Update Threat Actor
After a threat actor is added, you can access it from Menu > Threat Actors. Search for the threat actor and click its title to open it. To get a quick overview of the threat actor, click Show Overview on the right. The overview displays some basic details of a threat actor, such as threat actor ID, created and last updated dates, labels added to the action to categorize it, connected modules, and added notes. Use the following CFTR features to update the threat actor:
Summary: Displays the details of the threat actor, such as threat actor description, threat actor type, motivation, role, and more.
Notes: Add notes about the actions performed on the threat actor.
Activity Logs: Displays a list of all the threat actor updates.
Connect the Dots: Connect other CFTR modules that are related to the threat actor to gain contextual information. For more information, see Connect the Dots.
Threat Intel: Connect various indicator types that are related to the threat actor to gain contextual information.
Actions: Add actions for the tasks that are required for the threat actor. For more information, see Create Action.
PIRs: Add PIRs for the tasks that are required for the threat actor. For more information, see Create PIR.
Enhancements: Add enhancements for the tasks that are required for the threat actor. For more information, see Create Enhancement.
Attachments: Upload the external files that are related to the threat actor. For more information, see Add Attachments.
To update a threat actor, do the following:
Open a threat actor from the Threat Actors listing page. The threat actor details page appears.
Hover the cursor over a field and click the Edit icon.
Update the field and click the Save icon.
To view the update history of a field, hover the cursor over the field and click the History icon.
Add Indicators
Under the Indicators tab, you can connect indicators that are related to the threat actor, such as domains, IP addresses, emails, URLs, and so on. To add indicators to a threat actor:
On a threat actor details page, click the Indicators tab.
In the Indicators section, click Connect Now. The Add Indicators page appears.
Select the indicator type from the left panel.
On the right panel, under the Update <indicator_type> section, enter the indicator details on separate lines.
Click Save.
The added indicators appear on the Indicators tab.
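Because indicators are entered one type at a time with one value per line, a mixed list from analyst notes has to be sorted by type first. The following helper is an added example, not part of CFTR: it refangs, classifies, and de-duplicates a constructed sample list into per-type blocks ready to paste. The type labels follow this page's wording and the refanging step assumes that real (not defanged) values are what should be stored.

```python
import ipaddress
import re
# Constructed sample: mixed, partly defanged indicators copied from analyst notes.
SAMPLE = """hxxps://login.example[.]com/reset
198.51.100.23
billing@example[.]org
Example.NET
198.51.100.23
not an indicator"""

URL_RE = re.compile(r"^https?://[^\s/]+", re.IGNORECASE)
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def refang(value):
    """Undo common defanging (assumption: real values are what gets stored)."""
    return re.sub(r"^hxxp", "http", value.strip().replace("[.]", "."), flags=re.IGNORECASE)

def classify(value):
    """Return a type label (taken from this page's wording), or None if unrecognized."""
    try:
        ipaddress.ip_address(value)
        return "IP addresses"
    except ValueError:
        pass
    if URL_RE.match(value):
        return "URLs"
    email = EMAIL_RE.match(value)
    if email and DOMAIN_RE.match(email.group(1).lower()):
        return "emails"
    return "domains" if DOMAIN_RE.match(value.lower()) else None

def group_indicators(raw):
    """Group by type, de-duplicated in first-seen order; unknown lines are set aside."""
    groups, rejected = {}, []
    for line in filter(str.strip, raw.splitlines()):
        value = refang(line)
        kind = classify(value)
        if kind is None:
            rejected.append(line.strip())
            continue
        value = value.lower() if kind == "domains" else value
        if value not in groups.setdefault(kind, []):
            groups[kind].append(value)
    return groups, rejected

if __name__ == "__main__":
    groups, rejected = group_indicators(SAMPLE)
    for kind, values in {**groups, "needs review": rejected}.items():
        print(f"--- {kind} ---", *values, sep="\n")
```

Lines listed under "needs review" did not match any type and should be checked by hand rather than pasted.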
Update Threat Actor Status
To update the status of a threat actor:
Open a threat actor from the Threat Actors listing page. The threat actor details page appears.
In the top-right corner, from the status drop-down list, select a status for the threat actor. A confirmation message appears.
Click Yes, Proceed.