- 29 Oct 2024
- 1 Minute to read
-
Print
-
DarkLight
Indicator Confidence Deprecation
- Updated on 29 Oct 2024
- 1 Minute to read
-
Print
-
DarkLight
Overview
Indicator confidence deprecation is an automated process that lowers an Indicator’s Confidence Rating over time if the Confidence Rating is not being maintained through updates. When you configure a confidence deprecation rule for a given Indicator type, ThreatConnect will lower the Indicator’s Confidence Rating by a certain amount or percentage if the Confidence Rating has not changed during the specified time interval. If the Indicator’s Confidence Rating drops to 0, ThreatConnect will either do nothing, set the Indicator Status to inactive, or delete the Indicator, depending on how you have configured the rule. Changing the Indicator Status to inactive or deleting the Indicator demonstrates that the Indicator is dormant or that the threat actor may not be using it anymore.
You can create confidence deprecation rules at the System, Organization, and Community/Source levels. System deprecation rules apply to all newly created owners of the type(s) (Organization, Community, and/or Source) specified in the configuration on the ThreatConnect instance. They can also be applied as templates when creating deprecation rules for existing Organizations ,Communities, and Sources. Organization and Community/Source deprecation rules apply only to the owner for which they are configured. Confidence deprecation rules configured for an Organization will not be applied to Communities and Sources that belong to the Organization. If you want your Organization’s confidence deprecation rules to apply to Communities and Sources that belong to the Organization, you must create the rules in each Community and Source.
In This Series
- System Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules that can be used as templates for Organization, Community, and Source deprecation rules or as default Indicator confidence deprecation rules in newly created Organizations, Communities, and/or Sources.
- Organization Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules for an Organization.
- Community and Source Indicator Confidence Deprecation: Learn how to view, create, and configure Indicator confidence deprecation rules for a Community or Source.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
20039-01 v.14.A