ThreatConnect® allows analysts to import and manage the following popular Signature formats: Snort®, YARA, CybOX™, OpenIOC, ClamAV®, Suricata, Bro, Regex, and Splunk® Search Processing Language (SPL). Once imported, these Signatures can be enriched and correlated with other threat-intelligence data, such as Incidents and Threats. Signatures, like Indicators, can also be shared with trusted collaborating partners.
- From the top navigation bar (Figure 1), place the cursor over IMPORT, and click on the SIGNATURE option (Figure 2).
- The Import Signature screen will appear (Figure 3).
- Click on the Owner dropdown menu, and select an owner for the Signature being imported (Figure 4).
- Click on the Type dropdown menu, and select a Signature type (Figure 5).
- Click the + IMPORT FILE button (Figure 3) to navigate to a local directory.
- Select and open a file, and a window for reviewing the Signature will appear below and to the right of the + IMPORT FILE button (Figure 6).
- Click the Next button, and the Confirm screen will appear (Figure 7).
- Enter a File Name and Signature Name, and, if appropriate, enter a Description and a Source. Click the Next button, and the Save screen will appear (Figure 8).
NOTE: Entering a Description and a Source is not required, but it is highly recommended in order to provide as much metadata as possible.
- In the Save screen, Signatures may be associated with Indicators. Click the + NEW ASSOCIATION button, and the Select an Association window will appear (Figure 9). Click on the Select Type dropdown menu, and select the object type to associate with the Signature. Address is selected for this example.
- Click the Search (magnifying glass) icon to display all entries, or, optionally, add a search term to narrow the results.
- Click the checkbox for each Indicator to associate with the Signature (Figure 10), and click the SAVE button.
NOTE: System Administrators may define custom Signature types. See the ThreatConnect System Administration Guide for more details.
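As an added example (not ThreatConnect's own code or API), the following Python script performs the checks an analyst would otherwise do by hand on these screens: it validates the selected type against the nine formats listed above, refuses an import without a File Name and Signature Name, warns when Description or Source is left empty, and scans the Signature text for routable IPv4 literals to suggest for the Address association step. The dictionary key names and the sample Snort rules are this example's own, and custom types defined by a System Administrator would need to be added to SIGNATURE_TYPES.

```python
import ipaddress
import re

# The nine Signature formats the page lists as importable.
SIGNATURE_TYPES = {"Snort", "YARA", "CybOX", "OpenIOC", "ClamAV",
                   "Suricata", "Bro", "Regex", "SPL"}

# Ranges that make poor Address Indicators (RFC 1918, loopback, link-local, multicast); others are suggested.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

# Loose IPv4 shape; every hit is validated by ipaddress below.
_IPV4 = re.compile(r"(?<![\w.])(\d{1,3}(?:\.\d{1,3}){3})(?![\w.])")

def candidate_addresses(file_text):
    """Sorted routable IPv4 literals in the Signature text: suggestions
    for the Address association step, not a substitute for analyst review."""
    found = set()
    for literal in _IPV4.findall(file_text):
        try:
            ip = ipaddress.IPv4Address(literal)
        except ValueError:  # e.g. an octet above 255
            continue
        if not any(ip in net for net in _NON_ROUTABLE):
            found.add(str(ip))
    return sorted(found, key=ipaddress.IPv4Address)

def build_import(owner, sig_type, file_name, signature_name, file_text,
                 description="", source=""):
    """Assemble the fields the Import Signature screens collect (key names
    are this example's own) and flag the metadata the NOTE recommends."""
    if sig_type not in SIGNATURE_TYPES:
        raise ValueError(f"unsupported Signature type: {sig_type}")
    if not file_name or not signature_name:
        raise ValueError("File Name and Signature Name are required")
    warnings = [f"{label} is empty; add it so the Signature carries metadata"
                for label, value in (("Description", description),
                                     ("Source", source)) if not value]
    return {"owner": owner, "type": sig_type, "fileName": file_name,
            "name": signature_name, "description": description,
            "source": source, "fileText": file_text,
            "suggestedAddresses": candidate_addresses(file_text),
            "warnings": warnings}

# Constructed Snort rules for the demo; 203.0.113.0/24 is a documentation range.
SAMPLE_SNORT = ('alert tcp $HOME_NET any -> 203.0.113.45 443 (msg:"constructed beacon"; sid:1000001; rev:1;)\n'
                'alert udp 192.168.1.10 any -> 999.1.1.1 53 (msg:"bad octet"; sid:1000002;)\n')
```

Running `build_import("Demo Org", "Snort", "beacon.rules", "Beacon C2", SAMPLE_SNORT, source="internal hunt")` suggests only 203.0.113.45 (the RFC 1918 address and the malformed octet are dropped) and warns that Description is empty.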