Fill Indicator Details
An indicator contains a pattern that can be used to detect suspicious or malicious cyber activity.
Basic Details
Field Name | Required | Description |
---|---|---|
Name | Mandatory | Specify the name for the indicator. |
Description | Optional | Specify the description that best describes the key details of the indicator. |
Indicator Types | Optional | Specify the type of indicators, such as anonymization, C2, compromised PKI certificate, domain watchlist, and more. The indicator type list is built on standard STIX package observable patterns. |
Pattern Type | Mandatory | Specify the type of the detection pattern (for example, STIX or YARA) that provides additional context about the indicator. STIX patterns are expressions that represent Cyber Observable objects within a STIX Indicator SDO. The selected pattern type adds a tab for entering the pattern to the indicator's STIX component tabs. |
Start Date* | Mandatory | Specify the start date from which the indicator is considered valid for the behaviors it describes. |
End Date* | Mandatory | Specify the end date until which the indicator is considered valid for the behaviors it describes. |
*For more details on dates across the platform, see General FAQs.
Custom Fields
Field Name | Description |
---|---|
Tags | Specify the tags for the indicator. Tags help group related information in CTIX. |
TLP | Specify the TLP value for the indicator, such as RED, AMBER, GREEN, WHITE, and NONE. |
Created by Reference | Specify the entity that created the CTIX object. |
Revoked | Select this option to mark the component as revoked or invalid. |
Custom Attributes
Field Name | Description |
---|---|
Add Custom Attribute | Specify additional information that enriches the threat intelligence details. CTIX displays the custom attributes created in Administration > Custom Entities Management. You can add multiple custom attributes to an indicator. |
Kill Chain Phases
Include the kill chain phases for which this object can be used.
Field Name | Description |
---|---|
Kill Chain Name | Choose the kill chain name to associate with this object. You can choose Lockheed Martin or MITRE kill chains. You can also create and add custom kill chains in Administration > Custom Entities Management and associate them here. |
Kill Chain Phase | Choose the kill chain phase associated with the kill chain. |
STIX
STIX patterns are expressions that represent Cyber Observable objects within a STIX Indicator object. If STIX is selected as the Pattern Type, enter the following values.
Field Name | Description |
---|---|
Type | Select the type of the observable expression for the indicator. |
Name | Enter the value of the observable expression for the indicator. |
Comparator | Select AND or OR condition. |
Add More | Click to add more observable expressions. |
If you selected YARA as the Pattern Type, enter in the console the YARA rule that represents the Cyber Observable objects for this indicator.
External References
Use external references to include any non-STIX information that you may want to associate with this object.
Field Name | Description |
---|---|
Source Name | Enter a source name. |
Description | Enter a description. |
External ID | Enter an external ID. |
URL | Enter the URL of the external reference. |
Hash Type | Select the hash type. |
Hash Value | Enter the hash value. |
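The STIX observable expressions (Type, Name, Comparator) above, together with the Basic Details, Kill Chain Phases and External References tables, map directly onto properties of a STIX 2.1 Indicator object. The following Python is an added example, not CTIX product code: it assembles such an object from form-style values, joins the Type/Name rows with the Comparator, rejects an End Date that is not later than the Start Date, and attaches kill chain phases and external references with their hash. The observable-type mapping (`OBSERVABLE_PATHS`), the treatment of AND/OR as a join between observation expressions, the helper names, and all sample values (`198.51.100.7`, `c2.example.invalid`, `constructed-feed`) are assumptions made for illustration.

```python
# Added example, not CTIX product code: maps the form fields on this page
# (Basic Details, Kill Chain Phases, STIX observable expressions, External
# References) onto a STIX 2.1 Indicator SDO. The observable-type mapping,
# treating the Comparator as a join between observation expressions, and
# every sample value are assumptions made for illustration.
import json
import uuid
from datetime import datetime, timezone

# Assumed mapping from the form's "Type" choice to the object path used in a
# STIX comparison expression; hash keys containing a hyphen must be quoted.
OBSERVABLE_PATHS = {
    "ipv4-addr": "ipv4-addr:value",
    "domain-name": "domain-name:value",
    "url": "url:value",
    "md5": "file:hashes.MD5",
    "sha256": "file:hashes.'SHA-256'",
}

def quote(value):
    """Render a STIX string literal: single-quoted, with \\ and ' escaped."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def build_pattern(expressions, comparator="OR"):
    """Join (Type, Name) rows from the STIX tab into one pattern string.
    Each row becomes an observation expression [path = 'value'] and the
    Comparator joins them; escaping keeps a quote inside an observable
    value from changing the pattern's structure."""
    if comparator not in ("AND", "OR"):
        raise ValueError("Comparator must be AND or OR")
    if not expressions:
        raise ValueError("at least one observable expression is required")
    parts = []
    for obs_type, value in expressions:
        if obs_type not in OBSERVABLE_PATHS:
            raise ValueError(f"unsupported observable type: {obs_type}")
        parts.append(f"[{OBSERVABLE_PATHS[obs_type]} = {quote(value)}]")
    return f" {comparator} ".join(parts)

def parse_date(text):
    """Parse an ISO 8601 date or date-time; naive values are taken as UTC."""
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def stix_timestamp(dt):
    """Format an aware datetime as a STIX timestamp (UTC, millisecond precision)."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"

def external_reference(source_name, description=None, external_id=None,
                       url=None, hash_type=None, hash_value=None):
    """One External References row; STIX requires only source_name."""
    ref = {"source_name": source_name}
    optional = {"description": description, "external_id": external_id, "url": url}
    ref.update({k: v for k, v in optional.items() if v})
    if hash_type and hash_value:
        ref["hashes"] = {hash_type: hash_value}
    return ref

def build_indicator(name, pattern, valid_from, valid_until=None, description=None,
                    indicator_types=(), kill_chain_phases=(),
                    external_references=(), revoked=False):
    """Assemble the Indicator SDO; End Date must be later than Start Date."""
    if valid_until is not None and valid_until <= valid_from:
        raise ValueError("End Date must be later than Start Date")
    now = stix_timestamp(datetime.now(timezone.utc))
    sdo = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{uuid.uuid4()}", "created": now, "modified": now,
           "name": name, "indicator_types": list(indicator_types),
           "pattern_type": "stix", "pattern": pattern,
           "valid_from": stix_timestamp(valid_from)}
    if description:
        sdo["description"] = description
    if valid_until is not None:
        sdo["valid_until"] = stix_timestamp(valid_until)
    if kill_chain_phases:
        sdo["kill_chain_phases"] = [{"kill_chain_name": c, "phase_name": p}
                                    for c, p in kill_chain_phases]
    if external_references:
        sdo["external_references"] = list(external_references)
    if revoked:
        sdo["revoked"] = True
    return sdo

def sample_indicator():
    """Constructed values standing in for a filled-out form."""
    pattern = build_pattern([("ipv4-addr", "198.51.100.7"),
                             ("domain-name", "c2.example.invalid")], "OR")
    return build_indicator(
        "Constructed C2 watchlist entry", pattern,
        parse_date("2024-01-01"), parse_date("2024-06-30"),
        description="Sample built from constructed values",
        indicator_types=["malicious-activity"],
        kill_chain_phases=[("lockheed-martin-cyber-kill-chain", "command-and-control")],
        external_references=[external_reference(
            "constructed-feed", url="https://example.invalid/report",
            hash_type="SHA-256", hash_value="a" * 64)])

if __name__ == "__main__":
    print(json.dumps(sample_indicator(), indent=2))
```

Running the file prints the resulting JSON. The escaping in `quote` matters because an observable value copied from a feed can itself contain a single quote or backslash; without escaping, that character would terminate the literal and yield a pattern that fails to parse or matches something other than intended.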