Current ThreatQ Version Filter
 

About Indicators

THREATQ REQUIRED PERMISSIONS

Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Objects, Individual Object Context & Actions

Note: If a user has View Only permission for Sources, system object creation modals default to the user’s login as the object source.

An Indicators is information that describes or identifies methods used to defeat security controls, exploit vulnerabilities, and gain unauthorized access to an internal network. Indicators can also describe malicious reconnaissance to gather technical information, malicious cyber command and control, and any other attribute of cyber security whose disclosure is prohibited by law.

Indicators can be scored to allow you to apply weighting using contextual information, such as sources, attributes, and indicator types, as they are added to ThreatQ. You can also set a manual score per indicator.

You can also apply expiration dates to an indicator to when it is determined to pose less of a threat to your infrastructure than other indicators.

Adding an Indicator

  1. Click on Create > Indicator.

    The Add Indicators window is displayed.
    Add Indicators Dialog Box

  2. Enter a value in the Value field.
  3. Select the Type of Indicator.
  4. Select a Source from the provided dropdown list.
    You can also click the Add a New Source option if the desired source is not listed in the drop-down list. If administrators have enabled TLP view settings, you can select a TLP label for the new source in the dropdown list provided. See the Traffic Light Protocol (TLP) topic for more information on TLP schema.
  5. Select a Status for the indicator.
  6. Select any Related Objects you need to link to the indicator. This field is optional.
  7. Click Add Indicator.

Adding Context

See the About Object Details section and its topics for details on adding context to an object such as adding sources, attributes, and related objects.

Editing Indicators

  1. Locate and click on the indicator.

    The Indicator Details page opens.
    Indicator Details Page

  2. Click on Edit next to the Indicator name.

    The Edit Indicator dialog box opens.
    Edit Indicator Dialog box

  3. Make the desired change to the indicator Value and Type.
  4. Click on Save Indicator.

Deleting an Indicator

  1. Locate and click on the Indicator.

    The Indicator Details page opens.
    Actions Menu - Delete Indicator

  2. Click on Delete this Indicator located to the top right of the page.

    A confirmation dialog box appears.
    Delete Indicator Confirmation

  3. Click on Delete Indicator.