Manage Threat Indicators

• View all threat indicators forwarded to AutoFocus.
  Click Indicators on the navigation pane to access the Indicator Store.
• Filter the indicators.

  Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click Search:

  • Upload Source—The app that forwarded the indicator to AutoFocus.
  • Type—The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact Types for definitions of each indicator type. In addition to what are considered Threat Indicators in AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6, registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and Ssdeep fuzzy hash.
  • Indicator—The exact value of the indicator.
  • Indicator Fragments—A partial value of the indicator. Use this search criteria if you only know part of an indicator.
  • Time—The date and time that AutoFocus received the indicator.
  • IPv4—A criteria for searching for IP addresses in a range.
    • Use the filter IPv4matches to find an IP address that belongs to a range.
    • Use the filter IPv4matches list to find multiple IP addresses in a range.
  • First Seen—The date and time that the indicator was first seen in the threat feed.
  • Last Seen—The date and time that the indicator was most recently seen in the threat feed.
  • Feed Source—The name of the threat feed from which an indicator was retrieved.
  • Confidence—A confidence rating that the feed owner associates with the indicators in a feed. The confidence level is measured on a 0-100 scale, with 0 indicating that feed contents have not been verified and 100 indicating that the feed contents are confirmed accurate.
    When constructing an AutoFocus feed query, you are limited to
  • Share Level—The share level that the feed owner associates with the indicator.
  • Threat Type—A default value (malicious) that MineMeld assigns to indicators.
  • Metadata—Additional information about the indicator that the feed owner provided.
  • Expired—If the value is True, the indicator is aged-out, that is, removed from its source feed. If the value is False, the indicator is active.
• Import or export filters for the indicators.

  • Import Search to paste a query for filtering indicators from another AutoFocus user.
  • Export Search to share a query for filtering indicators to another AutoFocus user.
• Check how much space for storing indicators is remaining.

  View all indicators (remove any existing filters), and check the percentage of indicator storage currently in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of indicators that it can store (180 million indicators).

  Check the status of the indicator storage periodically. If you are close to the maximum limit, Remove indicators from the store.
• Remove indicators from the store.

  Click the trash icon to remove all indicators from the store.

  To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only the indicators that match the filter criteria. For example, you can apply the filter ExpiredisTrue and click the trash icon to remove only expired indicators from the store.
• Use the Indicator Store as a source of indicators for MineMeld.

  Create MineMeld Miner to create an AutoFocus indicator store miner that will extract artifacts from the Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a filter for the indicators before clicking this button, the miner will be configured to extract only indicators that match the filter criteria.
• View additional information about the indicator provided by its source (i.e., the feed owner).

  Expand the entry for an indicator to check if the feed owner provided supplementary attributes or metadata about the indicator.