Threat Indicator FAQs
What is the difference between "Can do xxx..." and "Does xxx..." TIs?
There are quite a few TIs with similar names that describe different behaviors. For example, there are Can Access Camera and Accesses Camera, Can Access Location and Accesses Location, and Can Access Address Book and Sends Address Book. The "Can do" TIs mean that the app is capable of doing something, whereas the "Does" TIs mean that the app actually does it. Technically, the "Can do" TIs were identified during the Appthority MTP static analysis process, which looks at what the apps might do according to their design and implementation. The "Does" TIs (with names like "Accesses..." and "Sends...") were identified during the dynamic analysis process, which looks at what the apps actually do; that is, during dynamic analysis the behavior was indeed triggered.
It is not always the case that there is a pair of TIs for such behaviors. Static analysis may indicate a capability that was not observed during dynamic analysis, or in some cases dynamic analysis has not occurred. Examples include Can Open PDF and Can Access Call Logs.
How is TI Risk determined?
Appthority MTT researchers assign a default risk number from 0 to 10 (also called a Risk Level) to each TI. The higher the number, the higher the risk. Org or Policy Admins can change the TI Risk number at the "global" level across the Org for all TIs except those in the High-Risk/Malicious category. In the Help, see the TI Risk and Risk Scores section of the Appthority MTP Overview.
How are TIs used to calculate Risk Scores?
The TI Risk numbers are used to calculate the App and Device Risk Scores and the App and Device Policy Risk Scores.
An app is assigned a risk score equal to the Risk Level of the highest-Risk TI in any policy violated by the app. For example, if an app violates Policy_A via TI_1 with Risk Level 5, and Policy_B via TI_2 with Risk Level 7, the app has a risk score of 7.
A device gets a Risk Score equal to the Risk of the highest-Risk active TI in any violated App or Device Policy.
An App or Device Policy gets a Risk Score equal to the Risk of the highest-Risk active TI assigned to the policy.
In the Help, see Risk Scoring.
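The scoring rules described in this FAQ, modelled as an added Python example (not Appthority's code): the TI names, categories, and the `overrides` mapping are constructed assumptions, while the max-of-active-TIs aggregation and the High-Risk/Malicious override exception follow the text above.

```python
from dataclasses import dataclass

HIGH_RISK_CATEGORY = "High-Risk/Malicious"  # admins cannot override TI Risk in this category

@dataclass(frozen=True)
class ThreatIndicator:
    name: str
    default_risk: int  # researcher-assigned Risk Level, 0-10
    category: str
    active: bool = True

def effective_risk(ti: ThreatIndicator, overrides: dict[str, int]) -> int:
    """Apply an Org-wide admin override, except for High-Risk/Malicious TIs."""
    if ti.category == HIGH_RISK_CATEGORY:
        return ti.default_risk
    return overrides.get(ti.name, ti.default_risk)

def max_active_risk(tis, overrides: dict[str, int]) -> int:
    """Highest effective Risk among active TIs; 0 when none is active."""
    return max((effective_risk(t, overrides) for t in tis if t.active), default=0)

def policy_risk_score(policy_tis: list[ThreatIndicator], overrides) -> int:
    """Policy score: highest-Risk active TI assigned to the policy."""
    return max_active_risk(policy_tis, overrides)

def app_risk_score(violations: dict[str, list[ThreatIndicator]], overrides) -> int:
    """App score: highest-Risk active TI triggered in any violated policy.
    `violations` maps a violated policy name to the TIs the app triggered there."""
    return max_active_risk((t for tis in violations.values() for t in tis), overrides)

def device_risk_score(violations_per_app: list[dict], device_violations: dict, overrides) -> int:
    """Device score: highest-Risk active TI across violated App and Device Policies."""
    tis = [t for v in violations_per_app for tis in v.values() for t in tis]
    tis += [t for tis in device_violations.values() for t in tis]
    return max_active_risk(tis, overrides)

# Constructed sample data modelled on the FAQ's example; not real Appthority TIs.
TI_1 = ThreatIndicator("TI_1", 5, "Data Leakage")
TI_2 = ThreatIndicator("TI_2", 7, "Privacy")
TI_MAL = ThreatIndicator("TI_Malware", 10, HIGH_RISK_CATEGORY)
TI_OLD = ThreatIndicator("TI_Retired", 9, "Privacy", active=False)
APP_VIOLATIONS = {"Policy_A": [TI_1], "Policy_B": [TI_2]}  # the FAQ's example

if __name__ == "__main__":
    print(app_risk_score(APP_VIOLATIONS, {}))                # 7
    print(app_risk_score(APP_VIOLATIONS, {"TI_2": 3}))       # 5 once an admin lowers TI_2
    print(policy_risk_score([TI_1, TI_MAL], {"TI_Malware": 2}))  # 10, override ignored
    print(device_risk_score([APP_VIOLATIONS], {"Device_Policy": [TI_OLD]}, {}))  # 7
```

Note that an inactive TI never raises a score, and lowering a TI's Risk only changes the outcome when that TI was the one setting the maximum.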