Set Threat Intelligence properties

Threat Intelligence properties allow you to control how different aspects of the system function, including the setting of API keys.

Before you begin

Role required: sn_ti.admin

Procedure

  1. Navigate to Threat Intelligence > Administration > Properties.
  2. Set the following properties, as needed.
    Table 1. Properties for Threat Intelligence

    Property: The domain name to retrieve additional information for IP addresses/URLs (sn_ti.ip_lookup.web_site)
    Description: The domain name to use for retrieving additional information into your IoC database. This property is used by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    • Type: String
    • Default value: http://api.ipinfodb.com/v3/ip-country/
    • Location: Threat Intelligence > Administration > Properties
    Note: The ipinfodb.com third-party API is available at no extra charge and is used in many commercial software programs. If you replace it with a different domain name, you must also provide the API key in the next property.

    Property: The API key to be used for the domain, if any (sn_ti.ip_lookup.api_key)
    Description: The API key to use for retrieving additional information into your IoC database. This property is used (along with the sn_ti.ip_lookup.web_site property) by the ThreatAdditionalInfo script include to populate additional information on the Observables form.
    • Type: String
    • Default value: none
    • Location: Threat Intelligence > Administration > Properties

    Property: Lookup local IoC tables before sending to remote scanner (sn_ti.scan_ioc_before_sending)
    Description: If set to True, the Observable [sn_ti_observable] table is checked for a value matching the lookup request. If a match is found (that is, the same IP address, URL, or file hash value already exists), the lookup result is populated from the Observable [sn_ti_observable] record, which avoids an unneeded remote lookup. On the lookup request, the State field is set to Complete, the Result field is set to Failed, and the Internally populated field is set to True.
    If no matching value or attachment is found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
    • Type: Yes | No
    • Default value: Yes
    • Location: Threat Intelligence > Administration > Properties

    Property: Number of days local Observables are considered (sn_ti.scan_ioc_num_days)
    Description: If the Lookup local IoC tables before sending to remote scanner property (sn_ti.scan_ioc_before_sending) is set to True, only observables updated within the number of days specified here are compared with the value in the lookup request.
    If a match is found within that window, or if an attachment in the lookup request exists on an IoC observable, the lookup is not performed. The State field is set to Complete, and the Result field is set to Failed.
    If no matching value or attachment is found in the Observable [sn_ti_observable] table, the lookup proceeds normally.
    • Type: integer
    • Default value: 30
    • Location: Threat Intelligence > Administration > Properties

    Property: When an attack mode/method has not been received from any source for the specified number of days, mark it as inactive (sn_ti.attack_mode_inactivate_days)
    Description: Number of days after an attack mode/method was last received from any source before the record is marked inactive.
    • Type: integer
    • Default value: 360
    • Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Attack mode/method form by default, but you can add it. Inactive attack modes/methods cannot be selected on other forms.

    Property: When an indicator has not been received from any source for the specified number of days, mark it as inactive (sn_ti.indicator_inactivate_days)
    Description: Number of days after an indicator was last received from any source before the record is marked inactive.
    • Type: integer
    • Default value: 180
    • Location: Threat Intelligence > Administration > Properties
    Note: The Active check box is not visible on the Indicator form by default, but you can add it. Inactive indicators cannot be selected on other forms.
  3. Click Save.
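The following is an added example, not ServiceNow's own code, that models the decision the sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days properties control before a lookup request is sent to the remote scanner. The observable rows, the lookup-request objects and the function names are constructed for illustration; it assumes the day window applies to both value and attachment matches.

```javascript
// Added example (not ServiceNow code): stand-alone model of the local
// IoC check that sn_ti.scan_ioc_before_sending and sn_ti.scan_ioc_num_days
// control. Plain objects stand in for sn_ti_observable rows and for the
// lookup-request record; nothing here touches GlideRecord.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample rows from the local Observable [sn_ti_observable] table.
const SAMPLE_OBSERVABLES = [
  { value: '198.51.100.7', updated: '2024-05-01T00:00:00Z', attachments: [] },
  { value: 'http://bad.example/drop', updated: '2024-01-10T00:00:00Z', attachments: [] },
  { value: 'constructed-sha256-0001', updated: '2024-05-20T00:00:00Z', attachments: ['sample.bin'] },
];

// Property values as documented above (Yes -> true, 30 days); pass overrides to try other settings.
function properties(overrides) {
  return Object.assign({ scanIocBeforeSending: true, scanIocNumDays: 30 }, overrides || {});
}

// Decide whether a lookup request must go to the remote scanner or can be
// answered locally. On a local hit it returns the fields the page says are
// set on the request: State=Complete, Result=Failed, Internally populated=True.
// Assumption: the scanIocNumDays window applies to value and attachment matches alike.
function resolveLookup(request, observables, props, now) {
  if (!props.scanIocBeforeSending) {
    return { sendRemote: true };                 // property set to No: always look up remotely
  }
  const cutoff = now.getTime() - props.scanIocNumDays * DAY_MS;
  const match = observables.find(function (o) {
    if (Date.parse(o.updated) < cutoff) return false;   // too old to be considered
    const sameValue = request.value !== undefined && o.value === request.value;
    const sameAttachment = request.attachment !== undefined &&
      o.attachments.indexOf(request.attachment) !== -1;
    return sameValue || sameAttachment;
  });
  if (!match) {
    return { sendRemote: true };                 // no local hit: the lookup proceeds normally
  }
  return {
    sendRemote: false,
    state: 'Complete',
    result: 'Failed',
    internallyPopulated: true,
    populatedFrom: match.value,
  };
}
```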