Indicator Status
Default ThreatQ Role: Administrative, Maintenance, or Primary Contributor
Custom Role - Action Permissions: Objects & Context - Individual Object Context & Actions - Status
All Indicators in the system have statuses.
Most exports in ThreatQ are configured to use the Active status to signal deployment to external devices. However, this can be modified, and each status can be used however your organization sees fit.
Default Statuses
The default statuses that ship with a standard installation of ThreatQ are as follows:
| Status | Description |
|---|---|
| Active | Poses a threat and is being exported to detection tools. |
| Indirect | Associated with an active indicator or event (i.e. pDNS). |
| Review | Requires further analysis. |
| Whitelisted | Poses NO risk and should never be deployed. |
| Expired | Indicator has reached its expiration date and is deemed by an analyst to pose less of a threat to their infrastructure than other indicators. |
Custom Statuses
You can create custom statuses for use in your ThreatQ instance. See the Indicator Statuses topic for more details.
Changing the Status of an Individual Indicator
Changing an indicator's status is straightforward, except in the case of whitelisting CIDR Block indicators. Whitelisting a CIDR Block indicator generates a whitelisting rule. See the Whitelisted Indicators topic for more information.
- Locate and click the indicator to open its details page.
- Click the status dropdown menu, and select the desired status.
The status will be updated.
If an Administrator or the Primary Contributor is whitelisting a CIDR Block indicator, there is a different process, as this actually generates a whitelisting rule. For more information, see the Creating a Whitelist Rule section of the Whitelisted Indicators topic.
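To make the effect of these statuses concrete, the following added example (not ThreatQ's own code) models how an export gated on the Active status behaves, and how a whitelisted CIDR Block acts as a rule that suppresses any IP Address indicator inside it; the indicator objects, type names and export-status set are assumptions constructed for illustration.

```python
"""Hypothetical model of status-gated export; not ThreatQ's implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str
    itype: str   # assumed type labels: "IP Address", "CIDR Block", "FQDN"
    status: str  # one of the default statuses described on this page


# Default export gate; an organization may choose a different set.
EXPORT_STATUSES = frozenset({"Active"})


def whitelist_rules(indicators):
    """A Whitelisted CIDR Block behaves as a rule covering every address in it."""
    return [ipaddress.ip_network(i.value, strict=False)
            for i in indicators
            if i.itype == "CIDR Block" and i.status == "Whitelisted"]


def is_whitelisted(ind, rules):
    """True if the indicator itself is Whitelisted or falls inside a CIDR rule."""
    if ind.status == "Whitelisted":
        return True
    if ind.itype == "IP Address":
        addr = ipaddress.ip_address(ind.value)
        return any(addr in net for net in rules)
    return False


def select_for_export(indicators, export_statuses=EXPORT_STATUSES):
    """Return the sorted values that would be deployed to detection tools."""
    rules = whitelist_rules(indicators)
    return sorted(i.value for i in indicators
                  if i.status in export_statuses and not is_whitelisted(i, rules))


# Constructed sample data using documentation address ranges.
SAMPLE = [
    Indicator("198.51.100.7", "IP Address", "Active"),       # exported
    Indicator("203.0.113.0/24", "CIDR Block", "Whitelisted"),  # becomes a rule
    Indicator("203.0.113.9", "IP Address", "Active"),        # suppressed by rule
    Indicator("malicious.example", "FQDN", "Review"),         # awaiting analysis
    Indicator("192.0.2.1", "IP Address", "Expired"),          # no longer deployed
    Indicator("192.0.2.0/24", "CIDR Block", "Indirect"),      # context only
]

if __name__ == "__main__":
    print(select_for_export(SAMPLE))  # ['198.51.100.7']
```

Widening the export gate, e.g. `select_for_export(SAMPLE, {"Active", "Review"})`, shows how a custom status policy changes what reaches external devices while the whitelist rule still applies.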
Changing the Status for Multiple Indicators
You can change the status for multiple indicators using the Bulk Status Change. See the Bulk Actions topic for more information.