articles/sentinel/work-with-threat-indicators.md
Lines changed: 22 additions & 1 deletion
@@ -67,13 +67,34 @@ Optimize TI from your sources with ingestion rules. Curate existing TI with the
67
67
68
68
### Optimize threat intelligence feeds with ingestion rules
69
69
70
-
Reduce noise from your TI feeds, extend validity
70
+
Reduce noise from your TI feeds, extend the validity of high value indicators, and add meaningful tags to incoming objects. These are just some of the use cases for ingestion rules. Here are the steps for extending the validity date on high value indicators.
71
+
72
+
1. Select **Ingestion rules** to open a whole new page to view existing rules and construct new rule logic.
73
+
74
+
:::image type="content" source="media/work-with-threat-indicators/select-ingestion-rules.png" alt-text="Screenshot showing threat intelligence management menu hovering on ingestion rules.":::
75
+
76
+
1. Enter a descriptive name for your rule. The ingestion rules page has ample rule for the name, but it's the only text description available to differentiate your rules without editing them.
77
+
78
+
1. Select the **Object type**. This use case is based on extending the `Valid from` property which is only available for `Indicator` object types.
79
+
80
+
1.**Add condition** for `Source``Equals` and select your high value `Source`.
81
+
1.**Add condition** for `Confidence``Greater than or equal` and enter a `Confidence` score.
82
+
83
+
1. Select the **Action**. Since we want to modify this indicator, select `Edit`.
84
+
1. Select the **Add action** for `Valid until`, `Extend by`, and select a time span in days.
85
+
1. Consider adding a tag to indicate the high value placed on these indicators, like `Extended`. The modified date is not updated by ingestion rules.
86
+
1. Select the **Order** you want the rule to run. Rules run from lowest order number to highest. Each rule evaluates every object ingested.
87
+
1. If the rule is ready to be enabled, toggle **Status** to on.
88
+
1. Select **Add** to create the ingestion rule.
89
+
90
+
:::image type="content" source="media/work-with-threat-indicators/new-ingestion-rule.png" alt-text="Screenshot showing new ingestion rule creation for extending valid until date.":::
71
91
72
92
### Curate threat intelligence with the relationship builder
73
93
74
94
Connect threat intelligence objects with the relationship builder. There's a maximum of 20 relationships in the builder at once, but more connections can be created through multiple iterations and by adding relationship target references for new objects.
75
95
76
96
1. Start with an object like a threat actor or attack pattern where the single object connects to one or more objects, like indicators.
97
+
77
98
1. Add the relationship type according to the best practices outlined in the following table and in the [STIX 2.1 reference relationship summary table](https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html#_6n2czpjuie3v):
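Review bot: Step 3 of the new numbered list names the wrong property: it says the use case is "based on extending the `Valid from` property", but the intro sentence ("extending the validity date"), step 7 ("**Add action** for `Valid until`, `Extend by`") and the closing screenshot alt text ("extending valid until date") all describe `Valid until`; change step 3 to `Valid until` so the object-type restriction matches the action actually configured. Two items also break out of the numbered list because the space after the marker is missing and the two code spans are run together, which makes adjacent backticks merge into one malformed span: "1.**Add condition** for `Source``Equals`" and "1.**Add condition** for `Confidence``Greater than or equal`" should read "1. **Add condition** for `Source` `Equals` ..." and "1. **Add condition** for `Confidence` `Greater than or equal` ...". Minor wording in the same hunk: "ample rule for the name" should be "ample room for the name", and "Select the **Order** you want the rule to run" reads better as "Select the **Order** in which you want the rule to run".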