Define an Indicator

  • Release version: Australia
  • Updated: 12 March 2026
  • Time required: 13 min

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center > Threat Intel Library > Indicators.
    2. Select Indicator.
    3. Click New.
      Note:
      Whenever you create a new object record for an observable, indicator, entity, or other object, a source record is created, a prompt message confirms that the new object record was created, and you are then redirected to the aggregated record.
    4. On the form, fill in the fields.
      Table 1. Details section
      ID: Unique ID of the indicator.
      Description: Description of the indicator.
      Name: Name of the indicator.
      Pattern: The detection pattern for this indicator, which may be expressed as a STIX Pattern.
      Pattern Type: The pattern language used in this indicator.
      Pattern Version: The version of the pattern language that is used for the data in the Pattern property. It must match the type of pattern data included in the Pattern property.
      Valid From: The time from which this indicator is considered a valid indicator of the behaviors it is related to or represents.
      Valid Until: The time after which this indicator should no longer be considered a valid indicator of the behaviors it is related to or represents.
      IOC Classification: The IOC classification of the indicator.
      Indicator Types: Indicates the categories of the indicator.
      Status: Indicates the status of the indicator.
      Platforms: Defines the platforms to which this indicator applies.
      TLP: Unique value that indicates the data sensitivity setting per TLP.
      Attack Phases: Represents the attack phase in a kill chain, such as LM or MITRE ATT&CK.
      Confidence: Enter the confidence for this indicator record. The confidence property identifies the confidence that the creator has in the correctness of their data. The confidence value MUST be a number in the range of 0-100.
      Threat Level: Indicates the threat level of the indicator record.
      Expiration Time: Specifies the expiration time of the indicator record.
      Threat Severity: Indicates the threat severity of the indicator record.
      Usage Categories: Categories that the observable falls under, such as botnet or phishing.
      First Seen: The time when this indicator record was first seen performing malicious activities.
      Last Seen: The time when this indicator record was last seen performing malicious activities.
      Source: Specifies the threat source from which this record is created.
      Revoked: Indicates that the object has been revoked and is no longer considered valid by the object creator.
      Table 2. Insights
      Notes: Add any additional notes for the indicator.
      Table 3. Additional Information
      Additional Context: Add any additional context for this indicator.
      Spec Version: The version of the STIX specification used to represent the indicator. The value of this property must be 2.1 for STIX objects defined according to this specification.
      Lang: Identifies the language of the text content in this object.
      Created: Specifies the time when the indicator was created in the system.
      Updated: Specifies the time when the indicator was last updated in the system.
      Extensions: Indicates the extensions of the indicator.
      Processing Status: Represents the processing status of this indicator.
    5. Click Save.
      After you save, a prompt message is displayed indicating that a new observable record is created. Click Continue to edit the record and create new relationships.
    6. Click Continue.
      Important:
      After you create a new observable record, the Prevent System Updates check box is displayed.

      Select this check box to prevent the system from updating the observable, indicator, or STIX object records after they are created.

      Table 4. Tags & Taxonomies
      Tags
      Select Tags: Select the tags that are associated with the indicator.
      Add Tags: Add new tags.
      Taxonomies
      Select Taxonomy: Select the taxonomy that is associated with the indicator.
      Add Taxonomy Values: Add the taxonomy values that are associated with the indicator.
      Table 5. Source Records
      The source record details for the indicator are displayed, if any.
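    As an added example (not part of this documentation or of the TISC product), the following Python checks a STIX 2.1 Indicator record against the constraints the Details and Additional Information fields above impose: Spec Version 2.1, a pattern with its pattern type (a STIX pattern starts with a bracketed observation expression), Valid Until later than Valid From, Confidence as an integer in 0-100, and a boolean Revoked flag. Run it before keying in or bulk-importing a record; the sample record, its identifier and URL are constructed values.

```python
import re
from datetime import datetime

# STIX 2.1 timestamps are RFC 3339 in UTC with a trailing Z, e.g. 2026-03-12T09:30:00Z
_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,6})?Z$")
_ID = re.compile(r"^indicator--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")  # "<type>--<UUID>"

def parse_ts(value):
    """Parse a STIX timestamp string; return None when it is malformed."""
    if not isinstance(value, str) or not _TS.match(value):
        return None
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt)

def validate_indicator(ind):
    """Return the list of problems in a STIX 2.1 Indicator dict; [] means it is acceptable."""
    problems = []
    if ind.get("spec_version") != "2.1":  # Spec Version field: must be 2.1
        problems.append("spec_version must be '2.1'")
    if not _ID.match(str(ind.get("id", ""))):
        problems.append("id must have the form indicator--<uuid>")
    pattern, ptype = ind.get("pattern"), ind.get("pattern_type")
    if not pattern or not ptype:  # Pattern and Pattern Type fields are both required
        problems.append("pattern and pattern_type are required")
    elif ptype == "stix" and not pattern.lstrip().startswith("["):
        problems.append("a STIX pattern must begin with an observation expression in [ ]")
    valid_from = parse_ts(ind.get("valid_from"))
    if valid_from is None:  # Valid From field is required
        problems.append("valid_from is required and must be an RFC 3339 UTC timestamp")
    if "valid_until" in ind:  # Valid Until field is optional but must follow Valid From
        valid_until = parse_ts(ind["valid_until"])
        if valid_until is None:
            problems.append("valid_until must be an RFC 3339 UTC timestamp")
        elif valid_from is not None and valid_until <= valid_from:
            problems.append("valid_until must be later than valid_from")
    conf = ind.get("confidence")  # Confidence field: integer 0-100 when present
    if conf is not None and (isinstance(conf, bool) or not isinstance(conf, int) or not 0 <= conf <= 100):
        problems.append("confidence must be an integer in the range 0-100")
    if "revoked" in ind and not isinstance(ind["revoked"], bool):
        problems.append("revoked must be true or false")
    return problems

# Constructed sample record (not taken from the documentation): the values the form collects.
SAMPLE_INDICATOR = {
    "spec_version": "2.1", "type": "indicator", "confidence": 70, "revoked": False,
    "id": "indicator--2f1d8a9c-4b5e-4c1a-9e2b-7d6f5a3c1b00",
    "name": "Constructed example: phishing landing page", "indicator_types": ["malicious-activity"],
    "pattern": "[url:value = 'http://phish.example.invalid/login']", "pattern_type": "stix",
    "pattern_version": "2.1", "valid_from": "2026-03-12T00:00:00Z", "valid_until": "2026-06-12T00:00:00Z",
}
```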

    What to do next

    You can now click any of the following related lists to view additional information about objects associated with the indicators.
    Table 6. Related Records
    MITRE Techniques: Lists the MITRE techniques related to this indicator.
    Attack Patterns: Lists the attack pattern source records, which describe the methods adversaries use in attempting to compromise targets, that are related to this indicator.
    Campaigns: Lists the campaign source records, which describe a set of malicious activities or attacks that occur over time against a specific set of targets, that are related to this indicator.
    Courses of Action: Lists the courses of action related to this indicator.
    Data Sources: Lists the data sources related to this indicator.
    Data Components: Lists the data components related to this indicator.
    Identities: Lists the identities related to this indicator.
    Indicators: Lists the indicators related to this indicator.
    Note:
    This section also contains the potential relationships between two indicators. For more information, see Confirm indicator-indicator potential relationships, and see Define indicator-indicator relationships for the confirmed relationships between the two observables.
    Infrastructure: Lists the infrastructure source records, which describe systems, software services, and any associated physical or virtual resources intended to support some purpose of an attack, that are related to this indicator.
    Intrusion Sets: Lists sets of adversarial behaviors and resources with common properties that are related to this indicator.
    Locations: Lists the geographical locations associated with the object.
    Malware: Lists the malware source records related to this indicator.
    Marking Definitions: Lists the marking definitions associated with this object.
    Malware Analysis: Lists the metadata and results of a particular static or dynamic analysis performed on a malware instance associated with this indicator.
    Observables: Lists the observable records related to this indicator.
    Observed Data: Lists the observed data (cyber security related entities such as files, systems, and networks) associated with this indicator.
    Sightings: Lists the sighting source records associated with this object.
    Threat Actors: Lists changes associated with the observable.
    Threat Events: Lists the events or situations that have the potential to cause undesirable consequences or impact and are associated with the indicator.
    Threat Groupings: Lists the threat groupings, that is, objects that have a shared context.
    Threat Notes: Lists the threat notes, which convey information that provides further context or analysis, associated with the indicator.
    Threat Opinions: Lists the threat opinions, each an assessment of the accuracy of the information, associated with the indicator.
    Threat Reports: Lists the threat reports associated with this indicator.
    Tools: Lists the tools associated with this object.
    Vulnerabilities: If the observable is an IP address, this list shows any resources (configuration items) that have a matching IP address.
    Related Cases: Lists the related cases associated with this indicator.
    Related Case Tasks: Lists the related case tasks associated with this indicator.
    Related Canvases: Lists the related canvases associated with this indicator.
    Indicators References: List of external references that describe this indicator.
    Note:
    1. You can link and unlink the related records associated with this object. For more information, see Link Threat Intel Related Records.
    2. From the Related Records section, you can also confirm the relationships between two observables using the Potential Relationships section available on the Indicators form view. For more information, see Confirm Potential Relationships from Related Records.
    3. You can add indicators to cases. For more information, see Add to Case.