Threat Data
If an object isn’t listed in Threat Data, it’s likely associated with a restricted tag, and your user group doesn’t have the necessary permissions to access it.
The object ID in Intel Exchange is a unique identifier that is automatically generated for each threat data object. If a threat data object is deleted and re-ingested, a new object ID is assigned. This ensures data integrity and maintains uniqueness for all threat data objects in the system.
If a tag exists in the platform and the search does not list the tag, then either the tag is disabled or the tag is a privileged access tag and you do not have permission to add or remove privileged access tags.
If the tag exists but doesn’t appear in the search results, it might be disabled or marked as a privileged access tag that your user group doesn’t have permission to use.
If a privileged access tag exists but is not searchable or accessible, it might be disabled or configured as a restricted tag for your user group. In this case, your group cannot access or manage it despite your permission.
Threat objects are set to deprecate by default after six months unless they are reported by another source during this time.
Consider the following scenarios for IOC deprecation:
Manual Deprecation: When an IOC no longer serves its purpose and is taking up space in the database, you can deprecate it from Threat Data.
Automatic Deprecation: As an analyst, you can identify the IOCs that no longer serve their purpose and write a rule to deprecate them automatically.
Valid Until Surpassed: If an IOC has surpassed its expiration date marked by an analyst, the application will automatically mark the IOC as deprecated.
6 Months Old Unmodified Data: If an IOC is not modified or reported again over a period of 6 months, the application will automatically mark the IOC as deprecated.
Consider the following scenarios to undeprecate an IOC:
You can manually undeprecate an IOC for a set period of time.
If you receive intel that a deprecated IOC is malicious, CTIX automatically undeprecates it.
System Created Date: The date and time when an object is first received from any source or imported manually in CTIX. For example, CTIX receives an indicator on May 28, 2023, at 11:30 AM for the first time, then the platform displays May 28, 2023, 11:30 AM as the System Created Date.
System Modified Date: The date and time when the details of an object are modified in CTIX. For example, CTIX automatically deprecates an object using a rule on May 31, 2023, at 4:00 AM, then the platform displays May 31, 2023, 4:00 AM as the System Modified Date.
CTIX updates the System Modified Date for an object based on the following scenarios:
When any manual or automated action impacts an object.
When we receive the same object from a different source.
When we receive additional data, such as TLP, tags, and more, from various sources.
No. CTIX supports parsing of expanded IPv6 only. Compressed IPv6 indicators must be converted to the expanded version before they can be ingested into CTIX.
Supported: 2603:1040:0000:0000:0000:0000:0000:0248 (Expanded IPv6)
Unsupported: 2603:1040::248 (Compressed IPv6)
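One way to do that conversion before ingestion, as an added example that is not part of the CTIX product or its documentation: the Python sketch below rewrites compressed IPv6 indicators in a mixed feed to the expanded form and leaves every other indicator type untouched. The function names and the sample feed are constructed for illustration, and lowercase hex output and skipping zone-scoped addresses are assumptions.

```python
import ipaddress

def expand_ipv6(value):
    """Return the fully expanded IPv6 form of `value`, or None when the
    value is not a plain IPv6 address (IPv4, domain, hash, scoped address)."""
    candidate = value.strip()
    if "%" in candidate:
        # Zone-scoped link-local addresses (fe80::1%eth0) are host-local and
        # are left for the analyst to review (assumption of this example).
        return None
    try:
        addr = ipaddress.IPv6Address(candidate)
    except ValueError:
        return None
    # Render the 128-bit value as eight zero-padded 4-digit groups.
    hex_str = format(int(addr), "032x")
    return ":".join(hex_str[i:i + 4] for i in range(0, 32, 4))

def normalize_feed(indicators):
    """Expand IPv6 entries in a list of indicators.
    Returns (normalized_list, [(original, expanded), ...] for rewritten entries)."""
    normalized, rewritten = [], []
    for raw in indicators:
        original = raw.strip()
        expanded = expand_ipv6(original)
        if expanded is None:
            normalized.append(original)      # not IPv6: pass through unchanged
            continue
        normalized.append(expanded)
        if expanded != original:
            rewritten.append((original, expanded))
    return normalized, rewritten

# Constructed sample feed (documentation/test ranges plus the page's example).
SAMPLE_FEED = [
    "2603:1040::248",                           # compressed, from the page
    "2603:1040:0000:0000:0000:0000:0000:0248",  # already expanded
    "2001:DB8::1",                              # compressed, upper-case hex
    "::ffff:192.0.2.10",                        # IPv4-mapped, dotted tail
    "198.51.100.7",                             # IPv4, untouched
    "example.test",                             # domain, untouched
    "fe80::1%eth0",                             # scoped, untouched
]

if __name__ == "__main__":
    cleaned, changes = normalize_feed(SAMPLE_FEED)
    for before, after in changes:
        print(f"{before} -> {after}")
```

Keeping the list of rewritten pairs lets you log what changed between the source feed and what was submitted for ingestion.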