Threat Data
If Threat Data does not list an existing object, then the object must be associated with a restricted tag and your user group does not have permission to access the object.
If a tag exists in the platform and the search does not list the tag, then either the tag is disabled or the tag is a privileged access tag and you do not have permission to add or remove privileged access tags.
If a privileged access tag exists in the platform and the search does not list the tag even if you have permission to add or remove privileged access tags in threat data objects, then either the tag is disabled or the tag is added as a restricted tag in your user group configuration and cannot be accessed by your user group.
Yes. The default deprecation time is six months, provided the deprecated object is not reported by any other source.
Consider the following scenarios for IOC deprecation:
Manual Deprecation: When an IOC no longer serves its purpose and is taking up space in the database, you can deprecate it from Threat Data.
Automatic Deprecation: As an analyst, you can identify the IOCs that no longer serve their purpose and write a rule to deprecate them automatically.
Valid Until Surpassed: If an IOC has surpassed its expiration date marked by an analyst, the application will automatically mark the IOC as deprecated.
6 Months Old Unmodified Data: If an IOC is not modified or reported again over a period of 6 months, the application will automatically mark the IOC as deprecated.
Consider the following scenarios to undeprecate an IOC:
You can manually undeprecate an IOC for a set period of time.
If you receive intel that a deprecated IOC is malicious, CTIX automatically undeprecates it.
System Created Date: The date and time when an object is first received from any source or imported manually in CTIX. For example, CTIX receives an indicator on May 28, 2023, at 11:30 AM for the first time, then the platform displays May 28, 2023, 11:30 AM as the System Created Date.
System Modified Date: The date and time when the details of an object are modified in CTIX. For example, CTIX automatically deprecates an object using a rule on May 31, 2023, at 4:00 AM, then the platform displays May 31, 2023, 4:00 AM as the System Modified Date.
CTIX updates the System Modified Date for an object based on the following scenarios:
When any manual or automated action impacts an object.
When we receive the same object from a different source.
When we receive additional data, such as TLP, tags, and more, from various sources.
No. CTIX supports parsing of expanded IPv6 only. Compressed IPv6 indicators must be converted to the expanded version before they can be ingested into CTIX.
Supported: 2603:1040:0000:0000:0000:0000:0000:0248 (Expanded IPv6)
Unsupported: 2603:1040::248 (Compressed IPv6)
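A pre-ingest normalizer for the IPv6 requirement above, as an added example that is not part of the original page or of CTIX: it uses Python's standard ipaddress module to rewrite compressed addresses into the expanded form and sets aside values it cannot safely expand. The function names and the sample feed (apart from the two addresses shown on the page) are constructed for illustration; sending zone IDs and CIDR ranges to review is an assumption, since the page only discusses single addresses.

```python
import ipaddress


def expand_ipv6(value):
    """Return the expanded (eight groups of four hex digits) form, or None."""
    if "%" in value or "/" in value:
        return None  # assumption: zone IDs and CIDR ranges need manual review
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # malformed input
    if addr.version != 6:
        return None  # IPv4 is not covered by this helper
    return addr.exploded  # lowercase, zero-padded, no "::"


def normalize_feed(values):
    """Return (expanded, rewritten, rejected) for a list of IPv6 indicators."""
    expanded, rewritten, rejected, seen = [], {}, [], set()
    for raw in values:
        value = raw.strip()
        full = expand_ipv6(value)
        if full is None:
            rejected.append(value)
            continue
        if full != value:
            rewritten[value] = full  # keep a record of what was changed
        if full not in seen:  # two notations of one address collapse to one
            seen.add(full)
            expanded.append(full)
    return expanded, rewritten, rejected


# Constructed sample feed; only the first two values come from the page.
SAMPLE_FEED = [
    "2603:1040::248",
    "2603:1040:0000:0000:0000:0000:0000:0248",
    "2001:DB8::1",
    "2001:db8:0:0:0:0:0:2",
    "fe80::1%eth0",
    "2001:db8::/32",
    "192.0.2.10",
    "2001:db8:::1",
]

if __name__ == "__main__":
    ready, changed, skipped = normalize_feed(SAMPLE_FEED)
    print("ingest:", *ready, sep="\n  ")
    print("rewritten:", changed)
    print("needs review:", skipped)
```

Keeping the rewritten mapping lets an analyst trace an expanded indicator back to the notation the original source used.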