Indicator Status

Overview

Indicator Status categorizes Indicators in ThreatConnect^® as being in one of two states:

• Active: The Indicator is considered to be an Indicator of Compromise (IOC) at the current time and should be treated in accordance with its ThreatAssess score.
• Inactive: The Indicator is not currently considered an IOC, but is being kept in ThreatConnect for historical accuracy rather than being deleted.
  Note

  Inactive Indicators are not included in responses for requests to the ThreatConnect API.

Knowledge of whether an Indicator is active or not lets you make more informed analytical choices and helps prevent you from wasting time and resources on Indicators that do not have any recent activity or are outdated. Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active or inactive and whether the status was set locally (i.e., by a user with permission to change Indicator Status on your ThreatConnect instance) or by CAL™.

Before You Start

User Roles

• To view Indicator Status for Indicators in an Organization, your user account can have any Organization role.
• To view Indicator Status for Indicators in a Community or Source, your user account can have any Community role except Banned for that Community or Source.
• To modify Indicator Status for Indicators in an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To modify Indicator Status for Indicators in a Community or Source, your user account must have a Community role of Editor or Director for that Community or Source.

Prerequisites

• To be able to modify Indicator Status for Indicators in an Organization or a Community or Source that the Organization owns, turn on the ability to change Indicator Status for the Organization on the Account Settings screen (must be an Accounts, Operations, or System Administrator to perform this action).

Viewing Indicator Status

Indicator Status is available on an Indicator’s Details drawer and Details screen.

Details Drawer

You can view Indicator Status at the top right of an Indicator’s Details drawer (Figure 1).

On the Details drawer, the following elements identify an Indicator’s status and whether the status was set locally or by CAL:

• Active: The Indicator is active.
• Inactive: This Indicator is inactive.
• Status set by: The status was set by CAL.
• Status set locally: The status was set by a user with permission to change Indicator Status on your ThreatConnect instance.

Details Screen

You can view Indicator Status in the header of an Indicator’s Details screen (Figure 2).

On the Details screen, the following elements identify an Indicator’s status and whether the status was set locally or by CAL:

• Active: The Indicator is active.
• Inactive: This Indicator is inactive.
• Status set by: The status was set by CAL.
• Status set locally: The status was set by a user with permission to change Indicator Status on your ThreatConnect instance.

Legacy Details Screen

You can view Indicator Status in the Indicator Status section of the legacy Details screen (Figure 3).

On the legacy Details screen, the following elements identify an Indicator’s status and whether the status was set locally or by CAL:

• Active: If the Active checkbox is selected, then the Indicator is active. If the Active checkbox is cleared, then the Indicator is inactive.
• : If the ThreatConnect logo is displayed to the right of the Active checkbox, then the status was set locally (i.e., by a user with permission to change Indicator Status on your ThreatConnect instance).
• : If the CAL logo is displayed to the right of the Active checkbox, then the status was set by CAL.

Setting Indicator Status

If the ability to change Indicator Status has been turned on for your Organization, you can update the status of existing Indicators on the Details screen. In addition, you can set the status for new and existing Indicators during an Indicator import.

Details Screen

Follow these steps to manage an Indicator’s status on the Details screen:

1. Navigate to the Details screen for an Indicator.
2. Click the ⋯ menu at the top right of the Details screen and select one of the following options:
   • Change Status to Active: If viewing an Indicator whose status is inactive, select Change Status to Active to set the Indicator’s status to active.
   • Change Status to Inactive: If viewing an Indicator whose status is active, select Change Status to Inactive to set the Indicator’s status to inactive.

Legacy Details Screen

Follow these steps to manage an Indicator’s status on the legacy Details screen:

1. Navigate to the legacy Details screen for an Indicator.
2. Select or clear the Active checkbox in the Indicator Status section at the top right of the screen to set the Indicator’s status to active or inactive, respectively.

