Adding and Editing an Indicator

Scenarios

The indicator library list displays information about all your indicators.

This section describes how to create and edit an indicator.

• Adding an Indicator: If a potential threat to the system and users is detected, you can add indicators to record the threat. In this way, the security personnel can quickly take measures to protect personnel, information, and assets, and accelerate threat detection and rectification.
• Editing an Indicator: If the threat level, status, and owner of an indicator changes, you can edit the indicator information.

Adding an Indicator

1. Log in to the SecMaster console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 1 Workspace management page
   

5. In the navigation pane on the left, choose Threats > Indicators.
6. On the Indicators page, click Add. On the Add page, set parameters.

   Table 1 Indicator parameters

   Parameter	Description
   Indicator Name	Name of a user-defined threat indicator. The value can contain: Only uppercase letters, lowercase letters, digits, and the special characters: -_ ()
   Type	Indicator type. Options: IPv6, URL, Other, Email, Domain name, and IPv4.
   Threat Degree	Select a threat degree level. Black: dangerous Gray: minor White: secure
   Data Source Product Name	Data source product name
   Data Source Type	Type of the data source. The options are Cloud Service, Third-party, and Private.
   Status	Indicator status. Possible values are Open, Closed, and Revoked. Open Closed: If the threat corresponding to the indicator is eliminated, you can close the indicator. Revoked: If an indicator is incorrect or the threat scenario described by the indicator does not exist, you can revoke or delete the indicator. Deleted indicators cannot be restored. Exercise caution when performing this operation.
   Confidence	Reliability of the selected indicator. The value ranges from 80 to 100.
   Owner	Primary owner of the indicator.
   Labels	Label of a user-defined counter.
   First Occurrence Time	First occurrence time of the indicator.
   Last Occurrence Time	Latest occurrence time of the indicator.
   Expiration Time	Expiration time of the indicator.
   Invalid or not	Whether to invalidate the indicator. The default value is No.
   Granularity	Granularity of the indicator. The options are First time observed, In-house data, To be purchased, and Queried from external networks.
   Display Name	If Type is set to Email, you can customize the email display name.
   Familial	If Type is set to Domain name, you can customize the family the domain name belongs to.
   Email Account	If Type is set to IPv6, IPv4, Email, or Domain name, you can configure a custom email account.
   Region	If Type is set to IPv6 or IPv4, you can configure the region an IP address belongs to.
   URL	If Type is set to URL, you can customize URL information.
   DNS Category	If Type is set to Domain name, you can customize the DNS category for the domain name.
   Description	Description of the custom indicator.
   Value	Enter the indicator value, such as IP, URL, and domain.

7. Click OK.

Editing an Indicator

1. Log in to the SecMaster console.
2. Click in the upper left corner of the management console and select a region or project.
3. Click in the upper left corner of the page and choose Security & Compliance > SecMaster.
4. In the navigation pane on the left, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
   Figure 2 Workspace management page
   

5. In the navigation pane on the left, choose Threats > Indicators.
6. On the Indicators page, locate the target indicator and click Edit in the Operation column.
7. On the Edit page that is displayed, edit indicator parameters.

   Table 2 Indicator parameters

   Parameter	Description
   Indicator Name	Name of a user-defined threat indicator. The value can contain: Only uppercase letters, lowercase letters, digits, and the special characters: -_ ()
   Type	Indicator type.
   Threat Degree	Select a threat degree level. Black: dangerous Gray: minor White: secure
   Data Source Product Name	Name of the data source, which cannot be changed
   Data Source Type	Type of the data source, which cannot be changed
   Status	Indicator status. Possible values are Open, Closed, and Revoked.
   Confidence	Reliability of the selected indicator. The value ranges from 80 to 100.
   Owner	Primary owner of the indicator.
   Labels	Label of a user-defined indicator.
   First Occurrence Time	First occurrence time of the indicator.
   Last Occurrence Time	Latest occurrence time of the indicator.
   Expiration Time	Expiration time of the indicator.
   Invalid or not	Whether to invalidate the indicator. The default value is No.
   Granularity	Granularity of the indicator. The options are First time observed, In-house data, To be purchased, and Queried from external networks.
   MD5	Enter the MD5 value of the indicator.
   SHA1	Enter the SHA1 value of the indicator.
   SHA256	Enter the SHA-256 value of the indicator.
   File type	Enter the file type of the indicator.
   Compile Time	Enter the compilation time of the indicator.
   File Name	Enter the file name of the indicator.
   File MIME Type	Enter the MIME type of the indicator file.
   Familial	Enter the family the indicator belongs to.
   Category	Enter the type of the indicator.

8. Click OK.