Signature Import
  • 07 Nov 2022

Minimum Role: System role of User and Organization role of Standard User

Prerequisites: None

Overview

ThreatConnect® allows you to import and manage the following popular Signature formats: Bro, ClamAV®, CybOX™, Iris™ Search Hash, OpenIOC, Regex, Splunk® Search Processing Language (SPL), Sigma, Snort®, Suricata, ThreatConnect Query Language (TQL) Query, and YARA. Once imported, you can enrich these Signatures and associate them to Indicators and Groups. You can also share Signatures with trusted collaborating partners.

Importing a Signature

  1. On the top navigation bar, hover the cursor over Import and select Signature. The Import Signature screen will be displayed (Figure 1).


    • Owner: Select an owner (i.e., Organization, Community, or Source) into which the Signature will be imported.
    • Type: Select a Signature type.
      Note
      System Administrators may define custom Signature types. See the “System Settings” section of ThreatConnect System Administration Guide for more information.
    • + IMPORT FILE: Click this button to locate and select a file containing the Signature to upload.
  2. After a file has been uploaded, a File box containing the uploaded file’s contents will be displayed (Figure 2).


    • Review the contents of the uploaded file. Note that you cannot edit the text displayed in the File box.
    • Click the Next button.
  3. The Confirm screen will be displayed (Figure 3).


    • File Name: This field is auto-populated with the name of the file selected on the Import screen. Click in the box to edit the file name, if desired.
    • Signature Name: Enter the name for the Signature Group object being created. Note that this is a required field.
    • Description: Enter a Description of the Signature. This field is optional, but it is highly recommended that you enter a Description to provide as much metadata as possible.
    • Source: Enter a Source for the Signature. This field is optional, but it is highly recommended that you enter a Source to provide as much metadata as possible.
    • Click the Next button.
  4. The Save screen will be displayed (Figure 4).


    • + NEW ASSOCIATION: Click this button to associate the Signature to Indicators and Groups that exist in an owner to which you have access.
    • If you do not want to associate the Signature to existing Indicators or Groups, click the SAVE button to complete the import process. Otherwise, follow Steps 5–7.
  5. Clicking the + NEW ASSOCIATION button will display the Select an Association window (Figure 5).


  6. Use the Select Type dropdown menu to select the type of object to associate to the Signature. After an object type is selected (Address Indicator in this example), the Select an Association window will display all objects of that type (Figure 6).


    • Filter: If desired, enter a search term in this field and click the magnifying glass icon to narrow the results.
    • Select the checkbox for each object to associate to the Signature.
    • Click the SAVE button.
      Important
      When associating Indicators and Groups to a Signature, you can only associate objects of a single type at a time. To associate more than one type of Indicator or Group to a Signature, repeat Step 6 for each object type.
  7. The Save screen will display the selected object(s) to associate to the Signature (Figure 7). Click the SAVE button to complete the import process.


    Note
    Once you have selected an object for association and it is added to the table, you cannot remove it. The only way to remove an object from the table is to click the Back button to return to the Confirm screen (Figure 3) and then click the Next button to proceed to the Save screen (Figure 4).

ThreatConnect® is a registered trademark of ThreatConnect, Inc.
ClamAV® and Snort® are registered trademarks of Cisco Systems, Inc.
CybOX™ is a trademark of the MITRE Corporation.
Iris™ is a trademark of DomainTools, LLC.
Splunk® is a registered trademark of Splunk, Inc.

20006-01 v.06.C
