All Collections
LookingGlass scoutTHREAT Documentation
All scoutTHREAT User Documentation Articles
scoutTHREAT - Creating an Indicator Object
scoutTHREAT - Creating an Indicator Object

Steps for creating a new Indicator Object

B
Written by Benjamin Dewey
Updated over a week ago

1. To add a new Indicator Object, navigate to Intelligence, then click on Indicator.

2. If any exist, a list of Indicator objects will load with the item Name, Type, date Created and Modified.

3. Click on Create New on the top right side of the page.

4. Enter a Name and Description for your Indicator object profile.

5. On the right side of the page, under Information select the Indicator Type from the drop-down menu.

6. Next, provide the name of the STIX Pattern or another appropriate language (e.g., SNORT, YARA, etc.) for this Indicator. For more information, refer to STIX Version 2.1 Documentation online.

7. Now, choose from the drop-down menu under Pattern Type, the corresponding pattern language for this Indicator.

8. It is optional to provide a Pattern Version which is the version of the pattern language that is used for the data in the Pattern property.

9. It is optional to add a Valid From date which is the time from which this Indicator is considered a valid indicator of the behaviors it is related or represents. To add dates, click on Select Date fields to choose from the calendar.

10. It is also optional to add a Valid Until date which is the time at which this Indicator should no longer be considered a valid indicator of the behaviors it is related to or represents. To add dates, click on Select Date fields to choose from the calendar.

11. Kill Chain Phases describe the various stages of a cyber attack. You have the option to select a phase for the Indicator you are creating. Click on Type to search and choose from the drop-down menu the corresponding kill chain phase.

12. Click the + icon in the center of the page to save all your information.

13. Next, you can choose to add a Note to provide further context or analysis about the object, as well as an Opinion to assess the accuracy of the intelligence data.

For steps on adding Notes and Opinions, see Adding Notes to Objects and Adding Opinions to Objects.


14. After saving, you will have the option to add Relationships and External References to the object.

15. To add a new Relationship, click on +Add.

16. A new window will display for adding a new relationship, you will see the following:

  • Source will display the current object which is the name of the object.
    You can select from the Relationship type drop-down menu the type of relationship the object has to the Target.
    ​

  • Depending on the Relationship type you select, a Target can be an Identity Object or another Intelligence Object. To add a target, type its name in the Target field.

    NOTE: A Target must already be in the system for it to appear in the field.
    ​

  • Depending on the object, you can the swap the Source and Target names by clicking on Swap & Target.

  • Under Description you can add details about the Relationship shared with the object you are creating. Click Add when you are done.

17. Newly added relationships will be listed under Relationships.

18. You can also add already existing External References to an Indicator Object.

  • Click on +Add.

  • A new window will display with a drop-down list of External References you can select from. Choose the name of the External Reference you want then click Add.

    NOTE: You can add one or more External References to an object.

19. Newly added references will be listed under External References.

20. Several icons will appear at the top of the page:

#1. This icon is for deactivating the object profile.

#2. This icon is for sharing the object on TICE.

#3. This icon is for editing the object profile information.

Related Content

scoutTHREAT User Documentation Table of Contents


​

Did this answer your question?