The ThreatConnect® import engine can extract Indicators from unstructured documents. These Indicators are created in ThreatConnect and associated with a chosen Group. If desired, the text document can be saved and associated with the newly created Indicators.
NOTE: Prior to performing the import, create a Group with which to associate the imported Indicators, as it will not be possible to create the Group during the import process.
Unstructured Indicator Import
- From the top navigation bar (Figure 1), place the cursor over Import, and then click on the Indicators option (Figure 2).
- The Import Indicator screen will be displayed (Figure 3).
- Click the UNSTRUCTURED tab, and the Import Indicators - Unstructured screen will be displayed (Figure 4).
- Click the Owner dropdown menu and select an owner (Organization, Community, or Source) into which the Indicators will be imported.
- Click the + IMPORT FILE button and select the desired document. The contents of the file will appear in the Text: box. Use the Text Replacement section on the right-hand side to make multiple changes of the same kind to the file contents (e.g., replacing defanging conventions such as “hxxp” and “[.]” in order to refang Indicators so the import engine can recognize them). Click the Next button. The Validate screen will be displayed (Figure 5).
NOTE: Indicators may also be manually entered into the Text: box.
- Select the Indicators to import. If desired, use the Choose Import Options dropdown menu to include or exclude Indicators by type. Then click the Next button. The Confirm screen will be displayed (Figure 6).
- Click the VIEW buttons to view the new and existing Indicators that were identified for import (Figure 7).
- Click the Next button, and the Optional Data screen will be displayed (Figure 8).
- If desired, add a Description and a Source and select a Threat Rating and Confidence Rating for the Indicators.
NOTE: The information entered on the Optional Data screen will be applied to all imported Indicators. There is currently no way to enter separate information for individual Indicators.
- In the Indicator Status area, check the Active box to set the Indicator Status of all imported Indicators as active, or leave the box unchecked to set the Indicator Status of all imported Indicators as inactive. Check the Update Existing Status box to update the Indicator Status of any imported Indicators that already exist in ThreatConnect to the status indicated by the Active checkbox. If the Update Existing Status box is not checked, the Indicator Status of imported Indicators that already exist in ThreatConnect will be left unchanged.
NOTE: All imported Indicators must have the same Indicator Status. There is currently no way to set Indicator Status for individual Indicators in the unstructured-import process.
- Use the checkboxes to select whether the DNS and Whois monitors should be enabled for any hosts being created, and then click the Next button. The Labels screen will be displayed (Figure 9).
- Choose Security Labels and Tags, and then click the Next button. The Save screen will be displayed (Figure 10).
- If desired, the original source document can be included and named in this import by checking the box labeled Create Document and associate to indicators using this file.
NOTE: This checkbox will not appear if the Indicators were manually entered in the Text: box in Figure 4 instead of imported from a file, as there is no imported file with which to associate them.
- To associate the Indicators with a Group, click the + NEW ASSOCIATION button. The Select an Association window will be displayed (Figure 11).
- Click on the Select Type dropdown menu, and select the Group type to associate with the Indicators. Adversary is selected for this example. The window will display all available objects of that type (Figure 12).
- If desired, enter a search term in the Filter field and then click the magnifying glass icon to narrow the results.
- Click the checkbox for each Group to associate with the Indicators (Figure 13), and then click the SAVE button.
NOTE: Indicators that have been placed on an Indicator Exclusion list will appear in the Value column with the word “excluded” next to their name. Also, a checkbox will not be visible in the left-hand column of the table for an excluded Indicator, and thus the user will not be able to import that Indicator.
NOTE: ThreatConnect's import engine uses regular expressions to parse Indicators from the supplied text and thus may have false positives in the list (e.g., google.com as a valid host).
NOTE: It is highly recommended that Indicators be associated with a Group; otherwise, they are orphaned and provide minimal value to future analysis.
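The following is an added illustration, not ThreatConnect code, of two points above: the Text Replacement step that refangs “hxxp” and “[.]” before extraction, and the regular-expression parsing that can surface false positives (such as google.com) which an Indicator Exclusion list then prevents from being imported. The sample text, the replacement rules, the regular expressions, and the local exclusion set are all constructed for this example and are not the import engine's actual patterns or lists.

```python
import re

# Constructed sample of unstructured report text with defanged Indicators
# (not taken from the page or any real report).
SAMPLE_TEXT = """
Phishing campaign observed: victims were sent links to hxxp://malicious-example[.]test/login
and hxxps://update.evil-example[.]test. The C2 resolved to 203[.]0[.]113[.]45.
Analysts also mentioned google[.]com in passing.
"""

# Text Replacement rules: undo common defanging conventions so that the
# extractor sees the Indicators as they would appear on the wire.
REPLACEMENTS = [
    ("hxxps://", "https://"),
    ("hxxp://", "http://"),
    ("[.]", "."),
    ("(.)", "."),
    ("[:]", ":"),
]

# Hypothetical local stand-in for an Indicator Exclusion list: benign hosts
# that a regex will happily match but that should never become Indicators.
EXCLUSIONS = {"google.com"}

# Assumed extraction patterns; ThreatConnect's own regular expressions are
# not published on the page, so these are illustrative only.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
URL_RE = re.compile(r"\bhttps?://[^\s<>'\"]+")
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.IGNORECASE
)


def refang(text, replacements=REPLACEMENTS):
    """Apply the Text Replacement rules in order; longer patterns first."""
    for old, new in replacements:
        text = text.replace(old, new)
    return text


def extract_indicators(text):
    """Refang the text and collect candidate Indicators by type."""
    text = refang(text)
    found = {"url": set(), "host": set(), "ipv4": set()}
    for match in URL_RE.finditer(text):
        # Strip trailing sentence punctuation that the greedy URL pattern swallows.
        found["url"].add(match.group(0).rstrip(".,;)"))
    for match in IPV4_RE.finditer(text):
        found["ipv4"].add(match.group(0))
    for match in HOST_RE.finditer(text):
        found["host"].add(match.group(0).lower())
    return found


def select_for_import(found, exclusions=EXCLUSIONS):
    """Mimic the Validate screen: split candidates into importable and excluded.

    Excluded entries are reported (as the Value column does with the word
    'excluded') but are never offered for import.
    """
    importable, excluded = [], []
    for itype, values in found.items():
        for value in sorted(values):
            if value.lower() in exclusions:
                excluded.append((itype, value))
            else:
                importable.append((itype, value))
    return importable, excluded


if __name__ == "__main__":
    candidates = extract_indicators(SAMPLE_TEXT)
    to_import, left_out = select_for_import(candidates)
    for itype, value in to_import:
        print(f"import   {itype:5} {value}")
    for itype, value in left_out:
        print(f"excluded {itype:5} {value}")
```

Note that the replacement order matters: “hxxps://” is listed before “hxxp://” so that the shorter rule cannot leave a stray “s” behind, and every candidate is reviewed on the Validate screen before anything is created, which is where a false positive that is not on an exclusion list should be unchecked.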