How to disable a Threat Indicator?

To disable a Threat Indicator, the corresponding Python consumer file must be removed from the consumers directory; the steps below do this by renaming it. Future development will allow this to be done through the CLI.

Steps to Disable the Threat Indicator

The steps below disable a Threat Indicator. In this example, the aim is to disable the following Threat Indicator: "Found a call for action (e.g. 'enable macros')".

Find the ID of the Threat Indicator

Find the Threat Indicator ID within the Hunting page by searching for the Threat Indicator description.

In this case the ID is S040.

Locate and Rename the Corresponding Python File

Search in: <installation directory>/transform/consumers

Locate the consumer file. The file name is similar to, but not always identical to, the Threat Indicator ID.

For this Threat Indicator, the file is strings-040.py. Ensure it is the correct consumer by checking the consumer ID inside the Python script.


Rename the file

For this example, it is renamed to strings-040.py.disabled.

Restart Sandbox

Restart the Sandbox service for the modification to take effect.

Note that a reinstall or upgrade install automatically restores the consumer, so the Threat Indicator becomes active again afterwards.
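As an added example (not the product's own tooling), the locate-and-rename steps above as a POSIX shell script: it searches <installation directory>/transform/consumers for the consumer script that carries the indicator ID and renames it to .disabled, refusing to act when the match is ambiguous. It assumes the consumer ID appears literally inside the Python file, and the sample consumer tree it builds is constructed for demonstration.

```shell
# Added example, not the product's own tooling. Assumes the Threat
# Indicator ID (e.g. S040) appears literally inside its consumer script
# and that consumers live under <installation directory>/transform/consumers.

# List consumer scripts under $1/transform/consumers that mention ID $2.
# "|| true" keeps the function's exit status 0 when nothing matches, so
# callers can test for an empty result under "set -e".
find_consumer() {
    find "$1/transform/consumers" -type f -name '*.py' \
        -exec grep -lF -- "$2" {} + 2>/dev/null || true
}

# Disable one Threat Indicator by renaming its consumer to <name>.disabled.
# Refuses to act unless exactly one script matches, so an ambiguous ID
# (or a typo) never disables the wrong consumer. Prints the new path.
# The Sandbox service still has to be restarted afterwards.
disable_indicator() {
    matches=$(find_consumer "$1" "$2")
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one consumer for $2, found $count" >&2
        return 1
    fi
    mv -- "$matches" "$matches.disabled"
    echo "$matches.disabled"
}

# Build a constructed consumer tree in a temp dir (sample input only)
# and print its path. The file names deliberately differ from the IDs,
# as the page warns they can; the CONSUMER_ID variable is an assumption.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/transform/consumers"
    printf 'CONSUMER_ID = "S040"  # call for action, e.g. enable macros\n' \
        > "$root/transform/consumers/strings-040.py"
    printf 'CONSUMER_ID = "S041"\n' > "$root/transform/consumers/strings-041.py"
    echo "$root"
}

sample=$(make_sample_tree)
disable_indicator "$sample" S040   # renames strings-040.py to strings-040.py.disabled
```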
