Doc Analysis Import
- 18 Oct 2023
- 10 Minutes to read
-
Print
-
DarkLight
Doc Analysis Import
- Updated on 18 Oct 2023
- 10 Minutes to read
-
Print
-
DarkLight
Article summary
Did you find this summary helpful?
Thank you for your feedback
Overview
When using the Doc Analysis import option, the ThreatConnect® import engine leverages CAL™ to parse a block of text or an unstructured document for Indicators, Groups, or both. It then creates corresponding objects in ThreatConnect and provides options to create associations between the imported data and existing Groups. If you upload a file at the start of the import, you can create a Document Group containing that file and associate it to the newly created Indicators and Groups.
Important
Although the Doc Analysis import option leverages CAL, you do not need to have CAL enabled in order to use this feature. If you use this feature while CAL is disabled, no information stored in your ThreatConnect instance will be collected by CAL.
Before You Start
Minimum Role(s) | Organization role of Standard User |
---|---|
Prerequisites | Cross-owner associations enabled on your ThreatConnect instance (for creating cross-owner associations between Indicators and Groups being imported into ThreatConnect and existing Groups in one of your owners that match a Group parsed from the supplied text) |
Performing a Doc Analysis Import
- On the top navigation bar, hover over Import and select Doc Analysis. The Import section of the Import Intel - Doc Analysis screen will be displayed (Figure 1).
- Owner: Select the owner (i.e., Organization, Community, or Source) into which Indicators and Groups parsed from the supplied text will be imported.
- + IMPORT FILE: Click this button to locate and select a file to upload.
- Text: After a file has been uploaded, its contents will be displayed in this box. You may also enter text directly into the box.
- Parse for groups to import: Select this checkbox to parse the text displayed in the Text: box for Groups.
- Parse for indicators to import: Select this checkbox to parse the text displayed in the Text: box for Indicators. When parsing for Indicators, CAL will re-fang Indicators automatically.ImportantYou must select at least one of the two parsing options to proceed with the import.NoteCustom Indicator types CAL is not aware of will not be parsed unless they overlap with existing, non-custom Indicator types.
- Text Replacement: Use the Find: and Replace: fields to make multiple changes of the same kind to contents in the Text: box.
- Find: Enter the text you want to locate in the Text: box.
- Replace: Enter the new text that will replace text in the Text: box that matches the text entered in the Find: field.
- Click the APPLY button to perform the text replacement operation.
- History: If you performed a text replacement operation during a previous import, the values entered in the Find: and Replace: fields will be displayed in this section. Click the APPLY button to perform a text replacement operation using those same values.
- Click the Next button.
- The Validate section of the Import Intel - Doc Analysis screen will be displayed (Figure 2).NoteIf an Indicator has been placed on an Indicator Exclusion List, the text “(excluded)” will be displayed to the right of its name in the Value column. In this scenario, you will not be able to select the Indicator for import, as no checkbox will be displayed in the leftmost column.
- Parsed Indicators: This section displays Indicators that were parsed from the supplied text. Select the checkbox in the leftmost column for each Indicator that you want to import. If desired, use the Choose Import Options dropdown to filter Indicators by type.NoteIf a System Administrator has enabled private Indicators on your ThreatConnect instance, a Private column will be displayed to the right of the Value column. Select the checkbox for each Indicator that you want to be marked as private.
- Parsed Groups: This section displays Groups that were parsed from the supplied text. Specifically, it shows the Group’s name, description, type, and object ID, as well as the specific text that CAL detected as a match to the Group. Select the checkbox in the leftmost column for each Group that you want to import.NoteBy default, the following Attributes will be added to the selected Groups automatically after you complete the import: CAL Matched Text and CAL Object ID. The value of the CAL Matched Text Attribute will be the value listed in the Matched Text column for the Group, and the value of the CAL Object ID Attribute will be the value listed in the Object ID column for the Group.NoteFor Attack Pattern and Tactic Groups, the name of the Group created in ThreatConnect will include the values listed in the Object ID and Name columns. For example, if you include the Software Discovery: Security Software Discovery Group shown in Figure 2 in the import, an Attack Pattern Group named T1518.001 - Software Discovery: Security Software Discovery will be created in ThreatConnect after you complete the import.
- Click the Next button.
- Parsed Indicators: This section displays Indicators that were parsed from the supplied text. Select the checkbox in the leftmost column for each Indicator that you want to import. If desired, use the Choose Import Options dropdown to filter Indicators by type.
- The Confirm section of the Import Intel - Doc Analysis screen will be displayed (Figure 3).
- New Indicators: Click the VIEW button in this section to view the new Indicators that will be imported into the owner selected on the Import section.
- Existing Indicators: Click the VIEW button in this section to view Indicators that exist in the owner selected on the Import section and whose summaries match an Indicator selected on the Validate section. These Indicators will be updated based on the information entered and options selected on the remaining sections of the Import Intel - Doc Analysis screen.
- New Groups: Click the VIEW button in this section to view the new Groups that will be imported into the owner selected on the Import section. To prevent a Group from being imported, clear its checkbox.
- Existing Groups: Click the VIEW button to view Groups that exist in the owner selected on the Import section and whose summaries match a Group selected on the Validate section. If cross-owner associations are enabled on your ThreatConnect instance, Groups that exist in any of your owners and whose summaries match a Group selected on the Validate section will be displayed. If desired, select the checkbox in the leftmost column for a Group to update it based on the information entered and options selected on the remaining sections of the Import Intel - Doc Analysis screen.
- Click the Next button.
- The Optional Data section of the Import Intel - Doc Analysis screen will be displayed (Figure 4).
