Configuring Indicator Confidence Deprecation
  • 18 Oct 2023


Minimum Role: Organization role of Organization Administrator for creating and configuring deprecation rules in an Organization; System role of User and Community role of Editor for creating and configuring deprecation rules in a Community or Source

Prerequisites: Confidence deprecation enabled for an Organization, Community, or Source. See ThreatConnect Account Administration Guide for more information.

Overview

Indicator confidence deprecation lets the Confidence Rating of ThreatConnect® Indicators drop over time, or lets the Indicators be deleted, when the Confidence Rating is not being maintained and updated. It is intended for an Indicator, such as an IP Address, that has not been used for any malicious activity for a certain amount of time. Depending on the confidence deprecation rule, ThreatConnect will drop the Confidence Rating or delete the Indicator, on the assumption that the Indicator is dormant or that the threat actor has ceased using it.

ThreatConnect allows the creation of confidence deprecation rules at the System, Organization, Community, and Source levels. This article covers Organization and Community/Source confidence deprecation rules. See the “Deprecation Rules” section of ThreatConnect Account Administration Guide for more information about System-level confidence deprecation rules.

Note
The only factor that affects Indicator confidence deprecation is Confidence Rating. If the Confidence Rating for an Indicator is not updated within the amount of time configured in the applicable deprecation rule, then the Confidence Rating will be deprecated accordingly.
Note
Indicator confidence deprecation rules apply only to the Organization, Community, or Source for which they are configured. For example, a rule that is configured for a given Organization will not be automatically applied to any Sources that belong to that Organization. Instead, the rule must be created for each Source as well as for the Organization.
Note
You can create only one confidence deprecation rule per Indicator type per owner. Any rule created at the Organization, Community, or Source level will override a System-level deprecation rule for a given Indicator type if a System-level deprecation rule for that Indicator type exists.

Configuring Indicator Confidence Deprecation for an Organization

  1. On the top navigation bar, hover the cursor over Settings and select Org Config. The Attribute Types tab of the Organization Config screen will be displayed.
  2. Click the Deprecation Rules tab. The Deprecation Rules screen will be displayed (Figure 1).

     

  3. Click the + NEW button to create a new deprecation rule, or click Edit to modify an existing deprecation rule. The Create/Edit Deprecation Rule window will be displayed (Figure 2).

     

    • Apply Template: This option will be displayed only if at least one System-level deprecation rule exists in your ThreatConnect instance. Select a System-level deprecation rule to apply as a template. All options in the Create/Edit Deprecation Rule will be configured to match the selected rule, but you may edit each option if desired. Once you edit an existing deprecation rule, the Apply Template dropdown will be grayed out. For more information on System-level deprecation rules, see the “Deprecation Rules” section of ThreatConnect Account Administration Guide.
    • Indicator Type: Select the type of Indicator to which the deprecation rule is to apply.
    • Confidence: Enter the amount by which the Confidence Rating for Indicators of the selected type should decrease if not updated by a ThreatConnect user.
    • Percentage: Select this checkbox to use the value entered in the Confidence box as a percentage instead of a numerical value. For example, if the Confidence is 5 and the Percentage checkbox is cleared, the Confidence Rating will drop by a value of 5 (e.g., from 60 to 55) when it is deprecated. If the Confidence is 5 and the Percentage checkbox is selected, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
    • Action at Minimum: Select the action to take when the Confidence Rating for an Indicator of the selected type drops to 0. Available options include the following:
      • None: Select this option to take no action when the Confidence Rating for an Indicator of the selected type drops to 0.
      • Set Inactive: Select this option to set the status of an Indicator of the selected type to inactive when its Confidence Rating drops to 0. When this option is selected, a CAL Status Lock checkbox will be displayed. Select this checkbox to prevent CAL™ from changing the Indicator’s status back to active.
      • Delete: Select this option to delete an Indicator of the selected type when its Confidence Rating drops to 0.
    • Interval: Enter the number of days after which the Confidence Rating should decrease if not updated by a ThreatConnect user (i.e., the number of days after the date when the Indicator was last modified).
    • Recurring: Select this checkbox for the deprecation rule to be applied on a recurring basis instead of just once.
    • Initialize Deprecation from: Select when to initialize the confidence deprecation rule. Available options include the following:
      • Last Modified Date: Select this option to initialize confidence deprecation from the date when Indicators of the selected type were last modified. For existing Indicators, confidence deprecation will occur retroactively from that date.
      • Time of Save: Select this option to initialize confidence deprecation from the time the rule is saved. For existing Indicators, confidence deprecation will occur from that time.
    • Click the SAVE button to create the new deprecation rule or save any changes made to an existing deprecation rule.
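
The following is an added example, not ThreatConnect code: a small model of the rule options above that projects when an Indicator that is never updated would reach 0 under a given rule. The names `DeprecationRule`, `deprecate_once`, and `project` are hypothetical, and rounding percentage results down to a whole number is an assumption (the 60 to 57 example above divides evenly).

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class DeprecationRule:        # hypothetical model of the rule window's options
    confidence: int           # "Confidence": amount to subtract per deprecation
    percentage: bool          # "Percentage": treat confidence as a percent
    interval_days: int        # "Interval": days without an update before a drop
    recurring: bool           # "Recurring": keep dropping every interval
    action_at_minimum: str    # "None", "Set Inactive", or "Delete"

def deprecate_once(rating: int, rule: DeprecationRule) -> int:
    """Apply one deprecation step to a Confidence Rating."""
    if rule.percentage:
        # Assumption: fractional results are rounded down to a whole rating.
        return max(0, rating * (100 - rule.confidence) // 100)
    return max(0, rating - rule.confidence)

def project(rule: DeprecationRule, rating: int, start: date, until: date):
    """Return ([(date, rating), ...], status) for an Indicator never updated
    after `start` (its last modified date, or the time the rule was saved)."""
    timeline, status = [], "Active"
    when = start + timedelta(days=rule.interval_days)
    while when <= until and rating > 0:
        rating = deprecate_once(rating, rule)
        timeline.append((when, rating))
        if rating == 0:
            status = {"Set Inactive": "Inactive",
                      "Delete": "Deleted"}.get(rule.action_at_minimum, "Active")
        if not rule.recurring:
            break  # a non-recurring rule is applied just once
        when += timedelta(days=rule.interval_days)
    return timeline, status

if __name__ == "__main__":
    # Constructed sample: rating 60, last modified 1 Jan 2023, never updated.
    rule = DeprecationRule(5, True, 30, True, "Set Inactive")
    steps, status = project(rule, 60, date(2023, 1, 1), date(2033, 1, 1))
    print(f"first drop: {steps[0]}, reaches 0 on {steps[-1][0]}, status {status}")
```

Under this model, a percentage rule takes many more intervals to reach 0 than a fixed-value rule with the same number, which matters when Action at Minimum is set to Delete.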

Configuring Indicator Confidence Deprecation for a Community or Source

  1. On the top navigation bar, click Posts. The Posts screen will be displayed (Figure 3).

     

  2. Select a Community or Source from the Home dropdown menu at the upper-right corner of the screen or from the Communities or Intelligence Sources menus on the left side of the screen. The Community Profile or Source Profile screen will be displayed. This example uses a Source (Figure 4).

     

  3. Click Community Config or Source Config at the upper-right corner of the Community or Source card. The Attributes Type tab of the Community Config or Source Config screen will be displayed for the selected Community or Source.
  4. Click the Deprecation Rules tab. The Deprecation Rules screen will be displayed (Figure 5).

     

  5. Click the + NEW button to create a new deprecation rule, or click Edit to modify an existing deprecation rule. The Create/Edit Deprecation Rule window will be displayed (Figure 2 for a Source; Figure 6 for a Community). For a Source, configure the deprecation rule as described in Step 3 of the “Configuring Indicator Confidence Deprecation for an Organization” section. For a Community, the Action at Minimum dropdown menu will be grayed out, and the Recurring checkbox will be selected and grayed out so that it may not be cleared (Figure 6). Unlike in Organizations and Sources, Indicators in Communities do not have a single Confidence Rating; rather, each Indicator has a user-assigned Confidence Rating and an overall (Community-wide) Confidence Rating. Therefore, Action at Minimum is disabled because there is no single Confidence Rating to trigger a change in Indicator Status or the deletion of an Indicator.

     


ThreatConnect® is a registered trademark of ThreatConnect, Inc.
 CAL™ is a trademark of ThreatConnect, Inc.

20039-01 v.13.C

