Indicator Confidence Deprecation is a great way to allow ThreatConnect® Indicators to drop in Confidence Rating over time if the Confidence Rating is not being maintained and updated. Deprecation is used in the case of an Indicator, such as an IP Address, that is no longer being used for any malicious activity for a certain amount of time. ThreatConnect will drop the Confidence Rating, assuming that the Indicator is dormant or that the threat actor has ceased using it.
NOTE: The only factor that affects Indicator Confidence Deprecation is Confidence Rating. If the Confidence Rating for an Indicator is not updated within the amount of time configured in the applicable Deprecation Rule, then the Confidence Rating will be deprecated accordingly.
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select ORG CONFIG from the dropdown menu (Figure 2).
- The Organization Config screen will appear (Figure 3).
- Click the Deprecation Rules tab, and the Deprecation Rules screen will appear (Figure 4).
- To create a new Deprecation Rule, click the + NEW button, and the Create/Edit Deprecation Rule pop-up screen will appear (Figure 5).
- Indicator Type: Use the dropdown menu to choose the type of Indicator to which the Deprecation Rule is to apply.
- Confidence: Use the plus and minus buttons to enter the amount by which the Confidence Rating should decrease if not updated by a ThreatConnect user. The number may also be entered manually.
- Percentage: Check this box to use the value entered in the Confidence box as a percentage instead of a numerical value. For example, if the Confidence is 5 and Percentage is unchecked, the Confidence Rating will drop by a value of 5 (e.g., from 60 to 55) when it is deprecated. If the Confidence is 5 and Percentage is checked, the Confidence Rating will drop by 5% (e.g., from 60 to 57).
- Action at Minimum: Use the dropdown menu to select the action that should be taken when the Confidence Rating of the Indicator drops to 0. The options are None, Set Inactive (see Indicator Status for more information), and Delete.
- Interval: Use the plus and minus buttons to enter the number of days after which the Confidence Rating should decrease if not updated by a ThreatConnect user. The number may also be entered manually.
- Recurring: Check this box for the Deprecation Rule to be applied on a recurring basis instead of just once.