The ThreatConnect® import engine can extract Indicators from unstructured documents. These Indicators are created in ThreatConnect and associated with a chosen Group. If desired, the text document can be saved and associated to the newly created Indicators.
NOTE: Prior to performing the import, create a Group with which to associate the imported Indicators, as it will not be possible to create the Group during the import process.
- From the top navigation bar (Figure 1), place the cursor over IMPORT, and then click on the INDICATORS option (Figure 2).
- The Import Indicator screen will appear (Figure 3).
- Click the UNSTRUCTURED tab, and the Import Indicators - Unstructured screen will appear (Figure 4).
- Click the Owner dropdown menu and select an owner (Organization, Community, or Source) into which the Indicators will be imported.
- Click the + IMPORT FILE button and select the appropriate document. The contents of the file will appear in the Text: box. Use the Text Replacement section on the right-hand side to make multiple changes of the same kind to the file contents (e.g., refanging defanged Indicators by replacing “hxxp” with “http” and “[.]” with “.”, so that the parser recognizes them as real URLs, hosts, and addresses). Click the Next button. The Validate screen will appear (Figure 5).
NOTE: Indicators may also be manually entered into the Text: box.
- Select the Indicators to import. If desired, use the Choose Import Options dropdown menu to include or exclude Indicators by type. Then click the Next button. The Confirm screen will appear (Figure 6).
- Click the VIEW buttons to view the new and existing Indicators that were identified for import (Figure 7).
- Click the Next button, and the Optional Data screen will appear (Figure 8).
- If desired, add a Description and a Source and select a Threat Rating and Confidence Rating for the Indicators.
NOTE: The information entered on the Optional Data screen will be applied to all imported Indicators. There is currently no way to enter separate information for individual Indicators.
- In the Indicator Status area, check the Active box to set the Indicator Status of all imported Indicators to active, or leave the box unchecked to set the Indicator Status of all imported Indicators to inactive. Check the Update Existing Status box to update the Indicator Status of any imported Indicators that already exist in ThreatConnect to the status indicated by the Active checkbox. If the Update Existing Status box is not checked, the Indicator Status of imported Indicators that already exist in ThreatConnect will be left unchanged.
NOTE: All imported Indicators must have the same Indicator Status. There is currently no way to set Indicator Status for individual Indicators in the unstructured-import process.
- Use the checkboxes to select whether the DNS and Whois monitors should be enabled for any hosts being created, and then click the Next button. The Labels screen will appear (Figure 9).
- Choose Security Labels and Tags, and then click the Next button. The Save screen will appear (Figure 10).
- If desired, the original source document can be included and named in this import by checking the box labeled Create Document and associate to indicators using this file.
NOTE: This checkbox will not appear if the Indicators were manually entered in the Text: box in Figure 4 instead of imported from a file, as there is no imported file with which to associate them.
- Click the + NEW ASSOCIATION button, associate the Indicators with a Group, and then click the SAVE button.
NOTE: It is highly recommended that Indicators be associated with a Group; otherwise, they are orphaned and provide minimal value to future analysis.
NOTE: Indicators that have been placed on an Indicator Exclusion list will appear in the Value column with the word “excluded” next to their name. Also, a checkbox will not be visible in the left-hand column of the table for an excluded Indicator, and thus the user will not be able to import that Indicator.
NOTE: ThreatConnect's import engine uses regular expressions to parse Indicators from the supplied text and thus may include false positives in the list (e.g., google.com, a legitimate domain that matches the host pattern). Review the candidate list on the Validate screen and deselect anything that is not a genuine Indicator before proceeding.
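To make the Text Replacement step, the Validate screen's handling of excluded Indicators, and the false-positive caveat above concrete, here is an added Python example that models the same pipeline: refang a defanged report, extract candidate Indicators with regular expressions, flag anything on an exclusion list, and filter by type. This is illustrative code written for this page, not ThreatConnect's import engine; the sample report text, the refang rules, the regex patterns, the exclusion list, and all function and class names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample of a defanged threat report (not from the page).
SAMPLE_TEXT = """
Observed C2 beaconing to hxxp://evil-domain[.]com/login and 203[.]0[.]113[.]45 .
Dropper MD5: d41d8cd98f00b204e9800998ecf8427e
Researchers at google.com published details: hxxps://www[.]example[.]org/report
"""

# Text Replacement rules, analogous to what you would enter on the Unstructured
# screen: (regex for the defanged form, real form). "(?i)" also catches hXXp.
REFANG_RULES = [
    (r"(?i)hxxp", "http"),
    (r"\[\.\]", "."),
    (r"\(\.\)", "."),
    (r"\[:\]", ":"),
]

# Assumed regex patterns per Indicator type; real engines use more careful ones.
PATTERNS = {
    "URL": re.compile(r"https?://[^\s\"'<>]+"),
    "Address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "Host": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "File": re.compile(r"\b[a-fA-F0-9]{32}\b"),  # MD5 only, for brevity
}

# Constructed Indicator Exclusion list: values that must never be imported.
EXCLUSIONS = {"Host": {"google.com"}}


@dataclass(frozen=True)
class Candidate:
    """One row of the Validate screen: type, value, and whether it is excluded."""
    itype: str
    value: str
    excluded: bool = False


def refang(text: str) -> str:
    """Apply the Text Replacement rules so defanged Indicators become parseable."""
    for pattern, repl in REFANG_RULES:
        text = re.sub(pattern, repl, text)
    return text


def _valid_ipv4(value: str) -> bool:
    # The regex accepts 999.1.1.1; drop octets above 255 as an obvious false positive.
    return all(0 <= int(octet) <= 255 for octet in value.split("."))


def parse_indicators(text: str, exclusions: dict) -> list:
    """Refang, then regex-extract unique candidates, marking excluded ones.

    Note that legitimate domains such as google.com still come out as Host
    candidates: the regex cannot tell benign from malicious, which is why the
    Validate screen exists.
    """
    text = refang(text)
    seen, out = set(), []
    for itype, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if itype == "Address" and not _valid_ipv4(value):
                continue
            if itype == "File":
                value = value.lower()
            if (itype, value) in seen:
                continue
            seen.add((itype, value))
            excluded = value.lower() in exclusions.get(itype, set())
            out.append(Candidate(itype, value, excluded))
    return out


def select_for_import(candidates: list, include_types=None) -> list:
    """Mimic the Validate screen: excluded rows have no checkbox, and the
    Choose Import Options menu can restrict the selection to certain types."""
    return [
        c for c in candidates
        if not c.excluded and (include_types is None or c.itype in include_types)
    ]


def main() -> None:
    candidates = parse_indicators(SAMPLE_TEXT, EXCLUSIONS)
    for c in candidates:
        flag = " excluded" if c.excluded else ""
        print(f"{c.itype:8} {c.value}{flag}")
    print("selected for import:", [c.value for c in select_for_import(candidates)])


if __name__ == "__main__":
    main()
```

Running it lists the candidates the way the Validate screen would, with google.com flagged as excluded and absent from the selection; the remaining Host false positives (anything that looks like a domain) still have to be deselected by hand.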