Indicator Status

Last Updated: Nov 20, 2019 01:29PM EST
None for viewing Indicator Status. Indicator Status change must be enabled by a System Administrator for users to be able to change Indicator Status.


Indicator Status categorizes Indicators in ThreatConnect® as being in one of two states:

  • Active: The Indicator is considered to be an Indicator of Compromise (IOC) at the current time and should be treated in accordance with its ThreatAssess score.
  • Inactive: The Indicator is not currently considered an IOC, but is being kept in ThreatConnect for historical accuracy rather than being deleted.

    NOTE: Inactive Indicators are not returned via API queries made against ThreatConnect.

Knowledge of whether an Indicator is active or not allows ThreatConnect users to make more informed analytical choices and helps prevent them from wasting time and resources on Indicators that do not have any recent activity or are outdated. Each Indicator in ThreatConnect has a systemwide Indicator Status that provides information on whether the Indicator is active or not and whether the status was set by ThreatConnect (i.e., any user in the ThreatConnect instance) or by ThreatConnect’s Collective Analytics Layer (CAL™). For more information on CAL, see ThreatAssess and CAL.

Viewing and Setting Indicator Status for Existing Indicators

  1. From the top navigation bar (Figure 1), place the cursor over Browse and then over the Indicators option. Click on one of the options (Host Indicator in this example) to display a results table (Figure 2).
  2. Click on one of the entries, and the Details drawer for that entry will be displayed (Figure 3).
  3. The Indicator Status is provided at the top left corner of the drawer. In this example, the orange checkmark  icon denotes that the Indicator is active. The ThreatConnect  icon in the statement after the checkmark denotes that the status has been set by ThreatConnect (i.e., by a user with requisite permissions to change Indicator Status on the user’s ThreatConnect instance).
  4. Figure 4 shows the Details drawer for an inactive Indicator whose status has been set by ThreatConnect. An inactive Indicator Status is denoted by an orange circle with a white line in the center ().
  5. Figure 5 shows the Details drawer for an active Indicator whose status has been set by CAL. The CAL  icon in the statement after the checkmark denotes that the status has been set by CAL.
  6. If an Indicator Status has not been set for an Indicator, then no status information will appear at the top of the drawer.
  7. Click on the Details  icon at the top right corner of the drawer (the Indicator in Figure 3 is used in this example), and the Overview tab of the Details screen will be displayed (Figure 6). Alternatively, hover over the Indicator’s entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
  8. Indicator Status is shown via the Active checkbox at the top right of the screen, which can be checked or unchecked by users if the System Administrator has enabled this functionality. The icon to the right of the Active checkbox indicates whether ThreatConnect or CAL has set the status.
  9. Check the CAL Status Lock box to prevent CAL from being able to change the Indicator Status. See the next section, “CAL and Indicator Status,” for more information.

CAL and Indicator Status

ThreatConnect users may wish to leverage CAL analytics by having CAL set Indicator Status for Indicators on their instance. CAL Status Lock can be used on a per-Indicator basis when users want to override CAL’s recommendation for particular Indicators. If CAL Status Lock is not enabled for a given Indicator, ThreatConnect users can still set that Indicator’s status, but if CAL generates updated information for that Indicator, it will change the Indicator’s status accordingly.

Setting Indicator Status During Indicator Import

Structured Import

When importing Indicators via ThreatConnect’s Structured Indicator Import, set Indicator Status by creating an Active column in the CSV file. Each Indicator will be imported with its own individual status as indicated by the value provided in the Active column for that Indicator. Possible values for data in the Active column are 0 or false (sets Indicator Status to inactive; applies to both new Indicators and existing Indicators), 1 or true (sets Indicator Status to active; applies to both new Indicators and existing Indicators), and blank (no value provided; sets Indicator Status to active for new Indicators and leaves Indicator Status unchanged for existing Indicators). If no column for Indicator Status is provided, then all new Indicators will be imported as active, while the status for all existing Indicators will be left unchanged.

Unstructured Import

When importing Indicators via ThreatConnect’s Unstructured Indicator Import, Indicator Status is set on the Optional Data tab of the Import Indicators - Unstructured screen (Figure 7).

Check the Active box to set the Indicator Status as active. Check the Update Existing Status box to change the status of any imported Indicators that already exist in ThreatConnect to the status provided during the unstructured import. Leave the Update Existing Status box unchecked to retain the original (pre-import) status of any imported Indicators that already exist in ThreatConnect.
NOTE: The Indicator Status set during an unstructured import is the same for all imported Indicators. Unlike in a structured import, there is no way to set the status for individual Indicators in an unstructured import.

CAL™ is a trademark of ThreatConnect, Inc.

20074-02 EN Rev. A

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
Invalid characters found