
Configuring Indicator Parsing Presets

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative or Maintenance
Custom Role - Action Permissions: Administrative Functions - Edit System Configurations

Users with Maintenance and Administrator roles can configure the default state of the Normalize URL Indicator and Parse for FQDNs checkboxes for the Parse for Indicators option of the Add Indicators dialog box.

Setting these default states does not lock the checkboxes. Users can select and deselect each option when parsing for an indicator in the Parse for Indicators dialog box.

  1. Navigate to Settings > System Configurations.
  2. Click the General tab.

    The General tab loads.

  3. In the Indicator Parsing section, set the following options:

    Option: Normalize URL Indicators
    Description: When checked, parsed URLs will have ports and leading protocol adjusted, as well as unneeded quotes and spaces removed.

    Option: Parse for FQDNs
    Description: When checked, the Indicator Parser will parse FQDNs from the text and derive FQDN indicators from URLs in the text.

      Example (checked):
      URL: https://tqexample.com/table.jspa?query_string_example
      Indicators created:
      • tqexample.com/table.jspa (the URL)
      • tqexample.com (the derived FQDN from the URL)

    When unchecked, the Indicator Parser will not generate FQDN indicators from the parsed text.

      Example (unchecked):
      URL: https://tqexample.com/table.jspa?query_string_example
      Indicator created:
      • tqexample.com/table.jspa (the URL)

  4. Click the Save button.