Cyware Threat Intelligence eXchange

Allowed Indicator List

If an indicator is identified as safe based on your analysis, you can manually add such indicators to the Allowed Indicators list. The platform automatically updates the confidence score of allowed indicators to zero.

You can add an indicator to the Allowed Indicator List using the following methods:

  • Mark an indicator as an Allowed Indicator using the quick actions in threat data. For more information, see Quick Actions.

  • Directly add an indicator to the Allowed Indicator List. For more information, see Add Indicator to Allowed List.

  • Import indicators in bulk and add them as allowed indicators. For more information, see Import Allowed Indicators.

Add Indicator to Allowed List

You can add your trusted and potentially non-malicious indicators to the Allowed Indicator List to ensure that they are not inadvertently blocked.

Note

  • In CTIX applications deployed on the Cyware Cloud platform, you can add a maximum of 100,000 indicators to the allowed list.

  • In CTIX applications deployed on non-Cyware Cloud platforms, you can add a maximum of 11,000 indicators to the allowed list.

Before you Start

You must have View Indicators Allowed, Create Indicators Allowed, and Update Indicators Allowed permissions.

Steps

To add an indicator to the Allowed Indicator List, do the following:

  1. Go to Main Menu > My Org > Indicators Allowed.

  2. From My Allowed Indicators, click Add to Allowed Indicators.

  3. Enter the following details:

    • Select Type: Select the type of indicator to add. You can choose from Ipv4, Ipv6, MD5, SHA1, e-mail, and other supported types.

      • If you select the Ipv4 indicator type, you can turn on the Include URLs toggle to automatically mark incoming URLs that include the added IP address as allowed indicators. For example, if you add the IP address 1.1.1.1 and turn on the Include URLs toggle, then the incoming URL https://1.1.1.1/users will also be marked as an allowed indicator.

      • If you select the Domain indicator type, you can turn on the Include Sub-Domains, Include Emails, and Include URLs toggles to automatically mark incoming sub-domains, email addresses, and URLs that include the added domain as allowed indicators. For example, if you add the domain google.com and turn on the Include Sub-Domains, Include Emails, and Include URLs toggles, then the incoming sub-domain cloud.google.com, email address john.doe@google.com, and URL https://www.google.com/mail will also be marked as allowed indicators.

    • Indicators: Enter the indicator values to add to the allowed list, separated by commas or spaces. For example, 1.1.1.1 2.3.1.4,6.5.2.7.

    • Reason: Enter the reason for adding the indicators to the allowed list for reference.

  4. Click Add.

After you add indicators to the allowed list, the platform performs the following:

  • Displays the number of parsed, invalid, and duplicate indicators

  • Adds the parsed indicators to the allowed list

  • Updates the added indicators in Threat Data as allowed indicators

  • Sets the confidence score of the allowed indicators to zero
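
Because every indicator swept in by the Include toggles also has its confidence score set to zero, it helps to check what an entry would cover before you add it. The following Python is an added example, not Cyware code and not part of the original documentation; it models the toggles as the examples above describe them. The function names and the exact-host or dot-boundary matching rule are assumptions, since this page does not state how CTIX matches.

```python
from urllib.parse import urlsplit

def host_in_scope(host, allowed, sub_domains):
    """Exact host match, or sub-domain match on a dot boundary (assumption)."""
    host, allowed = host.lower().rstrip("."), allowed.lower().rstrip(".")
    return host == allowed or (sub_domains and host.endswith("." + allowed))

def covered(incoming, allowed, *, sub_domains=False, emails=False, urls=False):
    """True if `incoming` would be marked allowed by the entry `allowed`.

    Models the toggles as the page's examples describe them; the platform's
    real matching logic is not documented here, so this is an assumption.
    For an Ipv4 entry only `urls` applies.
    """
    if "://" in incoming:                    # URL: compare its host part only
        host = urlsplit(incoming).hostname or ""
        return urls and host_in_scope(host, allowed, sub_domains)
    if "@" in incoming:                      # email: compare the domain part
        domain = incoming.rsplit("@", 1)[1]
        return emails and host_in_scope(domain, allowed, sub_domains)
    return host_in_scope(incoming, allowed, sub_domains)

def audit(allowed, sample, **toggles):
    """Split a sample of incoming indicators into swept-in and untouched."""
    swept = [i for i in sample if covered(i, allowed, **toggles)]
    return swept, [i for i in sample if i not in swept]

# Constructed sample: the page's own examples, followed by look-alikes that a
# plain substring match on "google.com" would wrongly sweep in.
SAMPLE = [
    "cloud.google.com", "john.doe@google.com", "https://www.google.com/mail",
    "notgoogle.com", "google.com.example.net", "https://google.com@example.net/",
]

if __name__ == "__main__":
    swept, untouched = audit("google.com", SAMPLE,
                             sub_domains=True, emails=True, urls=True)
    print("would be allowed:", swept)
    print("left alone:      ", untouched)
```

Run it over an export of your own threat data in place of the constructed sample, then compare the result with what the platform marks as allowed after you add the entry.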

Import Allowed Indicators

You can import your existing list of allowed indicators in bulk and add them to the allowed indicators list in CTIX. This reduces the time and effort of manually adding them individually to the allowed indicators list. Currently, CTIX supports importing allowed indicators in CSV format only.

Before you Start

You must have View Indicators Allowed, Create Indicators Allowed, and Update Indicators Allowed permissions.

Steps

To import allowed indicators in bulk, do the following:

  1. Go to Main Menu > My Org > Indicators Allowed.

  2. On the upper right, click Import and select Download Template to download the import template in CSV format. The template includes the indicator types and the respective example values.

  3. Update the import template with the indicators. Do not change the keys of the indicator types, such as ipv4-addr and ipv6-addr, or the style of the template.

  4. Go to the CTIX application and on the upper right, click Import and select Import File.

  5. Select the CSV file that you updated. The size of the file must be less than or equal to 10 MB.

  6. Click Open.

The platform processes the import file to verify the indicators and adds the indicators to the allowed list. After the processing is completed, you will receive an email with a report of the import as an attachment. The report includes the import details, such as the list of valid and invalid indicators, and the import status.

Manage Allowed Indicator List

You can perform the following actions to manage allowed indicators:

  • Filters: Filter indicators based on creator, created date range, last modified date range, modified user, and the type of indicator.

  • Search: Search for indicators using their title.

  • Export: Export a CSV file with the details of indicators added to the allowed list.

You can perform the following actions on an allowed indicator:

  • Edit: Modify the existing reason added for the indicator.

  • Remove: Remove indicators that are no longer identified as safe. The platform recalculates the confidence score of the removed indicator accordingly.

  • View/Add Reason: View the existing reason or add a new reason for adding the indicator to the allowed list.

You can perform the following bulk actions for allowed indicators:

  • Remove: Bulk remove the indicators that are no longer identified as safe. The platform recalculates the confidence scores of the removed indicators accordingly.