization, your user account must have an [Organization role](https://knowledge.threatconnect.com/docs/organization-roles) of Standard User, Sharing User, Organization Administrator, or App Developer.
- To create Indicators in a Community or Source, your user account must have a [Community role](https://knowledge.threatconnect.com/docs/community-roles) of Contributor, Editor, or Director for that Community or Source.

## Creating an Indicator

Follow these steps to create an Indicator:

1. From the **Search & Create**dropdown on the top navigation bar, select **Indicators**.
2. Click **+ Create & Import**at the upper right of the **Search: Indicators**screen.
3. Select **Create**, and then select an [Indicator type](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model#indicator-types).
4. On the **Create**window, do the following:
  1. Select the [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) in which to create the Indicator.
  2. Enter the Indicator’s value(s).
  3. Click **SAVE**to create the Indicator.NoteEach owner can have only one copy of a given Indicator. If you try to create an Indicator that already exists in the selected owner, the [**Details**screen](https://knowledge.threatconnect.com/docs/the-details-screen) for the existing Indicator will open after you click **SAVE**on the **Create**window.

The name and appearance of the **Create**window depend on the Indicator type you select from the **+ Create & Import**menu. See the [“Available Options When Creating Indicators”](/docs/creating-indicators#available-options-when-creating-indicators) section for a list of options available in the **Create**window for each Indicator type.

### Available Options When Creating Indicators

See Table 1 for a description of each option available in the **Create**window for each Indicator type.

| Field Name | Description | Required? |
| --- | --- | --- |
| Address |
| IP Address | Enter a valid IP address, either IPv4 or IPv6. Example192.168.0.1NoteFor IPv6, ThreatConnect supports standard (e.g., 1762:0:0:0:0:B03:1:AF18), “exploded” standard (e.g., 1762:0000:0000:0000:0000:0B03:0001:AF18), and compressed (e.g., 1762::B03:1:AF18) representations. Mixed notation (e.g., 1762:0:0:0:0:B03:127.32.67.15) is not supported. | Required |
| ASN |
| AS Number | Enter an ASN (Autonomous System Number) that uniquely identifies each network on the Internet. ExampleASN204288 | Required |
| CIDR |
| Block | Enter a block of network IP addresses. Example10.10.1.16/32 | Required |
| Email Address |
| E-mail Address | Enter a valid email address. Examplebadguy@bad.com | Required |
| Email Subject |
| Subject | Enter the subject line of an email. ExampleFINAL WARNING: Mailbox Update Notice!! | Required |
| File |
| MD5 | Enter a valid MD5 file hash. ExampleD852C3D06EF63EA6C6A21B0D1CDF14D4 | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| SHA1 | Enter a valid SHA1 file hash. Example3351A8E25E471E4704628E990525CEED1D79791B | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| SHA256 | Enter a valid SHA256 file hash. Example9974B4BEFA2906A6925E786C47651319ED70E3B9FE1F76E25AE0EF81F6555996 | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| Hashtag |
| Hashtag | Enter a hashtag term used in social media. Example#apt | Required |
| Host |
| Host Name | Enter a valid hostname or domain. Examplebad.com | Required |
| DNS Resolution Active | Select this checkbox to turn on [DNS resolution tracking](https://knowledge.threatconnect.com/docs/dns-resolutions) for the Host Indicator. | Optional |
| Whois Active | Select this checkbox to turn on the [WHOIS feature](https://knowledge.threatconnect.com/docs/whois-registration-information) for the Host Indicator. | Optional |
| Mutex |
| Mutex | Enter a synchronization primitive that can be used to identify malware files and relate malware families. Example\Sessions\1\BaseNamedObjects\Globa\CLR_PerfMon_WrapMutex | Required |
| Registry Key |
| Key Name | Enter a node in a hierarchical database (i.e., key) that contains data critical for the operation of Windows® and the applications and services that run on Windows. ExampleHKEY_CURRENT_USER\Software\CurrentVersion\Policies\System | Required |
| Value Name | Enter a registry value associated with the specified registry key. Exampledisabletaskmgr | Optional |
| Value Type | Select the registry value type. ExampleREG_DWORD | Required |
| URL |
| URL | Enter a valid URL, including protocol. Examplehttp://www.bad.com/index.php?id=1NoteURLs are accepted according to [RFC 3986](https://datatracker.ietf.org/doc/html/rfc3986), with a few exceptions: Underscore (_) is an allowed character for the third label (i.e., subdomains); the host section of the authority part must be lowercase; URL encoding is not verified (% is simply an accepted character in the path, query, and fragment); and user information must be removed from the authority part. Accepted schemes are http, https, ftp, and sftp. The host section of the authority part can be a hostname or an IPv4 address. | Required |
| User Agent |
| User Agent String | Enter a characteristic identification string that a software agent uses when operating in a network protocol. ExampleMozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36. | Required |

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *Windows® is a registered trademark of Microsoft Corporation.*

20003-02 v.01.C