- Updated on 23 Jan 2024
- 5 Minutes to read
Indicator Status categorizes Indicators in ThreatConnect® as being in one of two states:
- Active: The Indicator is considered to be an Indicator of Compromise (IOC) at the current time and should be treated in accordance with its ThreatAssess score.
- Inactive: The Indicator is not currently considered an IOC, but is being kept in ThreatConnect for historical accuracy rather than being deleted.
Note: Inactive Indicators are not returned via API queries made against ThreatConnect.
Knowledge of whether an Indicator is active or not allows ThreatConnect users to make more informed analytical choices and helps prevent them from wasting time and resources on Indicators that do not have any recent activity or are outdated. Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active or inactive and whether the status was set by ThreatConnect (i.e., any user in the ThreatConnect instance) or by CAL™.
Before You Start
Viewing and Setting Indicator Status for Existing Indicators
- On the top navigation bar, hover the cursor over Browse and select Indicators to display all Indicators, or select an Indicator type (Host in this example) to display all Indicators of that type.
- Click on an entry to display its Details drawer (Figure 1).
- The Indicator Status is provided at the upper-right corner of the drawer. Figure 1 shows the Details drawer for an active Indicator whose status was set by ThreatConnect, as indicated by the status icon and the Status set by text, respectively.
The following elements in an Indicator’s Details drawer identify whether the Indicator is active or inactive and whether its status was set by ThreatConnect or CAL:
- Orange circle with checkmark: The Indicator is active.
- Orange circle with minus sign: The Indicator is inactive.
- Status set by (ThreatConnect logo): The status was set by ThreatConnect (i.e., by a user with permissions to change Indicator Status on your ThreatConnect instance).
- Status set by (CAL logo): The status was set by CAL.
Note: If an Indicator Status has not been set for an Indicator, then no status information will be displayed at the upper-right corner of its Details drawer.
- Click the Details icon at the upper-right corner of the drawer, or hover over the Indicator’s entry in the table and click the Details icon that is displayed on the right side of its Summary cell, to display the Overview tab of the Details screen for the Indicator (Figure 2).
- Indicator Status is displayed at the upper right of the screen: Active or Inactive. To change the status, click the … menu in the upper-right corner and select Change Status to Inactive or Change Status to Active if an administrator has enabled this functionality for your Organization.
- The source of the status is displayed next to the Indicator Status: Status set by with the ThreatConnect logo (i.e., by a user with permissions to change Indicator Status on your ThreatConnect instance) or Status set by with the CAL logo.
- To disallow or allow CAL to change the Indicator Status, click the … menu in the upper-right corner and select Enable CAL Status Lock or Disable CAL Status Lock, respectively. See the next section, “CAL and Indicator Status,” for more information.
- To configure Indicator Status on the legacy Details screen for an Indicator, click the Revert to Legacy View button at the upper-right corner of the new Details screen (Figure 2). The Overview tab of the legacy Details screen will be displayed (Figure 3).
- Active: Indicator Status is shown via the Active checkbox at the upper right of the screen, which can be selected (to set the status to active) or cleared (to set the status to inactive) by users if an administrator has enabled this functionality for your Organization.
- ThreatConnect or CAL Logo: The logo to the right of the Active checkbox indicates whether the status was set by ThreatConnect or CAL.
- CAL Status Lock: Select this checkbox to prevent CAL from being able to change the Indicator Status. See the next section, “CAL and Indicator Status,” for more information.
CAL and Indicator Status
ThreatConnect users may wish to leverage CAL analytics by having CAL set Indicator Status for Indicators on their instance. CAL Status Lock can be used on a per-Indicator basis when users want to override CAL’s recommendation for particular Indicators. If CAL Status Lock is not enabled for a given Indicator, ThreatConnect users can still set that Indicator’s status, but if CAL generates updated information for that Indicator, it will change the Indicator’s status accordingly.
Setting Indicator Status During Indicator Import
- When importing Indicators via a structured Indicator import, set Indicator Status by creating an Active column in the comma-separated values (CSV) file. Each Indicator will be imported with its individual status as indicated by the value provided in the Active column for that Indicator. Possible values for data in the Active column include:
- 0 or false: Sets Indicator Status to inactive (applies to both new and existing Indicators).
- 1 or true: Sets Indicator Status to active (applies to both new and existing Indicators).
- Blank (no value provided): Sets Indicator Status to active for new Indicators and leaves Indicator Status unchanged for existing Indicators.
If no Active column is provided in the CSV file, all new Indicators will be imported as active and the status for all existing Indicators will be left unchanged.
When importing Indicators via an unstructured Indicator import, Indicator Status is set on the Optional Data tab of the Import Indicators - Unstructured screen (Figure 4).
- Active: Select this checkbox to set the Indicator Status as active.
- Update Existing Status: Select this checkbox to change the status of any imported Indicators that already exist in ThreatConnect to the status provided during the unstructured import. To retain the original (pre-import) status of any imported Indicators that already exist in ThreatConnect, leave this checkbox cleared.
Note: The Indicator Status set during an unstructured import is the same for all imported Indicators. Unlike in a structured import, there is no way to set the status for individual Indicators in an unstructured import.
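The status rules for both import paths above (the per-row Active column in a structured CSV import, and the single Active / Update Existing Status pair in an unstructured import) are easy to get wrong when preparing an import file, especially the difference between a blank Active value and a missing Active column. The following is an added example, not ThreatConnect's own code, that models those rules so an analyst can check what a given CSV would do to existing statuses before uploading it. It assumes a CSV header named Summary for the Indicator value (the column name is an assumption; only the Active column is named on this page), treats Active values case-insensitively, and represents the instance's existing Indicators as a simple dictionary of summary to active flag, all of which is constructed sample data.

```python
import csv
import io

# Constructed sample of what already exists on the instance (assumption: summary -> is_active).
EXISTING = {
    "evil.example": True,
    "old.example": False,
    "keep.example": True,
}

# Constructed sample CSV for a structured import. "Summary" is an assumed header name;
# "Active" is the column described on the page.
SAMPLE_CSV = (
    "Summary,Active\n"
    "evil.example,0\n"        # existing, explicitly set inactive
    "old.example,true\n"      # existing, explicitly set active
    "new1.example,\n"         # new, blank -> active
    "keep.example,\n"         # existing, blank -> unchanged
    "new2.example,false\n"    # new, explicitly inactive
)


def parse_active_value(raw):
    """Map an Active cell to True (active), False (inactive) or None (blank).

    0/false -> inactive, 1/true -> active; anything else is rejected so a typo
    in the file fails loudly instead of silently importing as the wrong status.
    """
    if raw is None:
        return None
    value = raw.strip().lower()
    if value == "":
        return None
    if value in ("0", "false"):
        return False
    if value in ("1", "true"):
        return True
    raise ValueError(f"unrecognized Active value: {raw!r}")


def apply_structured_import(existing, csv_text):
    """Return the status map that a structured (CSV) import would produce.

    - No Active column: new Indicators become active, existing ones are untouched.
    - Active column present: 0/false and 1/true apply to new and existing alike;
      a blank cell means active for new Indicators and unchanged for existing ones.
    """
    result = dict(existing)
    reader = csv.DictReader(io.StringIO(csv_text))
    has_active_column = "Active" in (reader.fieldnames or [])
    for row in reader:
        summary = row["Summary"].strip()
        is_new = summary not in result
        if not has_active_column:
            if is_new:
                result[summary] = True
            continue
        status = parse_active_value(row.get("Active"))
        if status is None:
            if is_new:
                result[summary] = True
        else:
            result[summary] = status
    return result


def apply_unstructured_import(existing, summaries, active, update_existing):
    """Return the status map that an unstructured import would produce.

    Every imported Indicator gets the same status (the Active checkbox);
    existing Indicators change only when Update Existing Status is selected.
    """
    result = dict(existing)
    for summary in summaries:
        if summary not in result or update_existing:
            result[summary] = active
    return result


def demo():
    """Run the constructed CSV against the constructed instance state."""
    return apply_structured_import(EXISTING, SAMPLE_CSV)


if __name__ == "__main__":
    for summary, is_active in sorted(demo().items()):
        print(f"{summary:15} {'active' if is_active else 'inactive'}")
```

Running the module prints the post-import status of each Indicator in the constructed sample; changing the header line to drop the Active column shows the second rule (all new Indicators active, existing statuses untouched), and a misspelled value such as `fasle` raises rather than importing as active.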
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.