Indicator Import

Structured Import

When importing Indicators via a structured Indicator import, set Indicator Status by creating an Active column in the comma-separated values (CSV) file. Each Indicator will be imported with its individual status as indicated by the value provided in the Active column for that Indicator. Possible values for data in the Active column include:

• 0 or false: Sets Indicator Status to inactive (applies to both new and existing Indicators).
• 1 or true: Sets Indicator Status to active (applies to both new and existing Indicators).
• Blank (no value provided): Sets Indicator Status to active for new Indicators and leaves Indicator Status unchanged for existing Indicators.

If no Active column is provided in the CSV file, all new Indicators will be imported as active and the status for all existing Indicators will be left unchanged.

Unstructured Import

When importing Indicators via an unstructured Indicator import, Indicator Status is set on the Optional Data tab of the Import Indicators - Unstructured screen (Figure 4).

• Active: Select this checkbox to set the Indicator Status as active.
• Update Existing Status: Select this checkbox to change the status of any imported Indicators that already exist in ThreatConnect to the status provided during the unstructured import. To retain the original (pre-import) status of any imported Indicators that already exist in ThreatConnect, leave this checkbox cleared.
  Note

  The Indicator Status set during an unstructured import is the same for all imported Indicators. Unlike in a structured import, there is no way to set the status for individual Indicators in an unstructured import.

Doc Analysis Import

When importing Indicators via a Doc Analysis import, Indicator Status is set on the Optional Data tab of the Import Intel - Doc Analysis screen (Figure 5).

• Active: Select this checkbox to set the Indicator Status as active.
• Update Existing Status: Select this checkbox to change the status of any imported Indicators that already exist in ThreatConnect to the status provided during the Doc Analysis import. To retain the original (pre-import) status of any imported Indicators that already exist in ThreatConnect, leave this checkbox cleared.
  
  Note

  The Indicator Status set during a Doc Analysis import is the same for all imported Indicators. Unlike in a structured import, there is no way to set the status for individual Indicators in an unstructured import.

CAL and Indicator Status

It can be useful to leverage CAL analytics by having CAL set Indicator Status for Indicators in your owners. However, CAL Status Lock can be used on a per-Indicator basis when you want to override CAL’s recommendation for particular Indicators. If CAL Status Lock is turned on for a particular Indicator, the Indicator’s status will retain the value set by you or another user in the Indicator’s owner regardless of the information that CAL has for the Indicator. If CAL Status Lock is not turned on for a given Indicator, you can still set that Indicator’s status, but if CAL generates updated information for the Indicator, it will change the Indicator’s status accordingly.

When determining whether to set an Indicator’s status to active or inactive, CAL takes several factors into account, including the Indicator’s type and specific metadata related to that type; the Indicator’s ThreatAssess score; CAL Classifiers; feed activity; and observations, impressions, and false positive reports for the Indicator over periods of time that vary depending on the Indicator’s type.

If the ability to change Indicator Status has been turned on for your Organization, you can manage CAL Status Lock for existing Indicators on the Details screen.

Details Screen

Follow these steps to manage CAL Status Lock on an Indicator’s Details screen:

1. Navigate to the Details screen for an Indicator.
2. Click the ⋯ menu at the top right of the Details screen and select one of the following options:
   • Disable CAL Status Lock: If CAL Status Lock is turned on for the Indicator, select Disable CAL Status Lock to turn off CAL Status Lock for the Indicator and allow CAL to change the Indicator’s status.
   • Enable CAL Status Lock: If CAL Status Lock is turned off for the Indicator, select Enable CAL Status Lock to turn on CAL Status Lock for the Indicator and prevent CAL from changing the Indicator’s status.

Legacy Details Screen

Follow these steps to manage CAL Status Lock on an Indicator’s legacy Details screen:

1. Navigate to the legacy Details screen for an Indicator.
2. Select or clear the CAL Status Lock checkbox in the Indicator Status section at the top right of the screen to turn on or off CAL Status Lock for the Indicator, respectively.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20074-01 v.05.A