Structured Indicator Import

Last Updated: Jun 21, 2019 09:53AM EDT
User
None

Overview

The ThreatConnect® import engine can extract Indicators from structured comma-separated values (CSV) files. If the document to be imported is not structured, ThreatConnect has an unstructured import option. Structured imports require that the CSV file meet a specified structure, which is described in the “Importing Indicators” section of this article.

NOTE: Prior to performing the import, create a Group with which to associate the imported Indicators, as it will not be possible to create the Group during the import process.

NOTE: Structured imports work with any Indicator, including custom Indicators, that takes a single value and is marked as parsable. Note that any multivalue Indicator type is automatically marked as non-parsable. The only exception is the File Indicator, although only one value gets parsed out in the structured import.

Importing Indicators

  1. From the top navigation bar (Figure 1), place the cursor over Import, and click on the Indicators option (Figure 2).
  2. The Import Indicator screen will be displayed (Figure 3).
  3. Click the STRUCTURED button, and the Import Indicators - Structured screen will be displayed with the Import tab selected (Figure 4).
  4. Click the Owner dropdown menu, and select an owner (Organization, Community, or Source) into which the Indicators will be imported. The default Delimiter for the imported file is a comma. To change the delimiter, click in the box, delete the comma, and enter a new value.
  5. To ensure the CSV file is formatted properly, click the icon on the right-hand side of the screen, and the Import Help window will appear, explaining the proper file format (Figure 5). Click the CLOSE button to return to the Import Indicators - Structured screen.

    NOTE: Set Indicator Status by creating an Active column in the CSV file. Each Indicator will be imported with its own individual status as indicated by the value provided in the Active column for that Indicator. Possible values for data in the Active column are 0 or false (sets Indicator Status to inactive; applies to both new Indicators and existing Indicators), 1 or true (sets Indicator Status to active; applies to both new Indicators and existing Indicators), and blank (no value provided; sets Indicator Status to active for new Indicators and leaves Indicator Status unchanged for existing Indicators). If no column for Indicator Status is provided, then all new Indicators will be imported as active, while the status for all existing Indicators will be left unchanged.

  6. Click the + IMPORT FILE button in Figure 4, and select the desired file. Once the file has been uploaded, a list of Detected Column Names will be displayed (Figure 6).
  7. NOTE: The Detected Column Names list displays all of the columns included in the CSV file. However, only valid columns—that is, only the columns listed in the Import Help window (Figure 5)—will be included in the import. Later in the import process, on the Save tab of the Import Indicators - Structured screen (Figure 13), if the option to create a Document from the CSV file and associate it to the imported Indicators is selected, the entire CSV file, including invalid columns, will be included in the Document.

  8. Click the Next button, and the Validate tab will be displayed (Figure 7).
  9. The Validate tab displays both valid and invalid Indicators. Click the VIEW button next to the Valid Indicators section, and a table listing the valid Indicators and their values for some of the imported columns will be displayed (Figure 8).
  10. Click the VIEW button next to the Invalid Indicators section, and a table listing the invalid Indicators will be displayed (Figure 9). The Reason column in the table displays a message stating that the Indicator is invalid because it is contained on a System-wide, Organization-specific, Community-specific, or Source-specific Exclusion list.
  11. Click the Next button, and the Confirm tab will be displayed (Figure 10).
  12. On this tab, the Indicators are separated into two groups: New and Existing. Click the VIEW button for each group to see its respective Indicators (Figure 11).
  13. Click the Next button, and the Labels tab will be displayed (Figure 12). On this screen, a Security Label (see Applying Security Labels) and Tags (see Applying Tags) can be applied globally to all imported Indicators.
  14. Click the Next button and the Save tab will displayed (Figure 13).
  15. If desired, select the checkbox labeled Create Document and associate to indicators using this file to save the originally uploaded CSV file as a Document and associate the Document to the imported Indicators (Figure 14).
  16. Enter a name for the Document in the Document Name text box.
  17. To associate the imported Indicators with an existing Group in ThreatConnect, click the + NEW ASSOCIATION button. The Select an Association window will be displayed (Figure 15).
  18. Select the type of Group from the Select Type dropdown menu. All Groups of that type will be displayed. If desired, enter text in the Filter text box to filter the results further. Figure 16 shows the results that are displayed when the Adversary Group is selected.
  19. Select one or more of the displayed Groups, and then click the SAVE button. Only one type of Group may be added at a time from the Select an Association window. To add more than one type of Group, click the + NEW ASSOCIATION button in Figure 14 again and select a different type of Group.
  20. The selected Groups will be displayed in a table at the bottom of the Save tab (Figure 17).

    NOTE: Once a Group has been added to the table, it cannot be removed. The only way to exclude the Group is to click the CANCEL button and restart the Indicator import process.

  21. Click the SAVE button to complete the import process and view the imported Indicators on the Browse screen.

Video

20010-08 EN Rev. A

Contact Us

  • ThreatConnect, Inc.
    3865 Wilson Blvd.
    Suite 550
    Arlington, VA 22203

    Toll Free:   1.800.965.2708
    Local: +1.703.229.4240
    Fax +1.703.229.4489

    Email Us



https://cdn.desk.com/
false
desk
Loading
seconds ago
a minute ago
minutes ago
an hour ago
hours ago
a day ago
days ago
about
false
Invalid characters found
/customer/en/portal/articles/autocomplete