Creating Indicators
- Updated on 11 Jan 2026
Overview
An Indicator represents an atomic piece of information that has some intelligence value within the ThreatConnect® Diamond Model. Indicators are unique within an owner. For example, an Organization can have only one copy of the Host Indicator bad.com.
You can create individual Indicators in your ThreatConnect owners using the + Create & Import option on the Search: Indicators screen.
Before You Start
User Roles
- To create Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To create Indicators in a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.
Creating an Indicator
Follow these steps to create an Indicator:
- From the Search & Create dropdown on the top navigation bar, select Indicators.
- Click + Create & Import at the upper right of the Search: Indicators screen.
- Select Create, and then select an Indicator type.
- On the Create window, do the following:
  - Select the owner in which to create the Indicator.
  - Enter the Indicator’s value(s).
  - Click SAVE to create the Indicator.
Note: Each owner can have only one copy of a given Indicator. If you try to create an Indicator that already exists in the selected owner, the Details screen for the existing Indicator will open after you click SAVE on the Create window.
The name and appearance of the Create window depend on the Indicator type you select from the + Create & Import menu. See the “Available Options When Creating Indicators” section for a list of options available in the Create window for each Indicator type.
Available Options When Creating Indicators
See Table 1 for a description of each option available in the Create window for each Indicator type.
| Field Name | Description | Required? |
|---|---|---|
| Address | | |
| IP Address | Enter a valid IP address, either IPv4 or IPv6. Example: 192.168.0.1. Note: For IPv6, ThreatConnect supports standard (e.g., 1762:0:0:0:0:B03:1:AF18), “exploded” standard (e.g., 1762:0000:0000:0000:0000:0B03:0001:AF18), and compressed (e.g., 1762::B03:1:AF18) representations. Mixed notation (e.g., 1762:0:0:0:0:B03:127.32.67.15) is not supported. | Required |
| ASN | | |
| AS Number | Enter an ASN (Autonomous System Number) that uniquely identifies each network on the Internet. Example: ASN204288 | Required |
| CIDR | | |
| Block | Enter a block of network IP addresses. Example: 10.10.1.16/32 | Required |
| Email Address | | |
| E-mail Address | Enter a valid email address. Example: badguy@bad.com | Required |
| Email Subject | | |
| Subject | Enter the subject line of an email. Example: FINAL WARNING: Mailbox Update Notice!! | Required |
| File | | |
| MD5 | Enter a valid MD5 file hash. Example: D852C3D06EF63EA6C6A21B0D1CDF14D4 | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| SHA1 | Enter a valid SHA1 file hash. Example: 3351A8E25E471E4704628E990525CEED1D79791B | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| SHA256 | Enter a valid SHA256 file hash. Example: 9974B4BEFA2906A6925E786C47651319ED70E3B9FE1F76E25AE0EF81F6555996 | At least one valid file hash (MD5, SHA1, or SHA256) is required |
| Hashtag | | |
| Hashtag | Enter a hashtag term used in social media. Example: #apt | Required |
| Host | | |
| Host Name | Enter a valid hostname or domain. Example: bad.com | Required |
| DNS Resolution Active | Select this checkbox to turn on DNS resolution tracking for the Host Indicator. | Optional |
| Whois Active | Select this checkbox to turn on the WHOIS feature for the Host Indicator. | Optional |
| Mutex | | |
| Mutex | Enter a synchronization primitive that can be used to identify malware files and relate malware families. Example: \Sessions\1\BaseNamedObjects\Globa\CLR_PerfMon_WrapMutex | Required |
| Registry Key | | |
| Key Name | Enter a node in a hierarchical database (i.e., key) that contains data critical for the operation of Windows® and the applications and services that run on Windows. Example: HKEY_CURRENT_USER\Software\CurrentVersion\Policies\System | Required |
| Value Name | Enter a registry value associated with the specified registry key. Example: disabletaskmgr | Optional |
| Value Type | Select the registry value type. Example: REG_DWORD | Required |
| URL | | |
| URL | Enter a valid URL, including protocol. Example: http://www.bad.com/index.php?id=1. Note: URLs are accepted according to RFC 3986, with a few exceptions: Underscore (_) is an allowed character for the third label (i.e., subdomains); the host section of the authority part must be lowercase; URL encoding is not verified (% is simply an accepted character in the path, query, and fragment); and user information must be removed from the authority part. Accepted schemes are http, https, ftp, and sftp. The host section of the authority part can be a hostname or an IPv4 address. | Required |
| User Agent | | |
| User Agent String | Enter a characteristic identification string that a software agent uses when operating in a network protocol. Example: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.95 Safari/537.36. | Required |
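The Address, File, and URL rules in Table 1 can be checked locally before values are entered in the Create window. The Python below is an added example, not ThreatConnect code, and it approximates only the rules stated in the table. The function names are hypothetical, and the hash lengths are the standard digest sizes, which the table does not state.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ACCEPTED_SCHEMES = {"http", "https", "ftp", "sftp"}      # schemes listed in Table 1
HASH_HEX_LENGTH = {"md5": 32, "sha1": 40, "sha256": 64}  # standard digest sizes (assumption: not on the page)

def check_address(value):
    """Return None if acceptable, else the reason (IPv4 or non-mixed IPv6 only)."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "not a valid IPv4 or IPv6 address"
    if ip.version == 6 and "." in value:   # dotted quad inside an IPv6 literal
        return "IPv6 mixed notation is not supported"
    return None

def check_file(md5=None, sha1=None, sha256=None):
    """At least one hash is required; every hash supplied must be well formed."""
    given = {k: v for k, v in {"md5": md5, "sha1": sha1, "sha256": sha256}.items() if v}
    if not given:
        return "at least one of MD5, SHA1, or SHA256 is required"
    for kind, digest in given.items():
        if not re.fullmatch(r"[0-9A-Fa-f]{%d}" % HASH_HEX_LENGTH[kind], digest):
            return f"{kind} must be {HASH_HEX_LENGTH[kind]} hex characters"
    return None

def check_url(value):
    """Apply the scheme, user-information and host rules from the URL note."""
    try:
        parts = urlsplit(value)            # note: urlsplit lowercases the scheme
    except ValueError:
        return "not a parseable URL"
    if parts.scheme not in ACCEPTED_SCHEMES:
        return "scheme must be http, https, ftp, or sftp"
    if "@" in parts.netloc:
        return "user information must be removed from the authority"
    if parts.netloc.startswith("["):       # bracketed IPv6 literal
        return "host must be a hostname or an IPv4 address"
    host = parts.netloc.rsplit(":", 1)[0]  # drop an optional :port
    if not host:
        return "host is missing"
    if host != host.lower():
        return "host must be lowercase"
    return None

if __name__ == "__main__":  # addresses quoted in Table 1's IPv6 note
    for v in ("1762::B03:1:AF18", "1762:0:0:0:0:B03:127.32.67.15"):
        print(v, "->", check_address(v) or "ok")
```

Each function returns `None` for an acceptable value or a short reason string, so a batch can be filtered before any Indicator is created.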
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Windows® is a registered trademark of Microsoft Corporation.
20003-02 v.01.C