Components installed with Threat Intelligence Security Center
Several types of components are installed when you download and activate the Threat Intelligence Security Center application, including user roles and properties.
Properties installed
Role required: sn_sec_tisc.admin
Users with the Security Administrator [sn_sec_tisc.admin] role can modify them.
| Property | Usage |
|---|---|
| Properties for Threat Intelligence Security Center | |
| sn_sec_tisc.disable_correlation_rules | Disables all correlation rules. To disable only selected correlation rules, use the Active field on the individual correlation rule instead. |
| sn_sec_tisc.aggregates_for_calculator | Enables or disables processing of aggregates in the threat score calculator feature. |
| sn_sec_tisc.sighting_search_raw_data_rows | Number of rows of raw data saved when a Sighting Search is performed. Range 0 - 100. |
| sn_sec_tisc.associate_ci_with_sighting_search | Associates Sighting Search results with CIs in the CMDB. |
| sn_sec_tisc.sn_sec_tisc_case.defang_record_list_urls | Controls whether URLs shown in record lists are defanged. |
| sn_sec_tisc.auto_rollup_mitre_data | Automatically rolls up MITRE technique(s) to case(s) from the associated objects or security incidents. |
| sn_sec_tisc.show_all_tactics_reporting | If true, shows all tactics (including tactics that have no techniques associated with the case) in the MITRE lists rendered in the report. |
| sn_sec_tisc.reporting_email_template_sn_sec_tisc_case | Sys ID of the email client template for the Case (sn_sec_tisc_case) table used when sharing a report. |
| sn_sec_tisc.tlp_default_value | Default TLP level applied when creating a new record. If the TLP is not set manually on the form, this value is used. |
| sn_sec_tisc.logging.verbosity | Logging level: debug, info, warn, error. |
| Properties for Threat Intelligence Feeds | |
| sn_sec_tisc.taxii.http.max_timeout | Maximum time in seconds an outbound HTTP connection waits to fetch TAXII collection data. |
| sn_sec_tisc.taxii.max_page_size | Maximum number of objects retrieved in one REST call from a TAXII server (applicable only to TAXII versions 2.0 and 2.1). |
| sn_sec_tisc.taxii2.retry_count | Maximum number of retries for a failed TAXII 2.x REST call. |
| sn_sec_tisc.cyware_taxii.max_page_size | Maximum number of objects retrieved in one REST call from a Cyware TAXII server. Note: Specifies the page size used when fetching data from TAXII collections related to the Cyware TAXII Feed. For all other TAXII collections, the page size defaults to the value defined in sn_sec_tisc.taxii.max_page_size. |
| sn_sec_tisc.crowdstrike_api_limit | Number of records to fetch at a time from CrowdStrike. The higher the number, the more memory is consumed processing the payload. |
| sn_sec_tisc.crowdstrike_indicator_batch_size | Number of indicators pulled in a single API call. Note: This is applicable only when the integration doesn't find the necessary present in the system. |
| sn_sec_tisc.crowdstrike_actor_batch_size | Number of actors pulled in a single API call. Note: This is applicable only when the integration doesn't find the necessary present in the system. |
| sn_sec_tisc.crowdstrike_report_batch_size | Number of reports pulled in a single API call. Note: This is applicable only when the integration doesn't find the necessary present in the system. |
| sn_sec_tisc.crowdstrike_offset_limit_total | Allowed total of offset plus limit for the CrowdStrike API. |
| Properties for REST APIs | |
| sn_sec_tisc.api_maximum_page_size_limit | Maximum page size (maximum number of observables returned in the response) for the Observables Fetch API. Increasing it to a high value is not recommended because it can affect API response time. |
| sn_sec_tisc.add_obs_api_max_records | Maximum number of observables that can be sent in the request body of the Observables Add API. Increasing it to a high value is not recommended because it can affect API response time. |
| Properties for Webhooks | |
| sn_sec_tisc.webhook_max_event_batch_size | Maximum number of events sent in one webhook request. The batch size is capped at 2000 even if a higher value is set in this property. |
| sn_sec_tisc.webhook_retry_count | Number of times a failed request is retried before it is marked as an error and processing moves on to the next batch of events. The retry count is capped at 10 even if a higher value is set in this property. |
| sn_sec_tisc.webhook_retry_interval | Number of seconds to wait before re-attempting a failed batch. The wait doubles with each retry: for example, with retry_count 3 and retry_interval 30, retries fire after 30, 60 and 120 seconds. The initial retry interval is capped at 300 seconds even if a higher value is set in this property. |
| sn_sec_tisc.webhook_ignore_threat_score_reapply | Ignores webhook events triggered by a threat score re-apply. |
| Properties for Investigation Canvas | |
| sn_sec_tisc.canvas_suspend_reLayout | Setting the value to true adds new nodes to the top left corner; false adds them to the center of the canvas. |
| Properties for export in CTI formats | |
| sn_sec_tisc.stix_export_limit | Maximum number of rows that can be exported to a STIX 2.1 file. |
| sn_sec_tisc.export_journal_fields | Include Journal type fields in the export file. |
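The webhook properties above interact: a failed batch blocks the queue until every retry is exhausted, and the three ceilings (2000 events, 10 retries, 300 seconds initial interval) bound how long that can take. The following is an added example, not ServiceNow's own code: it takes the property values as strings (the form gs.getProperty() returns them in, so no instance is needed to run it), applies the documented caps, and derives the retry schedule and the worst-case time a single bad endpoint can hold up delivery. The fallback values used when a property is unset are assumptions for illustration, not documented defaults.

```javascript
// Added example (not part of the TISC application code). Models the documented
// ceilings on the webhook properties and derives the retry schedule from them.

// Hard ceilings stated in the property table.
const WEBHOOK_CAPS = {
  maxEventBatchSize: 2000, // sn_sec_tisc.webhook_max_event_batch_size
  retryCount: 10,          // sn_sec_tisc.webhook_retry_count
  retryInterval: 300,      // sn_sec_tisc.webhook_retry_interval (seconds)
};

// Fallbacks when a property is missing or malformed. ASSUMPTION: these are
// illustrative values, not the application's documented defaults.
const ASSUMED_DEFAULTS = { batchSize: 100, retryCount: 3, retryInterval: 30 };

// Parse a property string (as returned by gs.getProperty) as a non-negative
// integer; anything else falls back to the supplied default.
function parseIntProperty(value, fallback) {
  const n = parseInt(value, 10);
  return Number.isInteger(n) && n >= 0 ? n : fallback;
}

// Resolve the effective settings: parse each property, then clamp to its cap.
// `props` is a plain object keyed by property name.
function effectiveWebhookSettings(props) {
  return {
    batchSize: Math.min(
      parseIntProperty(props['sn_sec_tisc.webhook_max_event_batch_size'], ASSUMED_DEFAULTS.batchSize),
      WEBHOOK_CAPS.maxEventBatchSize),
    retryCount: Math.min(
      parseIntProperty(props['sn_sec_tisc.webhook_retry_count'], ASSUMED_DEFAULTS.retryCount),
      WEBHOOK_CAPS.retryCount),
    retryInterval: Math.min(
      parseIntProperty(props['sn_sec_tisc.webhook_retry_interval'], ASSUMED_DEFAULTS.retryInterval),
      WEBHOOK_CAPS.retryInterval),
  };
}

// Seconds to wait before each retry of a failed batch. The wait doubles per
// attempt, matching the documented 30, 60, 120 example for three retries.
function retrySchedule(settings) {
  const waits = [];
  let wait = settings.retryInterval;
  for (let i = 0; i < settings.retryCount; i++) {
    waits.push(wait);
    wait *= 2;
  }
  return waits;
}

// Total seconds a single failing batch can block the queue before it is
// marked as error and the next batch is processed (sum of the schedule).
function totalRetryWindow(settings) {
  return retrySchedule(settings).reduce((sum, w) => sum + w, 0);
}

// Split queued event IDs into batches no larger than the effective batch size.
function batchEvents(eventIds, settings) {
  const batches = [];
  for (let i = 0; i < eventIds.length; i += settings.batchSize) {
    batches.push(eventIds.slice(i, i + settings.batchSize));
  }
  return batches;
}

// Constructed sample: an operator set every property above its ceiling.
const sampleProps = {
  'sn_sec_tisc.webhook_max_event_batch_size': '5000',
  'sn_sec_tisc.webhook_retry_count': '50',
  'sn_sec_tisc.webhook_retry_interval': '900',
};
const effective = effectiveWebhookSettings(sampleProps);
console.log(effective, retrySchedule(effective), totalRetryWindow(effective));
```

With every property pushed past its cap, the effective settings collapse to 2000 / 10 / 300 and the retry schedule runs 300, 600, 1200, ... seconds, so one unreachable endpoint can hold a batch (and everything queued behind it) for 306900 seconds, roughly three and a half days, before it is marked as error. Keep retry_count and retry_interval small enough that this window is acceptable for your SOC's alerting path, or set sn_sec_tisc.webhook_ignore_threat_score_reapply to true to avoid queueing bursts of score re-apply events behind a stuck batch.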
Scheduled Jobs
The following table describes the scheduled jobs:
| Job | Description |
|---|---|
| Aggregate Indicator Source Records | Aggregates Indicator source records. |
| Aggregate Object Source Records | Aggregates Object source records. |
| Aggregate Observable Source Records | Aggregates Observable source records. |
| Cleanup of Stale Imports | Cleans up stale import job records. |
| Cleanup of unused new nodes of canvas | Cleans up unused new nodes of canvas. |
| Cleanup Secure File Download Records | Cleans up secure file download records. |
| De-duplicate Indicator Source Records | Deduplicates Indicator source records. |
| De-duplicate Object Source Records | Deduplicates Object source records. |
| De-duplicate Observable Source Records | Deduplicates Observable source records. |
| Inactivate Expired Indicators | Inactivates expired indicator records. |
| Inactivate Expired Objects | Inactivates expired object records. |
| Inactivate Expired Observables | Inactivates expired observable records. |
| Migrate Data from TI to TISC | Processes pending migration job run records. |
| Populate aggregated records for indicator source records | Identifies the parent aggregated record for newly created indicator source records. |
| Populate aggregated records for object source records | Identifies parent aggregated record for newly created object source records. |
| Populate aggregated records for observable source records | Identifies parent aggregated record for newly created observable source records. |
| Populate TISC Reference in TI | Populates reference of TISC aggregated observable in TI observable record. |
| Process Approved Imports | Processes approved import jobs. |
| Process Imported MISP Dsm Queue Records | Processes staged MISP feed ingestion queue records. |
| Process Imported MISP Indicator Import Queue Records | Processes staged MISP data ingested from import intelligence |
| Process Imported STIX Import Queue Records | Processes staged STIX data ingested from import intelligence |
| Process Imported STIX Import Queue Records - Ingestion | Processes staged STIX data ingested from threat feeds. |
| Process Pending Case Artifacts Migration | Migrates case artifacts from Threat intelligence application to Threat Intelligence security center. |
| Process pending threat source ingestion Queue Records | Processes pending source ingestion queue records. |
| Process Queued Entities For Threat Score Calculator | Processes pending threat score calculator queue entries. |
| Process Queued MISP Dsm Queue Records | Processes queued MISP data ingested from threat feed |
| Process Queued MISP Indicator Import Queue Records | Processes queued MISP data ingested from import intelligence |
| Process Queued STIX Import Queue Records - Ingestion | Processes queued STIX data ingested from threat feeds. |
| Process Queued STIX Indicator Import Queue Records | Processes queued STIX data ingested from import intelligence |
| Process Webhook Queue | Processes pending webhook queue records. |
| Re-Aggregate Source Records | Re-aggregates source records for which aggregated records are deleted. |
| Remove filtered source record | Cleans up filtered source records |
| Resume CrowdStrike Integration Process Checker / Reprocess CrowdStrike Source Records | Resumes CrowdStrike feed integration runs that are waiting on a rate limit / reprocesses source records for aggregating relationships. |
| Sync False Positive Observables Count | Synchronizes observable false positive counts with the false positive counts per source. |
| TISC Create Webhook Batches | Creates batches of queued webhook queue entries for processing. |
| TISC Fire Webhooks | Executes pending webhook batches |
| Updating Relationship Archived Column | Updates relationship source and target records archival status |