ThreatQ Statuses Transcript

1
00:00:10.366 --> 00:00:20.333
The Indicator Statuses tab, located under the Object Management page, allows you to view, add, edit, and delete available system-wide indicator statuses.

2
00:00:21.766 --> 00:00:27.566
To access the Indicator Statuses tab, click on the settings gear icon and select Object Management.

3
00:00:29.033 --> 00:00:33.833
The Object Management page will load with the Indicator Statuses tab selected by default.

4
00:00:34.966 --> 00:00:43.100
The tab will display the statuses available, a description for the status, and whether the Protect from Feed Override option is enabled.

5
00:00:43.566 --> 00:00:49.066
Enabling this option for a status prevents feeds from automatically updating the indicator's status.

6
00:00:50.900 --> 00:00:53.966
You can also view the number of indicators assigned to a status.

7
00:00:56.800 --> 00:01:00.200
The ThreatQ platform provides the following default statuses.

8
00:01:00.966 --> 00:01:03.500
These statuses cannot be edited or deleted.

9
00:01:04.833 --> 00:01:09.566
Active - the indicator poses a threat and is being exported to detection tools.

10
00:01:10.666 --> 00:01:14.166
Expired - the indicator no longer poses a serious threat.

11
00:01:14.733 --> 00:01:17.933
Review - the indicator requires further analysis.

12
00:01:18.500 --> 00:01:22.600
Watchlist - the indicator poses NO risk and should never be deployed.

13
00:01:23.266 --> 00:01:27.833
And Indirect - the indicator is associated with an active indicator or event.

14
00:01:28.766 --> 00:01:35.000
When you set up a default status of Indirect, the system assigns this status to indicators in the following scenarios:

15
00:01:36.000 --> 00:01:40.133
A status or status_id field is not provided for the parent object.

16
00:01:41.133 --> 00:01:46.500
A status or status ID is not provided for the additional indicator relations of the object.

17
00:01:47.133 --> 00:01:53.466
The JSON request body includes duplicate indicators and one of the duplicates has a default status ID.

18
00:01:53.866 --> 00:01:59.866
If none of the duplicates has a default status ID, the system uses the status ID of the last duplicate.

19
00:02:00.966 --> 00:02:03.966
You can add a new status by clicking on the Add New Status button.

20
00:02:05.100 --> 00:02:09.366
Enter a Status Name and description when prompted and then click on Add Status.

21
00:02:12.966 --> 00:02:17.000
The status will be created and will now be available for use in the ThreatQ platform.

22
00:02:18.100 --> 00:02:22.033
You can also enable the Protect from Feed Override option for the new status.

23
00:02:22.900 --> 00:02:30.500
Once again, you cannot edit system default statuses, but you can edit custom statuses that you and other analysts have created.

24
00:02:31.433 --> 00:02:35.566
Those statuses will have an edit link located to the far right of the status row.

25
00:02:36.800 --> 00:02:39.066
To edit a custom status, click on the edit link.

26
00:02:40.700 --> 00:02:44.700
Update the Status Name and/or description and click Save Changes.

27
00:02:49.133 --> 00:02:55.866
Similar to the edit status option, you cannot delete system default statuses, but you can delete custom statuses.

28
00:02:57.166 --> 00:03:02.400
Additionally, custom statuses cannot be deleted if they are currently assigned to system indicators.

29
00:03:04.300 --> 00:03:10.666
Select the checkbox next to the status to delete and click on the red trash icon located next to the Add New Status button.

30
00:03:11.333 --> 00:03:13.933
Click on Delete Statuses to confirm deletion.

31
00:03:16.033 --> 00:03:19.166
There are several ways to set and update indicator statuses.

32
00:03:20.200 --> 00:03:25.033
You can manually change an individual indicator's status from its object details page.

33
00:03:25.966 --> 00:03:30.533
Click on the Status dropdown, located at the top right of the page, and select a new status.

34
00:03:31.766 --> 00:03:35.733
You can perform a bulk action to update the status for a set of indicators.

35
00:03:36.766 --> 00:03:40.100
Navigate to the Threat Library and perform an advanced search.

36
00:03:41.433 --> 00:03:46.000
Click on the Actions button and select All Indicators under the Bulk Changes heading.

38
00:03:55.066 --> 00:03:59.366
The system will notify you that the job has been queued and when it has completed the process.

39
00:04:01.966 --> 00:04:05.833
You can set default statuses for indicators ingested by installed feeds.

40
00:04:07.000 --> 00:04:10.200
Navigate to the feed's details page under the Integrations tab.

41
00:04:11.466 --> 00:04:15.300
The default status can be set under the Configuration tab for the feed.

42
00:04:17.733 --> 00:04:22.000
You can also assign a default status when parsing imported files for indicators.

43
00:04:42.366 --> 00:04:45.900
See the ThreatQ Help Center for more information on indicator statuses.