All Collections
LookingGlass scoutTHREAT Documentation
All scoutTHREAT User Documentation Articles
scoutTHREAT - Updating scoutTHREAT Objects with New TICE Information
scoutTHREAT - Updating scoutTHREAT Objects with New TICE Information

Validating intelligence items

Written by Benjamin Dewey
Updated over a week ago

The following steps are for validating new intelligence data items in TICE that may be similar to those already stored in your scoutTHREAT system. By validating the item, it will download and update what's already in your scoutTHREAT system.

1. Navigate to the Validation page in the TICE Module.

2. The Validation page will show a list of intelligence data items. Click Review to view the item's details.

3. On the Item validation page, you will see the Destination for the data which should be scoutTHREAT.

4. If the item you selected to review is also in scoutTHREAT you will see three-column table.

5. The SCOUTTHREAT STORED OBJECT column provides details of the intelligence data item already stored in your scoutTHREAT system.

The EXTENSIONS field contains the item's unique identifier information written in JXEL. It will include details of who created the object, creation and modification date, etc. The information in this field may differ from the incoming TICE data item.

6. The OBJECT INCOMING FROM TICE column is the TICE data intelligence that contains new or updated information about the object. In the image below, notice that the there is more information in the Description field here than in the Description for the object stored in scoutTHREAT.

The details in this EXTENSIONS field refer to the source of the incoming intelligence data item, which can be another tenant, the TICE cloud, or a data feed (e.g., MITRE, MISP). This field will not reveal the source's name because TICE intelligence is shared anonymously.
7. The RESOLUTION column will be the object stored in scoutTHREAT as a result of the validation process. Here, each data field is compared by TICE with what is on the right and left columns. If there is a data conflict due to values being different on each side then it will be highlighted in red. The conflicting data portions will also be highlighted on each side.

When there are conflicts between what is stored in scoutTHREAT and TICE, you can choose to accept either side completely or you can choose to use the small arrows to select the data you want from either side. In some cases, you will have the choice to merge the data by clicking Accept bot.

8. After you have read all the information on the columns and chosen what will go on the Resolution column, click Approve. You will see a banner on the top left side of the Validation page stating that the object has been approved.

9. Navigate to scoutTHREAT and to the data item which you approved in the TICE Module to ensure its information was updated. If you chose to Reject the data item in the TICE Module, then the information on scoutTHREAT will remain the same.

Related Content

Did this answer your question?