Indicator confidence deprecation is a great way to allow ThreatConnect® Indicators to drop in Confidence Rating over time if the Confidence Rating is not being maintained and updated. Deprecation is used in the case of an Indicator, such as an IP Address, that is no longer being used for any malicious activity for a certain amount of time. ThreatConnect will drop the Confidence Rating, assuming that the Indicator is dormant or that the threat actor has ceased using it. Deprecation rules can be created and configured to customize the terms for which the Confidence Rating of a particular Indicator type will be deprecated within a selected Organization, Community, or Source.
NOTE: The only factor that affects Indicator confidence deprecation is Confidence Rating. If the Confidence Rating for an Indicator is not updated within the amount of time configured in the applicable deprecation rule, then the Confidence Rating will be deprecated accordingly.
NOTE: Indicator confidence deprecation rules apply only to the Organization, Community, or Source for which they are configured. For example, a rule that is configured for a given Organization will not be automatically applied to any Sources that belong to that Organization. Instead, the rule must be created for each Source as well as for the Organization.
Configuring Indicator Confidence Deprecation for an Organization
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select Org Config from the dropdown menu (Figure 2).
- The Organization Config screen will be displayed with the Attributes Types tab selected (Figure 3).
- Click the Deprecation Rules tab, and the Deprecation Rules screen will be displayed (Figure 4).
- To create a new deprecation rule, click the + NEW button, and the Create/Edit Deprecation Rule window will be displayed (Figure 5).
- Indicator Type: Use the dropdown menu to choose the type of Indicator to which the deprecation rule is to apply.
- Confidence: Use the plus and minus buttons to enter the amount by which the Confidence Rating should decrease if not updated by a ThreatConnect user. The number may also be entered manually.
- Percentage: Check this box to use the value entered in the Confidence box as a percentage instead of a numerical value. For example, if the Confidence is 5 and Percentage is unchecked, the Confidence Rating will drop by a value of 5 (e.g., from 60 to 55) when it is deprecated. If the Confidence is 5 and Percentage is checked, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
- Action at Minimum: Use the dropdown menu to select the action that should be taken when the Confidence Rating of the Indicator drops to 0. The options are None, Set Inactive (see Indicator Status for more information), and Delete.
- Interval: Use the plus and minus buttons to enter the number of days after which the Confidence Rating should decrease if not updated by a ThreatConnect user. The number may also be entered manually.
- Recurring: Check this box for the deprecation rule to be applied on a recurring basis instead of just once.
Configuring Indicator Confidence Deprecation for a Community or Source
- On the top navigation bar (Figure 1), click Posts. The Posts screen will be displayed (Figure 6).
- From the HOME dropdown menu, or from the Communities or Intelligence Sources menu on the left-hand side of the page, select a Community or Source, and the Community Profile or Source Profile screen will be displayed. This example uses a Source (Figure 7).
- Click on the Config icon, and the Config screen will be displayed for the Community or Source with the Attribute Types tab selected (Figure 8).
- Click the Deprecation Rules tab, and the Deprecation Rules screen will be displayed (Figure 9).
- To create a new deprecation rule, click the + NEW button, and the Create/Edit Deprecation Rule window will be displayed (Figure 5). Configure the new deprecation rule as described previously in this article for Organizations.
NOTE: For a Community, the Action at Minimum dropdown menu will not be available, and the Recurring checkbox will be checked and grayed out so that it may not be unchecked (Figure 10). Unlike in Organizations and Sources, Indicators in Communities do not have a single Confidence Rating; rather, each Indicator has a user-assigned Confidence Rating and an overall (Community-wide) Confidence Rating. Therefore, Action at Minimum is disabled because there is no single Confidence Rating to trigger a change in Indicator Status or deletion of an Indicator.
NOTE: For an Indicator in a Community, the Last Modified field displayed on the Details drawer and the Overview tab of the Details screen for the Indicator is not updated when the Indicator is deprecated.