The ThreatConnect® import engine can extract Indicators from unstructured documents. These Indicators are created in ThreatConnect and associated with a chosen Group. If desired, the text document can be saved and associated with the newly created Indicators.
NOTE: Prior to performing the import, create a Group with which to associate the imported Indicators, as it will not be possible to create the Group during the import process.
- From the top navigation bar (Figure 1), place the cursor over IMPORT, and then click on the INDICATORS option (Figure 2).
- The Import Indicator screen will appear (Figure 3).
- Click the UNSTRUCTURED tab, and the Import Indicators - Unstructured screen will appear (Figure 4).
- Click the Owner dropdown menu and select an owner (Organization, Community, or Source) into which the Indicators will be imported.
- Click the + IMPORT FILE button and select the appropriate document. The contents of the file will appear in the Text: box. Use the Text Replacement section on the right-hand side to make multiple changes of the same kind to the file contents (e.g., replacing text such as “hxxp” and “[.]” in order to re-fang and de-neuter Indicators). Click the Next button. The Validate screen will appear (Figure 5).
- Select the Indicators to import. If desired, use the Choose Import Options dropdown menu to include or exclude Indicators by type. Then click the Next button. The Confirm screen will appear (Figure 6).
- Add a Description and a Source.
- Select a Threat Rating and Confidence Rating.
- In the Indicator Status area, check the Active box to set the Indicator Status of all imported Indicators as active, or leave the box unchecked to set the Indicator Status of all imported Indicators as inactive. Check the Update Existing Status box to update the Indicator Status of any imported Indicators that already exist in ThreatConnect to the status indicated by the Active checkbox. If the Update Existing Status box is not checked, the Indicator Status of imported Indicators that already exist in ThreatConnect will be left unchanged.
- Use the checkboxes to select whether the DNS and Whois monitors should be enabled for any hosts being created, and then click the Next button. The Labels screen will appear (Figure 7).
- Choose Security Labels and Tags, and then click the Next button. The Save screen will appear (Figure 8).
- If desired, the original source document can be included and named in this import by checking the box labeled Create Document and associate to indicators using this file.
- Click the + NEW ASSOCIATION button, associate the Indicators with a Group, and then click the SAVE button.
NOTE: Indicators may also be manually entered into the Text: box.
NOTE: Indicators that have been placed on an Indicator Exclusion list will appear in the Value column with the word “excluded” next to their name. Also, a checkbox will not be visible in the left-hand column of the table for an excluded Indicator, and thus the user will not be able to import that Indicator.
NOTE: ThreatConnect's import engine uses regular expressions to parse Indicators from the supplied text and thus may have false positives in the list (e.g., google.com as a valid host).
NOTE: All imported Indicators must have the same Indicator Status. There is no way to set Indicator Status for individual Indicators in the unstructured-import process.
NOTE: The Create Document and associate to indicators using this file checkbox will not appear if the Indicators were manually entered in the Text: box in Figure 4 instead of imported from a file, as there is no imported file with which to associate them.
NOTE: It is highly recommended that Indicators be associated with a Group; otherwise, they are orphaned and provide minimal value to future analysis.
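The steps above rely on three behaviours that are easy to see in code: text replacement to re-fang defanged values (the "hxxp" and "[.]" replacements), regular-expression parsing that can surface false positives such as a benign domain mentioned in prose, and an exclusion list whose entries remain visible but cannot be selected. The following Python script is an added example written for this page; it is not ThreatConnect's import engine or any ThreatConnect code. The sample report text, the replacement rules, the regular expressions, the exclusion list contents and the function names are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample report text, defanged in the style the page mentions
# ("hxxp" and "[.]"); it is not real threat data.
SAMPLE_TEXT = """Campaign infrastructure observed:
hxxp://malicious-example[.]net/payload.bin
Beacon to 203[.]0[.]113[.]45 every 10 minutes.
Lookups for update[.]bad-domain[.]org were seen; search traffic to google[.]com is benign.
"""

# Replacements of the kind the Text Replacement section is used for: undo the
# defanging so the patterns below can match. These rules are assumptions.
REFANG_RULES = [("hxxp", "http"), ("[.]", "."), ("[:]", ":")]

# Assumed Indicator Exclusion list (constructed). Matches stay visible but are
# flagged so they cannot be selected, mirroring the page's description.
EXCLUSION_LIST = {"google.com"}

URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
HOST_RE = re.compile(
    r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.IGNORECASE)


@dataclass(frozen=True)
class Candidate:
    kind: str       # "URL", "Address" or "Host"
    value: str
    excluded: bool  # True when the value is on the exclusion list


def refang(text: str) -> str:
    """Apply the text replacements in order."""
    for old, new in REFANG_RULES:
        text = text.replace(old, new)
    return text


def extract_candidates(text: str) -> list:
    """Regex-parse Indicators from free text after refanging.

    Like any regex-based extractor, this surfaces false positives such as a
    benign domain mentioned in prose; the analyst deselects those at Validate.
    """
    text = refang(text)
    seen = set()
    found = []

    def add(kind: str, value: str) -> None:
        key = (kind, value.lower())
        if key in seen:
            return
        seen.add(key)
        found.append(Candidate(kind, value, value.lower() in EXCLUSION_LIST))

    # URLs first, plus the host or address embedded in each URL.
    for m in URL_RE.finditer(text):
        url = m.group(0).rstrip(".,;)")
        add("URL", url)
        netloc = urlsplit(url).hostname or ""
        if netloc:
            add("Address" if IPV4_RE.fullmatch(netloc) else "Host", netloc)

    # Blank out URLs so their paths are not re-scanned as hosts.
    remainder = URL_RE.sub(" ", text)
    for m in IPV4_RE.finditer(remainder):
        add("Address", m.group(0))
    for m in HOST_RE.finditer(remainder):
        add("Host", m.group(0))
    return found


def select_for_import(candidates, include_kinds=None) -> list:
    """Mimic the Validate step: drop excluded values and, optionally, keep
    only the chosen Indicator types (the Choose Import Options menu)."""
    return [c for c in candidates
            if not c.excluded and (include_kinds is None or c.kind in include_kinds)]


if __name__ == "__main__":
    for c in extract_candidates(SAMPLE_TEXT):
        flag = " (excluded)" if c.excluded else ""
        print(f"{c.kind:8} {c.value}{flag}")
```

Running the script lists the URL, its host, the address and the two hosts from the sample text; google.com is shown flagged as excluded, and `select_for_import` drops it, just as the missing checkbox prevents selecting an excluded Indicator in the Validate screen. Passing `include_kinds={"Address"}` narrows the result the way the Choose Import Options menu does by type.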