The settings page for TC Exchange™ has a Feeds tab that lists all feeds available to an instance of ThreatConnect®. System Administrators can use the metrics provided for the feeds, including a report card for each feed, to determine which feeds they want to provide to their ThreatConnect instance. The metrics are derived from information gathered from ThreatConnect’s Collective Analytics Layer (CAL™). For more information about CAL, see ThreatAssess and CAL.
NOTE: Report cards are available only for select feeds on which CAL gathers data. CAL does not currently gather data on premium feeds, custom feeds, and certain open-source feeds, so report cards for these feeds are not provided.
NOTE: CAL must be enabled in two places in order to get report card data. First, it must be enabled in System Settings. (See the ThreatConnect System Administration Guide for more information.) Second, the System Organization must be given permission to enable CAL data. To do so, navigate to the Account Settings screen, click the pencil icon for the System Organization, click the Permissions tab of the Organization Information window, and ensure that the box for Enable CAL Data is checked.
- Log in with a System Administrator account.
- On the top navigation bar (Figure 1), hover the cursor over the Settings icon and select TC Exchange Settings from the dropdown menu (Figure 2).
- The TC Exchange Settings screen will be displayed (Figure 3).
- Click the Feeds tab, and the Feeds screen will be displayed (Figure 4).
NOTE: System Administrators can still choose to manage their own feeds. However, this tab allows feed ingestion to be set up with a single click and produces historical data curated by the ThreatConnect Research team.
- In addition to the Active column, which contains a slider by which feeds are activated and deactivated, each feed has six columns that provide information and metrics about the data provided by the feed:
  - Name: This column provides the name of the feed.
  - Description: This column provides a description of the feed.
  - Reliability Rating: This column provides a letter grade indicating how reliable the feed is, from F (worst) to A+ (best). It is derived from the number of false positives found in the feed, among other things, and is a measure of how likely a feed is to yield large numbers of negatively impactful false positives.
  - Unique Indicators: This column provides the percentage of Indicators in this feed that are unique (i.e., that are not also found in other feeds on which CAL gathers data). For example, a score of 28% means that 28% of the Indicators in the feed are not found in other feeds (and, consequently, that 72% of the Indicators appear in other feeds).
  - Daily Indicators: This column provides an estimate of the number of Indicators the feed pulls in per day.
  - Report Card: Hovering the cursor over the report card icon displays a graphic showing the metrics from the other columns and how they compare with aggregated metrics from other feeds. See the next section, “Report Card,” for more information.
Figure 5 shows the report card for the Malware Domain Blocklist feed.
The top right-hand side of the report card provides a list of Common Classifiers from CAL that apply to the feed.
The six bullet charts provide data on the following metrics:
- Reliability Rating: This metric is the same as the Reliability Rating on the Feeds screen.
- Unique Indicators: This metric is the same as Unique Indicators on the Feeds screen.
- First Reported: This metric is a measure of how often a feed is the first feed to report a particular Indicator when that Indicator is observed in other feeds as well.
- Scoring Disposition: Like ThreatAssess (see ThreatAssess and CAL), CAL produces a score for each Indicator that measures how dangerous the Indicator is, on a scale of 0 (benign) to 1000 (very dangerous). The Scoring Disposition metric is a weighted average of the CAL scores for the Indicators in the feed.
- Classifier Coverage: This metric indicates the percentage of Indicators in the feed that have at least one Classifier applied by CAL’s analytics. It is a measure of how well existing analytics can qualitatively understand the data from the feed.
- Indicator Status Coverage: This metric indicates the percentage of Indicators in the feed that have a definitive Indicator Status set by CAL. It is a measure of how conclusively CAL’s analytics can provide quantitative statements about the data from the feed.
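The Unique Indicators and First Reported definitions can be made concrete with a small calculation over overlapping feeds. This is an added example, not ThreatConnect or CAL code: the feed data is constructed, and the case-folding step and the tie rule (a feed counts as first only when it is strictly earlier than every other feed) are assumptions, since the page does not say how CAL handles either.

```python
from datetime import date

# Constructed sample data: feed name -> {indicator: date first seen in that feed}.
FEEDS = {
    "feed-a": {"evil.example": date(2024, 1, 1), "bad.example": date(2024, 1, 3),
               "Only-A.example": date(2024, 1, 2), "198.51.100.7": date(2024, 1, 5)},
    "feed-b": {"EVIL.example": date(2024, 1, 2), "bad.example": date(2024, 1, 1)},
    "feed-c": {"evil.example": date(2024, 1, 4), "only-c.example": date(2024, 1, 1)},
}

def normalize(feed):
    """Case-fold indicators (assumption) so one domain in mixed case counts once."""
    out = {}
    for ind, seen in feed.items():
        key = ind.strip().lower()
        out[key] = min(seen, out.get(key, seen))  # keep the earliest sighting
    return out

def unique_pct(feeds, name):
    """Percent of a feed's indicators that appear in no other feed."""
    norm = {n: normalize(f) for n, f in feeds.items()}
    mine = norm[name]
    if not mine:
        return None  # an empty feed has no meaningful percentage
    others = set().union(*(f.keys() for n, f in norm.items() if n != name))
    return 100.0 * len(mine.keys() - others) / len(mine)

def first_reported_pct(feeds, name):
    """Of the indicators shared with other feeds, percent this feed reported first."""
    norm = {n: normalize(f) for n, f in feeds.items()}
    shared = first = 0
    for ind, seen in norm[name].items():
        other_dates = [f[ind] for n, f in norm.items() if n != name and ind in f]
        if other_dates:
            shared += 1
            first += seen < min(other_dates)  # strictly earlier (assumed tie rule)
    return 100.0 * first / shared if shared else None  # None: nothing is shared

if __name__ == "__main__":
    for feed_name in FEEDS:
        print(feed_name, unique_pct(FEEDS, feed_name), first_reported_pct(FEEDS, feed_name))
```

A feed can score well on one metric and poorly on the other: in the sample, feed-c is half unique but is never first on the indicators it shares.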
The bullet charts use four visual elements to put the data for the feed in context with the other feeds:
- Horizontal Black Line: The horizontal black line represents the value of the metric for the particular feed. For example, in Figure 5, for Unique Indicators, the black line represents a value of 44%, where the left side of the chart is a value of 0% and the right side of the chart is a value of 100%.
- Vertical Orange Line: The vertical orange line represents the target value of the metric across all feeds. The target value is computed by CAL and ThreatConnect analysts to help determine which feeds have the most impact. In this example, the 44% value for Unique Indicators for the Malware Domain Blocklist is well below the target value of this metric across all feeds, indicating that, on average, this feed provides fewer unique Indicators than other feeds do.
- Colored Bands: The red, yellow, and green bands represent algorithmically derived segments of quality, where red is a “bad” range, yellow is a “medium” range, and green is a “good” range. For the Malware Domain Blocklist, its Unique Indicators value, at 44%, falls in the “bad” range, while its First Reported value, at 92%, falls in the “good” range.
- Value: The value for each metric is given to the right of the bullet chart.
The Daily Indicators graph, which appears below the four bullet charts, is a sparkline depiction of the number of Indicators the feed is bringing in per day over the last 30 days. The value to the right of the graph indicates the total number of Indicators in the feed added in the last 30 days. Hovering the cursor over the graph will display the number of Indicators pulled in for the day represented by that area of the graph (Figure 6).
CAL™ and TC Exchange™ are trademarks of ThreatConnect, Inc.