Manage Threat Indicators

View and keep track of all Threat Indicators that you have forwarded to AutoFocus using the MineMeld app. These indicators help you Find High-Risk Artifacts in your AutoFocus search results. AutoFocus can store up to 180 million indicators, and all dates and times are in Pacific Time (PST/PDT). Filter the indicators by certain attributes and export them to the firewall or other security and information event management (SIEM) platforms through MineMeld.
  • View all threat indicators forwarded to AutoFocus.
    Click
    Indicators
    on the navigation pane to access the Indicator Store.
  • Filter the indicators.
    indicator-store-add.png
    Add or remove conditions for filtering the displayed indicators. Filter by the following criteria and click
    Search
    :
    • Upload Source
      —The app that forwarded the indicator to AutoFocus.
    • Type
      —The type of information that an indicator is (examples: IPv4, Mutex, URL). See Artifact Types for definitions of each indicator type. In addition to what are considered Threat Indicators in AutoFocus, AutoFocus can receive the following additional indicator types from MineMeld: IPv6, registry key, process, filename, SHA256 hash, SHA1 hash, MD5 hash, and Ssdeep fuzzy hash.
    • Indicator
      —The exact value of the indicator.
    • Indicator Fragments
      —A partial value of the indicator. Use this search criteria if you only know part of an indicator.
    • Time
      —The date and time that AutoFocus received the indicator.
    • IPv4
      —A criteria for searching for IP addresses in a range.
      • Use the filter
        IPv4
        matches
        to find an IP address that belongs to a range.
      • Use the filter
        IPv4
        matches list
        to find multiple IP addresses in a range.
    • First Seen
      —The date and time that the indicator was first seen in the threat feed.
    • Last Seen
      —The date and time that the indicator was most recently seen in the threat feed.
    • Feed Source
      —The name of the threat feed from which an indicator was retrieved.
    • Confidence
      —A confidence rating that the feed owner associates with the indicators in a feed. The confidence level is measured on a 0-100 scale, with 0 indicating that feed contents have not been verified and 100 indicating that the feed contents are confirmed accurate.
      When constructing an AutoFocus feed query, you are limited to
    • Share Level
      —The share level that the feed owner associates with the indicator.
    • Threat Type
      —A default value (
      malicious
      ) that MineMeld assigns to indicators.
    • Metadata
      —Additional information about the indicator that the feed owner provided.
    • Expired
      —If the value is
      True
      , the indicator is
      aged-out
      , that is, removed from its source feed. If the value is
      False
      , the indicator is active.
  • Import or export filters for the indicators.
    indicator-store-import.png
    • Import Search
      to paste a query for filtering indicators from another AutoFocus user.
    • Export Search
      to share a query for filtering indicators to another AutoFocus user.
  • Check how much space for storing indicators is remaining.
    indicator-store-percentage.png
    View all indicators (remove any existing filters), and check the percentage of indicator storage currently in use. AutoFocus stops receiving indicators from MineMeld when it reaches the maximum number of indicators that it can store (180 million indicators).
    Check the status of the indicator storage periodically. If you are close to the maximum limit, Remove indicators from the store.
  • Remove indicators from the store.
    indicator-store-delete.png
    Click the trash icon to remove all indicators from the store.
    To remove only a subset of indicators, first Filter the indicators. Then, click the trash icon to remove only the indicators that match the filter criteria. For example, you can apply the filter
    Expired
    is
    True
    and click the trash icon to remove only expired indicators from the store.
  • Use the Indicator Store as a source of indicators for MineMeld.
    indicator-store-minemeld.png
    Create MineMeld Miner
    to create an AutoFocus indicator store miner that will extract artifacts from the Indicator Store. This is one of the ways to Forward AutoFocus Indicators to MineMeld. If you applied a filter for the indicators before clicking this button, the miner will be configured to extract only indicators that match the filter criteria.
  • View additional information about the indicator provided by its source (i.e., the feed owner).
    indicator-store-metadata.png
    Expand the entry for an indicator to check if the feed owner provided supplementary attributes or metadata about the indicator.

Recommended For You