Allowed Indicators
Allowed indicators refer to the known, established, and trusted indicators, including IP addresses, URLs, file hashes, email addresses, domain names, and various other elements. Categorizing indicators as allowed empowers organizations to distinguish benign and non-malicious entities from the incoming indicators, thereby preventing inadvertent actions on trusted indicators.
How does it work?
When indicators are ingested into CTIX, they undergo a series of steps, including processing, enrichment, analysis, and dissemination. This comprehensive process ensures that precautionary measures are taken against malicious indicators before they pose a threat to your organization. To safeguard your trusted indicators from undergoing the standard processing in CTIX, you mark them as allowed indicators within the platform. This action ensures that the allowed indicators are exempted from the extensive list of incoming indicators, preventing any inadvertent actions.
How to manage allowed indicators?
In CTIX, you can manage indicators using the following methods:
Add Indicators to the Allowed Indicators List: As an analyst, you can include indicators in the Allowed Indicators list based on your analysis and findings. This step ensures that indicators specific to your organization, domain, or those you trust are not mistakenly classified as threats.
Use Third-Party Repositories of Allowed Indicators: CTIX seamlessly integrates with popular third-party repositories such as Majestic Million, offering access to an extensive collection of widely recognized and trusted indicators.
Note
Read-only users can view the allowed indicators but cannot modify them. For more information, see User Groups Permission Set.
Feature Availability Matrix
Feature | CTIX Enterprise | CTIX Lite | CTIX Spoke |
|---|---|---|---|
My Allowed Indicators | Yes | Yes | No |
Third-Party Indicators | Yes | No | No |