Cyware Threat Intelligence eXchange

Quick Actions on Threat Data

You can perform the following actions on a threat data object.

Note

Read-only users cannot access some of the quick actions as they do not have access to update details on threat data.

  1. Go to Main Menu > Collection > Threat Data.

  2. Select an object.

  3. From the Quick Actions panel on the right side of the screen, select one of the following actions:

    • False Positive: Mark the indicator as a false positive if you think it is not malicious. You can also unmark it and remove it from the false positive status.

    • Indicator Allowed: Enter a reason and add the indicator to your allowed list. You can also remove the indicator from the allowed list.

    • Add to Watchlist: Add the threat data object as a keyword in the watchlist. You can view details and occurrences of the keyword in the Watchlist under My Org.

    • Deprecate: Deprecate the indicator if you no longer find it useful. You can also undeprecate the indicator.

    • Manual Review: Mark the indicator for a manual review by the analyst.

    • View in Threat Investigations: Opens a canvas for the threat data object in Threat Investigations.

    • View in Sandbox: Opens the analysis report of the threat data object in Sandbox. This is only available for the Report object type.

    • New Note: Create a new note and include any additional information to associate with the threat data object. You can see these notes in Global Notes under Collections.

    • New Task: Create a new task for this indicator. Open the Tasks tab to view the tasks associated with this indicator.

    • Create CFTR Case: Create a CFTR case from CTIX for the threat data object to perform a detailed investigation.

    • Run Rule: Runs a rule manually from Threat Data. As you select this option, CTIX displays the list of rules created with the Run Rule Manually Only option. You can choose the rule to run on the selected objects of type indicator, malware, threat actor, vulnerability, attack pattern, campaign, course of action, identity, infrastructure, intrusion set, location, tool, report, observable, incident, and note.

    • Delete: Delete this object.

      Note

      You must have delete permission for threat data to delete the objects.

    • Tags: Click Add Tags in the Tags section, select a tag, and apply it to the threat data object.

What happens when you delete a threat data object?

When you delete a threat data object:

  • The associated notes, tasks, and the relationship with other objects are also deleted.

  • The object is removed from the threat investigation canvas.

When you delete a published object, the object is revoked from all published collections and a flag revoked = true is sent to the collections.

Note

If all the related threat data objects of a report object are deleted, the report object remains in the platform without any related objects. You can delete the empty report object manually.

Revoke Intel

Notice

This feature is available in CTIX from the release version v3.4.0 and later.

Revoke Intel revokes a published indicator in the platform if it was published to the collections unintentionally or has since been marked as a false positive. After you revoke an indicator, the platform re-publishes it to all the published collections with a flag conveying that the indicator is revoked. CTIX re-publishes this information in STIX 1.x and STIX 2.x formats.

If the platform later receives the revoked indicator again from any source, it resets the status of the indicator automatically.
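The following is an added example of what a downstream consumer of a published collection does with the revoked flag described above and under "What happens when you delete a threat data object?"; it is not Cyware code. It assumes the flag is delivered as the STIX 2.x `revoked` property and that the collection is consumed as STIX bundles; the indicator and timestamps are constructed.

```python
import json
from typing import Dict, Tuple

# Constructed sample (not real CTIX output): one indicator delivered twice
# through a published collection, the second copy being the re-published
# version that carries revoked = true after Revoke Intel.
INDICATOR_ID = "indicator--11111111-1111-4111-8111-111111111111"
_BASE = {"type": "indicator", "spec_version": "2.1", "id": INDICATOR_ID,
         "created": "2024-01-10T09:00:00.000Z",
         "name": "constructed example domain",
         "pattern": "[domain-name:value = 'example.invalid']",
         "pattern_type": "stix", "valid_from": "2024-01-10T09:00:00Z"}
ORIGINAL = dict(_BASE, modified="2024-01-10T09:00:00.000Z")
REVOKED = dict(_BASE, modified="2024-01-12T15:30:00.000Z", revoked=True)


def bundle_of(*objects: dict) -> str:
    """Wrap STIX objects in a bundle as a collection would serve them."""
    return json.dumps({"type": "bundle",
                       "id": "bundle--00000000-0000-4000-8000-000000000001",
                       "objects": list(objects)})


def apply_bundle(bundle_json: str, active: Dict[str, dict],
                 revoked: Dict[str, dict]) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Merge a bundle into the consumer's state: `active` feeds detection,
    `revoked` records withdrawn indicators so they are not re-alerted on.

    STIX versioning: all versions share an id and the greatest `modified`
    wins, so an old copy replayed later cannot resurrect a revoked indicator.
    """
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        oid, modified = obj["id"], obj.get("modified", obj["created"])
        current = active.get(oid) or revoked.get(oid)
        if current and current.get("modified", current["created"]) >= modified:
            continue  # stale duplicate or replay of an older version
        if obj.get("revoked", False):
            active.pop(oid, None)  # stop matching on it immediately
            revoked[oid] = obj
        else:
            revoked.pop(oid, None)
            active[oid] = obj
    return active, revoked


if __name__ == "__main__":
    active, revoked = apply_bundle(bundle_of(ORIGINAL, REVOKED), {}, {})
    print("active:", sorted(active), "revoked:", sorted(revoked))
```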