Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level

Note:

Editing the action for a parent sets the action for all children. If you edit the action at the source level, you set the action for all its indicators. If you edit the action at the indicator level, you set the action for all of its observables.
Editing the action for a child interrupts inheritance. If you edit the action at the indicator level, and subsequently edit it at the source level, the indicator's action is retained until you edit the action for the individual indicator. If you edit the action at the observable level, and subsequently edit it at the indicator level, the observable's action is retained until you edit the action for the individual observable. At the observable level, you can revert automatically to the parent indicator's action. For more information about inheritance, see Inheritance in Threat Intelligence Director Configurations.

You may also want to review other Factors That Affect the Action Taken.

Procedure

Step 1

Choose any of the following:

Integration > Intelligence > Sources

Note	threat intelligence director does not support blocking TAXII sources at the source level. If the TAXII source contains a simple indicator, you can block at the indicator or observable level.

Integration > Intelligence > Sources > Indicators

Note	threat intelligence director does not support blocking complex indicators. Instead, block individual observables within the complex indicator.

Integration > Intelligence > Sources > Observables

Step 2

Use the Action dropdown to choose Monitor ( monitor icon ) or Block ( block icon ).

Step 3

(Observables only) If you want to resume inheriting the action setting from the parent indicator, click Revert next to the Action setting for the observable.