Define an IoC

IoCs, sometimes referred to simply as indicators, are usually retrieved from a threat data source as STIX data; however, you can also create new IoCs manually as needed, for example for an indicator you observed in an investigation that no feed has published yet.

Before you begin

Role required: sn_ti.write

Procedure

  1. Navigate to Threat Intelligence > IoC Repository > Indicators.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Field: Description
    Title: Enter a descriptive name for this indicator.
    First Seen: Shows the first date this indicator was observed in the system.
    Last Seen: Shows the most recent date this indicator was observed in the system.
    Encountered count: Displays the number of times the indicator has been encountered. This count is maintained by the system, not entered by hand.
    Sourced count: Displays the number of times the indicator was imported from defined threat sources. This count is maintained by the system, not entered by hand.
    Notes: Enter any additional notes about the indicator, such as where it was observed or the pattern it matches.
  4. After you click Save, the following related lists appear on the record. Click any of them to view additional information.
    Related List: Description
    Related Observables: Lists the observables (for example IP addresses, domains, or file hashes) that are linked to the current indicator.
    Related Attack mode/method: Lists the attack modes/methods that have been identified as related to this indicator.
    Associated Type: Lists other indicator types that are associated with this IoC.
    Indicator Sources: Lists the sources of this indicator, along with the confidence level of each source.
    Associated Tasks: Lists all tasks, changes, and incidents associated with the IoC.
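The procedure above creates one IoC through the form. When the indicator arrives as STIX data and you want to create the record without filling in the form by hand, the same fields can be populated through the ServiceNow Table API. The following Python script is an added example and is not ServiceNow's own code or part of the product. It assumes that the indicator table is named sn_ti_indicator and that its columns are named name, first_seen, last_seen and notes; verify both in your instance's dictionary before use. The STIX indicator object and the instance URL are constructed for illustration. The account used needs the sn_ti.write role, and the Encountered count and Sourced count fields are deliberately not sent, because the system maintains them.

```python
"""Create a Threat Intelligence IoC from a STIX 2.1 indicator via the Table API
(added example; table and column names are assumptions, not documented here)."""
import base64
import json
import urllib.request
from datetime import datetime

# Constructed sample: a STIX 2.1 Indicator object, as a threat feed might deliver it.
SAMPLE_STIX_INDICATOR = {
    "type": "indicator",
    "spec_version": "2.1",
    "id": "indicator--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
    "created": "2024-03-01T10:15:00.000Z",
    "modified": "2024-03-05T08:00:00.000Z",
    "name": "Malicious C2 domain",
    "description": "Domain observed in a phishing campaign",
    "pattern": "[domain-name:value = 'c2.example.test']",
    "pattern_type": "stix",
    "valid_from": "2024-03-01T10:15:00.000Z",
}

# Assumed table and column names (check sys_dictionary on your instance).
INDICATOR_TABLE = "sn_ti_indicator"


def stix_to_glide_datetime(ts: str) -> str:
    """Convert a STIX timestamp (RFC 3339, always UTC, optional fractional
    seconds) to the 'YYYY-MM-DD HH:MM:SS' form glide_date_time fields accept."""
    dt = datetime.fromisoformat(ts.rstrip("Z"))
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def build_indicator_payload(stix: dict) -> dict:
    """Map the STIX fields onto the IoC form fields from the procedure above.

    Title       <- name (falls back to the STIX id)
    First Seen  <- valid_from (falls back to created)
    Last Seen   <- modified (falls back to First Seen)
    Notes       <- description, STIX id and pattern, so the origin is traceable
    Encountered count and Sourced count are system-maintained and not sent.
    """
    if stix.get("type") != "indicator":
        raise ValueError("expected a STIX indicator object, got %r" % stix.get("type"))
    first_seen = stix.get("valid_from") or stix["created"]
    last_seen = stix.get("modified") or first_seen
    note_lines = [stix.get("description", "").strip(), "STIX id: " + stix["id"]]
    if stix.get("pattern"):
        note_lines.append("Pattern: " + stix["pattern"])
    return {
        "name": stix.get("name") or stix["id"],
        "first_seen": stix_to_glide_datetime(first_seen),
        "last_seen": stix_to_glide_datetime(last_seen),
        "notes": "\n".join(line for line in note_lines if line),
    }


def create_indicator(instance_url: str, user: str, password: str, stix: dict) -> dict:
    """POST the record to /api/now/table/<table> with basic auth and return
    the created record. The user needs the sn_ti.write role."""
    payload = build_indicator_payload(stix)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{instance_url.rstrip('/')}/api/now/table/{INDICATOR_TABLE}",
        data=json.dumps(payload).encode(),
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    # Dry run: show the payload that would be posted, without contacting an instance.
    print(json.dumps(build_indicator_payload(SAMPLE_STIX_INDICATOR), indent=2))
    # create_indicator("https://example.service-now.com", "svc_ti", "secret", SAMPLE_STIX_INDICATOR)
```

Run the script as-is to see the payload; uncomment the create_indicator call (with a real instance URL and a service account holding sn_ti.write) to create the record. Once it exists, the related lists described in step 4 can be populated by linking observables and sources to it, just as for a record created through the form.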