Third-Party Allowed Indicators
Notice
This feature is available from the release version 3.4.3 and later that are deployed on Cyware Cloud.
CTIX seamlessly integrates with popular third-party repositories like Majestic Million, offering access to an extensive collection of widely recognized and trusted indicators. Any indicator that is ingested in the platform is then verified against the third-party repository. If an indicator is found within this repository, it is automatically marked as allowed. The platform resets the confidence score of these allowed indicators to zero, confirming their trustworthiness. This ensures that the well-known and potentially non-malicious indicators are not inadvertently blocked.
However, if you come across a suspicious indicator listed in the third-party allowed list either through external feeds or your own investigation, you can add the indicator to the third-party ignored list. Adding an indicator to the third-party ignored list effectively revokes its status as an allowed indicator. The platform recalculates and updates the confidence score of the indicator.
Note
Currently, indicators ingested from the API feed sources are not automatically verified with the third-party-allowed indicator list.
You can search and retrieve an indicator from the third-party allowed indicator repository, but cannot view the whole list of third-party allowed indicators in the platform.
Add Indicators to Third-Party Ignored List
If an allowed indicator of the third-party repositories is identified as suspicious, you can add the indicator to the third-party ignored list.
Note
You can add a maximum of 1000 indicators to the third-party ignored list.
Before you Start
Your user group must have View Indicators Allowed, View Third-Party Indicators, Create Third-Party Indicators, Create Indicators Allowed, Update Third-Party Indicators, and Update Indicators Allowed permissions.
You must turn on the toggle for Third Party Indicators Allowed under Administration > Configurations > General Settings. For more information, see Configure General Settings.
Steps
To add an indicator to the third-party ignored list, do the following:
Go to Main Menu > My Org > Indicators Allowed and select Third-Party Indicators.
Enter the indicator value to search in the third-party repository. Enter the exact match of the indicator value as searching in the third-party repository is case-sensitive. For example,
qq.com.If the indicator is found in the third-party repository, click Add to Ignored List.
After you add an indicator to the ignored list, the platform performs the following:
Adds the indicator to the third-party ignored list
Treats the indicator as potentially malicious and performs any actions required
Recalculates and updates the confidence score of the indicator
Note
If an indicator is added to both the allowed indicator list and the third-party ignored list, the platform gives priority to the third-party ignore status.
Manage Third-Party Ignored Indicators List
You can perform the following functions to manage third-party ignored indicators:
Search: Search for indicators using their title.
Filter: Filter indicators based on their type, created by, modified by, created range, and last modified range.
You can perform the following action individually or in bulk for the third-party ignored indicators:
Remove: Remove indicators from the third-party ignored list based on your analysis. After you remove it from the list, the platform automatically resets the confidence score to zero and no longer treats it as potentially malicious.