Organization Indicator Confidence Deprecation

Overview

Each Organization Indicator confidence deprecation rule applies to Indicators of the specified type in the Organization. System Indicator confidence deprecation rules that are configured as default deprecation rules for newly created Organizations will be automatically created and saved on the Deprecation Rules tab of the Organization Config screen for the Organization.

Confidence deprecation rules configured for an Organization will not be applied to Communities and Sources that belong to the Organization. If you want your Organization’s confidence deprecation rules to apply to Communities and Sources that belong to the Organization, you must create the rules in each Community and Source.

Before You Start

User Roles

• To view confidence deprecation rules in your home Organization, you can have any user role.
• To view confidence deprecation rules in any Organization on your ThreatConnect instance, you must have a System role of Administrator, Operations Administrator, or Super User.
• To create and configure confidence deprecation rules in your home Organization, you must have an Organization role of Organization Administrator.
• To create and configure confidence deprecation rules in any Organization on your ThreatConnect instance, you must have a System role of Administrator, Operations Administrator, or Super User and an Organization role of Organization Administrator.

Prerequisites

• To be able to create and configure confidence deprecation rules in an Organization, edit the Organization on the Organizations tab of the Account Settings screen and select the Enable Automated Confidence Deprecation checkbox in the Permissions tab of the Organization Information window (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action).

Viewing Organization Confidence Deprecation Rules

Follow these steps to view the Indicator confidence deprecation rules in an Organization:

1. Hover over Settingson the top navigation bar and select Org Config.
2. Select the Deprecation Rules tab on the Organization Configscreen. All Indicator confidence deprecation rules in your home Organization will be displayed in a table with the following columns (Figure 1):
   Note

   If you have a System role of Administrator, Operations Administrator, or Super User, you can use the selector to the right of the Organization Config header to view this screen for any Organization on your ThreatConnect instance.
   

    

   • Indicator Type: The Indicator type to which the deprecation rule applies.
   • Interval: The number of days after which an Indicator’s Confidence Rating should decrease if it has not been updated.
   • Amount: The amount by which an Indicator’s Confidence Rating should decrease if it has not been updated during the specified interval.
   • Percentage: If this checkbox is selected, the specified amount should be applied as a percentage of an Indicator’s Confidence Rating (e.g., if the amount is 2, then the Indicator’s Confidence Rating will be decreased by 2% after the specified interval). If this checkbox is cleared, the specified amount should be applied directly (e.g., if the amount is 2, then the Indicator’s Confidence Rating will be decreased by 2 points after the specified interval).
   • Recurring: If this checkbox is selected, the deprecation rule will be applied on a recurring basis. If this checkbox is cleared, the deprecation rule will be applied only once.
   • Action at Minimum: The value in this column specifies the action that will be taken if an Indicator’s Confidence Rating drops to 0.
   • Options: Use the options in this column to edit or delete a deprecation rule.

Creating Organization Confidence Deprecation Rules

Follow these steps to create and configure an Indicator confidence deprecation rule in an Organization:

1. Hover over Settingson the top navigation bar and select Org Config.
2. Select the Deprecation Rules tab on the Organization Configscreen (Figure 1).
   Note

   If you have a System role of Administrator, Operations Administrator, or Super User, you can use the selector to the right of the Organization Config header to select a different Organization if desired.
3. Click + NEW at the top left of the Deprecation Rules screen.
4. Fill out the fields on the Create/Edit Deprecation Rule window (Figure 2) as follows:

    

   • Apply Template: (Optional) This dropdown will be displayed if at least one System Indicator confidence deprecation rule exists in your ThreatConnect instance. Select a System Indicator confidence deprecation rule to apply as a template. All parameters in the Create/Edit Deprecation Rule will be configured to match the selected rule, but you may edit each option if desired.
     Note

     This dropdown is available only for new deprecation rules. It is not available if you are editing an existing deprecation rule.
   • Indicator Type: Select the Indicator type to which the deprecation rule will apply.
   • Confidence: Enter the amount by which the Confidence Rating for Indicators of the selected type should decrease if they have not been updated during the specified Interval.
   • Percentage: (Optional) Select this checkbox to use the Confidence parameter as a percentage instead of a numerical value. For example, if the Confidence parameter is 5 and the Percentage checkbox is cleared, the Confidence Rating will drop by 5 points (e.g., from 60 to 55) when it is deprecated. If the Confidence parameter is 5 and the Percentagecheckbox is selected, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
     Note

     When a percentage corresponds to a fractional number of points, the final result will be rounded to the nearest whole number. For example, a Confidence Rating of 35 being deprecated by 4% (1.4 points) will be calculated as 33.6 and then rounded up to 34. If that value is the same as the original Confidence Rating, then the value will be decreased by 1. For example, a Confidence Rating of 2 being deprecated by 2% (0.04 points) will be calculated as 1.96 and then finalized as 1.
   • Action at Minimum: Select one of the following actions to take when the Confidence Rating for an Indicator of the selected type drops to 0:
     • None: Select this option to take no action when the Confidence Rating for an Indicator of the selected type drops to 0.
     • Set Inactive: Select this option to set the status of an Indicator of the selected type to inactive when its Confidence Rating drops to 0. When this option is selected, a CAL Status Lock checkbox will be displayed. Select this checkbox to prevent CAL™ from changing the Indicator’s status back to active at any point.
     • Delete: Select this option to delete an Indicator of the selected type from the Organization when its Confidence Rating drops to 0.
   • Interval: Enter the number of days after which the Confidence Rating should decrease if it has not been updated.
   • Recurring: (Optional) Select this checkbox for the deprecation rule to be applied on a recurring basis instead of just once.
   • Initialize Deprecation from: Select one of the following initialization points for the deprecation rule:
     • Last Modified Date: Select this option to initialize confidence deprecation from the date when each Indicator of the selected type was last modified. For each existing Indicator, confidence deprecation will occur retroactively from its “last modified” date.
     • Time of Save: Select this option to initialize confidence deprecation from the time the rule is saved. For all existing Indicators, confidence deprecation will occur from that time.
5. Click SAVE on the Create/Edit Deprecation Rule window to save the deprecation rule.

ThreatConnect^® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.

20039-03 v.14.A