
Cyware Fusion and Threat Response

Update Threat Intel

You can perform the following activities to update a threat intel IOC:

  • Update status

  • Update TLP

  • Update IOC details using the terminal

  • Enrich IOC

Update Indicator Status

The STATUS column on the Threat Intel listing page displays the status of an indicator. The possible statuses are:

  • Clean

  • Blocked

  • Malicious

  • False Positive

  • Whitelisted

If an indicator's status has not been updated yet, the default status None is applied automatically. To update the status:

  1. Open an indicator from the Threat Intel listing page. The indicator details page appears.

  2. On the top-right corner, from the status drop-down list, select a status. A confirmation message appears.

  3. Click Yes, Proceed.

Update Indicator TLP

Indicators are categorized into four TLP colors based on the severity of their potential impact on an organization. The definitions of these TLP colors are:

  • Red TLP: IOCs marked with RED TLP must not be disclosed to anyone other than the specified participants. RED TLP should also be used when misuse of the IOC could cause major impact on the organization's property, reputation, or operations.

  • Amber TLP: IOCs marked with AMBER TLP can be shared only within the organization, because sharing them outside the organization carries risks to privacy, reputation, or operations.

  • Green TLP: IOCs marked with GREEN TLP can be shared only within a specific community. They should still be treated as limited disclosure, since the information is shared for awareness among peers and communities.

  • White TLP: White TLP IOCs can be shared without any restrictions.

All IOCs identified in CFTR are assigned WHITE TLP by default. To update the TLP:

  1. Open an indicator from the Threat Intel listing page. The indicator details page appears.

  2. On the right pane, under the Overview section, in the TLP field, click the Edit icon. The TLP color codes appear.

  3. Select a TLP color.

The indicator TLP color is updated.

Note

You can also update the status and TLP of an indicator from the Threat Intel listing page. Select the indicators that you want to update and click the Update Fields or Update Status button.
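The status values, default TLP and disclosure rules above can be encoded as a small policy check, which is useful when deciding which indicators may go into an export or a shared feed. The following is an added example written for this page; it is not CFTR code and does not use any CFTR API. The audience names ("participant", "organization", "community", "public"), the `participants` field on RED indicators, and the sample indicator values are assumptions of the example.

```python
from dataclasses import dataclass

# Status values from the page; "None" is the default applied until an analyst updates it.
STATUSES = ("None", "Clean", "Blocked", "Malicious", "False Positive", "Whitelisted")

# Widest audience each TLP colour may reach, per the page's definitions.
# Audience names are an assumption of this example, not CFTR terminology.
AUDIENCE_RANK = {"participant": 0, "organization": 1, "community": 2, "public": 3}
TLP_MAX_AUDIENCE = {"RED": "participant", "AMBER": "organization",
                    "GREEN": "community", "WHITE": "public"}


@dataclass
class Indicator:
    value: str
    status: str = "None"                    # default status until updated
    tlp: str = "WHITE"                      # CFTR assigns WHITE by default
    participants: frozenset = frozenset()   # named recipients; only used for RED (assumed field)


def update_status(ioc: Indicator, status: str) -> Indicator:
    """Mirror the status drop-down: only the listed values are accepted."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}")
    ioc.status = status
    return ioc


def update_tlp(ioc: Indicator, color: str, participants=()) -> Indicator:
    """Mirror the TLP edit: RED must name the participants it may be disclosed to."""
    color = color.upper()
    if color not in TLP_MAX_AUDIENCE:
        raise ValueError(f"unknown TLP colour {color!r}")
    if color == "RED" and not participants:
        raise ValueError("RED TLP requires the specified participants")
    ioc.tlp = color
    ioc.participants = frozenset(participants) if color == "RED" else frozenset()
    return ioc


def may_share(ioc: Indicator, audience: str, recipient=None) -> bool:
    """True if disclosing this IOC to `audience` stays within its TLP colour."""
    if audience not in AUDIENCE_RANK:
        raise ValueError(f"unknown audience {audience!r}")
    if ioc.tlp == "RED":
        # RED: only the named participants, never a broader audience
        return audience == "participant" and recipient in ioc.participants
    return AUDIENCE_RANK[audience] <= AUDIENCE_RANK[TLP_MAX_AUDIENCE[ioc.tlp]]


def bulk_update(iocs, status=None, tlp=None, participants=()):
    """Listing-page style bulk edit: apply the same status and/or TLP to many IOCs."""
    for ioc in iocs:
        if status is not None:
            update_status(ioc, status)
        if tlp is not None:
            update_tlp(ioc, tlp, participants)
    return iocs


def shareable(iocs, audience: str, recipient=None):
    """Indicator values that may go into an export for `audience`, e.g. a community feed."""
    return [i.value for i in iocs if may_share(i, audience, recipient)]


if __name__ == "__main__":
    # Constructed sample indicators, not real IOCs.
    sample = [Indicator("203.0.113.7"), Indicator("example.invalid"),
              Indicator("hash-placeholder")]
    update_tlp(sample[0], "AMBER")
    update_tlp(sample[1], "RED", participants={"soc-lead"})
    bulk_update(sample, status="Malicious")
    print("community feed:", shareable(sample, "community"))   # only the WHITE indicator
    print("internal:", shareable(sample, "organization"))       # AMBER and WHITE
```

The check is deliberately conservative: a RED indicator is never released to an audience wider than its named participants, and an unknown status or colour is rejected rather than silently stored.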

Terminal

Using the Terminal tool, you can interact with the integrated applications and Playbooks configured in Orchestrate. CFTR users with the appropriate permissions can enter commands in a fixed format in the Terminal's Command Line Interface (CLI) to interact with applications and Playbooks, retrieve information, and perform tasks for the indicator. If an application runs on multiple instances, you can select the instance in which to perform the action. Follow the Terminal prompt, enter the required inputs, and press Enter. The Terminal executes the command and performs the task automatically.

Enrich Intel

Intel Enrichment lets you enrich threat intel indicators using the enrichment apps configured in your Orchestrate application. When you enrich an indicator with an enrichment app, the app retrieves the enrichment details and displays the data in tabular and raw formats.

You can enrich indicators using the following enrichment apps that are configured in Orchestrate:

  • X-Force

  • Shodan

  • Whois

  • CTIX

  • VirusTotal

Before you Start

  • Ensure that Orchestrate is integrated and enabled in CFTR.

  • Ensure that at least one of the above-mentioned enrichment apps is configured and enabled in Orchestrate.

Steps

To enrich an indicator, do the following:

  1. Go to Menu > Threat Intel and open an IOC.

  2. Go to Intel Enrichment and click Sync.

CFTR retrieves and displays the enrichment details in tabular and raw formats.