- Indicator Optional Data: This section will be displayed if at least one Indicator was selected on the Validate section. Use the following options to enter details for the new and existing Indicators:
- Description: Enter a default Description for the Indicators. If an existing Indicator contains a default Description, it will be replaced with the value entered in this field.
- Source: Enter a default Source for the Indicators. If an existing Indicator contains a default Source, it will be replaced with the value entered in this field.
- Threat Rating: Use the skull icons to set the Threat Rating for the Indicators. If a Threat Rating has been set for an existing Indicator, it will be replaced with the one specified in this field.
- Confidence Rating: Use the slider to set the Confidence Rating for the Indicators. If a Confidence Rating has been set for an existing Indicator, it will be replaced with the one specified in this field.
- Active: Select this checkbox to set the Indicator Status of the Indicators to active.
- Update Existing Status: Select this checkbox to update the Indicator Status of existing Indicators to the status indicated by the Active checkbox. If you do not select the Update Existing Status checkbox, the Indicator Status of existing Indicators will be left unchanged after you complete the import.
- DNS: Select this checkbox to enable DNS resolution tracking for all Host Indicators that will be imported. Note that selecting this checkbox will not enable DNS resolution tracking for existing Host Indicators.
- Whois: Select this checkbox to enable WHOIS lookups for all Host Indicators that will be imported. Note that selecting this checkbox will not enable WHOIS lookups for existing Host Indicators.
- Group Optional Data: This section will be displayed if at least one Group was selected on the Confirm section. Use the following options to enter details for the new and existing Groups:
- Use individual descriptions from CAL: Select this checkbox to set the default Description for each Group to the Group’s respective description in CAL. Note that if this checkbox is selected, the Description text box will be grayed out.
- Description: If you did not select the Use individual descriptions from CAL checkbox, enter a default Description for the Groups. If an existing Group contains a default Description, it will be replaced with the value entered in this field.
- Source: Enter a default Source for the Groups. If an existing Group contains a default Source, it will be replaced with the value entered in this field.
- Click the Next button.
- Indicator Optional Data: This section will be displayed if at least one Indicator was selected on the Validate section. Use the following options to enter details for the new and existing Indicators:
- The Labels section of the Import Intel - Doc Analysis screen will be displayed (Figure 5).
- Security Labels: Select one or more Security Labels to apply to the new and existing Indicators and Groups. For existing Indicators and Groups, the selected Security Labels will be appended to any Security Labels already applied to them.
- Tags: Enter one or more Tags to apply to the new and existing Indicators and Groups. For existing Indicators and Groups, the selected Tags will be appended to any Tags already applied to them.NoteIf you enter a Tag that matches an ATT&CK Tag in ThreatConnect, the ATT&CK Tag will be applied to the new and existing Indicators and Groups instead of the entered Tag after you complete the import.ImportantIf you apply a Tag that is defined as a synonymous Tag in a Tag normalization rule, it will be converted to the main Tag defined in the rule after you complete the import.
- Click the Next button.
- The Save section of the Import Intel - Doc Analysis screen will be displayed (Figure 6).
- Create Document and associate to indicators using this file.: This checkbox will be displayed only if you uploaded a file on the Import section. Select the checkbox to create a Document Group containing the source file and associate it to the new and existing Indicators and Groups.
- Document Name: If you selected the Create Document and associate to indicators using this file. checkbox, a Document Name: field will be displayed. Enter the name for the Document Group.
- Associate Indicators to Imported Groups: Select this checkbox to associate the new and existing Indicators to the new Groups that will be imported. Note that this operation will also create second-level (i.e., indirect) associations between the new and existing Indicators.
- Associate Indicators to Existing Groups: Select this checkbox to associate the new and existing Indicators to the existing Groups selected on the Confirm section. Note that this operation will also create second-level (i.e., indirect) associations between the new and existing Indicators.
- Associate All Groups: Select this checkbox to create associations between the new Groups being imported and the existing Groups selected on the Confirm section. If you selected the checkbox to create a Document Group, that Group will also be associated to the new and existing Groups.NoteIf you did not select the Parse for indicators to import checkbox on the Import section, the Associate Indicators to Imported Groups and Associate Indicators to Existing Groups checkboxes will not be displayed. Similarly, if you did not select the Parse for groups to import checkbox on the Import section, the Associate Indicators to Imported Groups, Associate Indicators to Existing Groups, and Associate All Groups checkboxes will not be displayed.
- + NEW ASSOCIATION: Click this button to associate the new and existing Indicators to one or more existing Groups. See Steps 7–9 for further instruction.
- If you do not want to associate the new and existing Indicators imported to one or more existing Groups via the + NEW ASSOCIATION button, click the SAVE button to complete the import. Otherwise, follow Steps 7–9.
- If you clicked the + NEW ASSOCIATION button on the Save section of the Import Intel - Doc Analysis screen, the Select an Association window will be displayed (Figure 7).
- Select a Group type from the Select Type dropdown. One or more Groups of that type will be displayed (Figure 8).
- Filter: If desired, enter text into the search bar and then click Searchto filter the results based on that text.
- Select the checkbox for each Group that you want to associate to the new and existing Indicators. Note that the selected Groups will not be associated to the Groups selected on the Confirm section (Figure 3).
- Click the SAVE button.NoteYou can only associate Groups of a single type at a time. To associate more than one Group type to the new and existing Indicators, repeat Step 8 for each Group type.
- The Save screen will display the Groups that will be associated to the new and existing Indicators (Figure 9). Click the SAVE button to complete the import.NoteOnce you have selected a Group for association and it is added to the table, you cannot remove it. The only way to remove a Group from the table is to click the CANCEL button and restart the import.
ThreatConnect® is a registered trademark, and CAL™ is a trademark, of ThreatConnect, Inc.
20154-01 v.01.B
Was this article helpful?