Signature Import

Last Updated: Oct 23, 2018 11:25AM EDT

Overview

ThreatConnect® allows analysts to import and manage the following popular Signature formats: Snort®, YARA, CybOX™, OpenIOC, ClamAV®, Suricata, Bro, Regex, and Splunk® Search Processing Language (SPL). Once imported, these Signatures can be enriched and correlated with other threat-intelligence data, such as Incidents and Threats. Signatures, like Indicators, can also be shared with trusted collaborating partners.

Steps

  1. From the top navigation bar (Figure 1), place the cursor over IMPORT, and click on the SIGNATURE option (Figure 2).
  2. The Import Signature screen will appear (Figure 3).
  3. Click on the Owner dropdown menu, and select an owner for the Signature being imported (Figure 4).
  4. Click on the Type dropdown menu, and select a Signature type (Figure 5).

    NOTE: System Administrators may define custom Signature types. See the ThreatConnect System Administration Guide for more details.

  5. Click the + IMPORT FILE button (Figure 3) to navigate to a local directory.
  6. Select and open a file, and a window for reviewing the Signature will appear below to the right of the + IMPORT FILE button (Figure 6).
  7. Click the Next button, and the Confirm screen will appear (Figure 7).
  8. Enter a File Name and Signature Name, and, if appropriate, enter a Description and a Source. Click the Next button, and the Save screen will appear (Figure 8).

    NOTE: Entering a Description and a Source is not required, but it is highly recommended in order to provide as much metadata as possible.

  9. In the Save screen, Signatures may be associated with Indicators. Click the + NEW ASSOCIATION button, and the Select an Association window will appear (Figure 9). Click on the Select Type dropdown menu, and select the object type to associate with the Signature. Address is selected for this example.
  10. Click the Search (magnifying glass) icon to display all entries, or, optionally, add a search term to narrow the results.
  11. Click the checkbox for each Indicator to associate with the Signature (Figure 10), and click the SAVE button.

ClamAV® and Snort® are registered trademarks of Cisco Systems, Inc.

CybOX is a trademark of the MITRE Corporation.

Splunk® is a registered trademark of Splunk, Inc.

20006-04 EN Rev. G
