Indicator Confidence Deprecation
- 29 Oct 2024
- 1 Minute to read
-
Print
-
DarkLight
Indicator Confidence Deprecation
- Updated on 29 Oct 2024
- 1 Minute to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Overview
Indicator confidence deprecation is an automated process that lowers an Indicator’s Confidence Rating over time if the Confidence Rating is not being maintained through updates. When you configure a confidence deprecation rule for a given Indicator type, ThreatConnect will lower the Indicator’s Confidence Rating by a certain amount or percentage if the Confidence Rating has not changed during the specified time interval. If the Indicator’s Confidence Rating drops to 0, ThreatConnect will either do nothing, set the Indicator Status to inactive, or delete the Indicator, depending on how you have configured the rule. Changing the Indicator Status to inactive or deleting the Indicator demonstrates that the Indicator is dormant or that the threat actor may not be using it anymore.
You can create confidence deprecation rules at the System, Organization, and Community/Source levels. System deprecation rules apply to all newly created owners of the type(s) (Organization, Community, and/or Source) specified in the configuration on the ThreatConnect instance. They can also be applied as templates when creating deprecation rules for existing Organizations ,Communities, and Sources. Organization and Community/Source deprecation rules apply only to the owner for which they are configured. Confidence deprecation rules configured for an Organization will not be applied to Communities and Sources that belong to the Organization. If you want your Organization’s confidence deprecation rules to apply to Communities and Sources that belong to the Organization, you must create the rules in each Community and Source.
Important
Only one confidence deprecation rule per Indicator type can exist in each owner.
Your title goes here
The only factor that affects Indicator confidence deprecation is Confidence Rating. If the Confidence Rating for an Indicator is not updated within the amount of time configured in the applicable deprecation rule, then the Confidence Rating will be deprecated according to the rule’s configuration.
In This Series
- System Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules that can be used as templates for Organization, Community, and Source deprecation rules or as default Indicator confidence deprecation rules in newly created Organizations, Communities, and/or Sources.
- Organization Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules for an Organization.
- Community and Source Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules for a Community or Source.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20039-01 v.14.A
Was this article helpful?
