Factors That Affect the Action Taken
Many factors determine when the system takes action and what action the system takes when it detects traffic that matches a threat intelligence director observable.
- Features like Security Intelligence take action before threat intelligence director does. For details, see Threat Intelligence Director-Management Center Action Prioritization.
- Generally, the action configured for an observable (which may differ from the action configured for its parent indicator or source) is the action that will be taken.
- Because STIX sources can contain complex indicators, the Action setting for the source can be set only to Monitor. However, individual simple indicators or observables contained in a STIX feed or file can be set to Block.
- Action settings for indicators and observables can be inherited or individually configured to override inheritance. See Inheritance in Threat Intelligence Director Configurations and Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level.
- Traffic that might otherwise be actionable might be on a Do Not Block list. For details, see Add Threat Intelligence Director Observables to a Do Not Block List.
- The configured action is taken for both partially- and fully-realized incidents.
- An incident based on a complex indicator can be partially blocked. This can occur if the indicator includes both monitored and blocked observations.
- Pausing publishing affects actions the system takes. See About Pausing Publishing and Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level.
- Pausing the threat intelligence director feature prevents all actions. After you resume the feature, actionable data may be different from before. For details, see Pause Threat Intelligence Director and Purge Threat Intelligence Director Data from Elements.
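The following Python sketch is an added illustration, not Cisco's code or the product's implementation: it models how the factors listed above combine into the action taken for a matched observable (observable-level setting overrides indicator and source, STIX sources are Monitor only, Do Not Block list and pausing prevent action, and a complex indicator can be partially blocked). The `Node` class, the treatment of paused publishing as "not published, so no action", and any sample values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MONITOR, BLOCK = "Monitor", "Block"

@dataclass
class Node:
    """A source, indicator, or observable in the TID hierarchy (model only)."""
    level: str                        # "source", "indicator" or "observable"
    parent: Optional["Node"] = None
    action: Optional[str] = None      # None = inherit from the parent
    publishing: bool = True           # False = publishing paused at this level
    is_stix: bool = False             # sources only
    value: str = ""                   # observables only

def configured_action(node: Node) -> str:
    """Observable setting overrides indicator setting, which overrides source."""
    if node.level == "source":
        # A STIX source can only be set to Monitor; its simple indicators
        # and observables may still be set to Block individually.
        return MONITOR if node.is_stix else (node.action or MONITOR)
    if node.action is not None:
        return node.action
    return configured_action(node.parent)

def is_published(node: Node) -> bool:
    """Assumed: a pause anywhere up the chain leaves the observable unpublished."""
    return node.publishing and (node.parent is None or is_published(node.parent))

def effective_action(obs: Node, do_not_block: set, tid_paused: bool = False) -> Optional[str]:
    """Action TID takes on a match, or None when it takes no action at all."""
    if tid_paused or not is_published(obs):   # feature paused / publishing paused
        return None
    if obs.value in do_not_block:             # Do Not Block list wins over Block
        return None
    return configured_action(obs)

def incident_outcome(observables, do_not_block, tid_paused=False) -> Optional[str]:
    """A complex indicator mixing monitored and blocked observations is partially blocked."""
    actions = {effective_action(o, do_not_block, tid_paused) for o in observables} - {None}
    if not actions:
        return None
    if actions == {BLOCK}:
        return "blocked"
    return "partially blocked" if BLOCK in actions else "monitored"
```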