The ThreatConnect® import engine can extract Indicators from structured comma-separated values (CSV) files. If the document to be imported is not structured, ThreatConnect has an unstructured import option. Structured imports require that the CSV file meet a specified structure, which is described in the Steps section of this article.
NOTE: Prior to performing the import, create a Group with which to associate the imported Indicators, as it will not be possible to create the Group during the import process.
NOTE: Structured imports work with any Indicator, including custom Indicators, that takes a single value and is marked as parsable. Note that any multivalue Indicator type is automatically marked as non-parsable. The only exception is the File Indicator, although only one value gets parsed out in the structured import.
- From the top navigation bar (Figure 1), place the cursor over IMPORT, and click on the INDICATORS option (Figure 2).
- The Import Indicator screen will appear (Figure 3).
- Click the STRUCTURED tab, and the Import Indicators - Structured screen will appear (Figure 4).
- Click the Owner dropdown menu, and select an owner (Organization, Community, or Source) into which the Indicators will be imported. The default Delimiter for the imported file is a comma. To change the delimiter, click in the box, delete the comma, and enter a new value.
- To ensure the CSV file is formatted properly, click the Question Mark button on the right-hand side of the screen, and the Import Help window will appear, explaining the proper file format (Figure 5). Click the CLOSE button to return to the Import Indicators - Structured screen.
NOTE: Set Indicator Status by creating an Active column in the CSV file. Each Indicator will be imported with its own individual status as indicated by the value provided in the Active column for that Indicator. Possible values for data in the Active column are 0 or false (sets Indicator Status to inactive; applies to both new Indicators and existing Indicators), 1 or true (sets Indicator Status to active; applies to both new Indicators and existing Indicators), and blank (no value provided; sets Indicator Status to active for new Indicators and leaves Indicator Status unchanged for existing Indicators). If no column for Indicator Status is provided, then all new Indicators will be imported as active, while the status for all existing Indicators will be left unchanged.
- Click the + IMPORT FILE button, and select the desired file. Once the file has been uploaded, a list of Detected Column Names will be displayed (Figure 6).
- Click the Next button, and the Validate screen will appear (Figure 7).
- The Validate screen displays both valid and invalid Indicators. Click the VIEW button next to the Valid Indicators section, and the valid Indicators will appear (Figure 8).
- Click the VIEW button next to the Invalid Indicators section, and the invalid Indicators will appear (Figure 9).
NOTE: The Reason column will display a message stating that the Indicator is invalid because it is contained on a System-wide, Organization-specific, Community-specific, or Source-specific Exclusion list.
- Once the Indicators are validated, click the Next button, and the Confirm screen will appear (Figure 10).
- The Indicators are separated into two groups: New and Existing. Click the VIEW button for each group to see its respective Indicators. Once the Indicators are confirmed, click the Next button, and the Labels screen will appear (Figure 11). On this screen, a Security Label (see Applying Security Labels) and Tags (see Applying Tags) can be applied globally to all imported Indicators.
- Click the Next button and the Save screen will appear (Figure 12).
- If desired, save the originally uploaded CSV file as a Document and associate the Document to the Indicators by clicking the checkbox labeled Create Document and associate to indicators using this file.