Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level

If publishing is enabled at the Source level, the system automatically publishes the initial source data and any subsequent changes, including:

  • changes from periodic source refreshes

  • changes resulting from system action (for example, TTL expiration)

  • any user-initiated changes (for example, a change in the Action setting for an indicator or observable)

Note

To purge all threat intelligence director observables at once from your devices (elements), see Pause Threat Intelligence Director and Purge Threat Intelligence Director Data from Elements.

Before you begin

Before pausing publishing, understand the ramifications described in About Pausing Publishing.

Procedure


Step 1

Choose any of the following:

  • Integration > Intelligence > Sources

  • Integration > Intelligence > Sources > Indicators

  • Integration > Intelligence > Sources > Observables

Step 2

Locate the Publish Slider (slider icon) and use it to toggle publishing to elements.

Step 3

(Observables only) If you want to resume inheriting the publication setting from the parent indicator, click Revert next to the Publish setting for the observable.


What to do next

  • Wait at least 10 minutes for elements to receive changes. Changes involving large sources will take longer.

  • (Optional) Change the publication frequency for TID data at the observable level; see Modify the Observable Publication Frequency.