Signature Import

Overview

ThreatConnect^® allows you to import and manage the following popular Signature formats: Bro, ClamAV^®, CybOX™, Iris™ Search Hash, Microsoft^® KQL, OpenIOC, Regex, Splunk^® Search Processing Language (SPL), Sigma, Snort^®, Suricata, ThreatConnect Query Language (TQL) Query, and YARA. Once imported, you can enrich these Signatures and associate them to Indicators and Groups. You can also share Signatures with trusted collaborating partners.

Before You Start

Importing a Signature

1. On the top navigation bar, hover the cursor over Import and select Signature. The Import Signature screen will be displayed (Figure 1). 

    

   • Owner: Select an owner (i.e., Organization, Community, or Source) into which the Signature will be imported.
   • Type: Select a Signature type.
     Note

     System Administrators may define custom Signature types. See the “System Settings” section of ThreatConnect System Administration Guide for more information.
   • + IMPORT FILE: Click this button to locate and select a file containing the Signature to upload.
2. After a file has been uploaded, a File box containing the uploaded file’s contents will be displayed (Figure 2). 

    

   • Review the contents of the uploaded file. Note that you cannot edit the text displayed in the File box.
   • Click the Next button.
3. The Confirm screen will be displayed (Figure 3). 

    

   • File Name: This field is auto-populated with the name of the file selected on the Import screen. Click in the box to edit the file name, if desired.
   • Signature Name: Enter the name for the Signature Group object being created. Note that this is a required field.
   • Description: Enter a Description of the Signature. This field is optional, but it is highly recommended that you enter a Description to provide as much metadata as possible.
   • Source: Enter a Source for the Signature. This field is optional, but it is highly recommended that you enter a Source to provide as much metadata as possible.
   • Click the Next button.
4. The Save screen will be displayed (Figure 4). 

    

   • + NEW ASSOCIATION: Click this button to associate the Signature to Indicators and Groups that exist in an owner to which you have access.
   • If you do not want to associate the Signature to existing Indicators or Groups, click the SAVE button to complete the import process. Otherwise, follow Steps 5–7.
5. Clicking the + NEW ASSOCIATION button will display the Select an Association window (Figure 5). 

    

6. Use the Select Type dropdown menu to select the type of object to associate to the Signature. After an object type is selected (Address Indicator in this example), the Select an Association window will display all objects of that type (Figure 6). 

    

   • Filter: If desired, enter a search term in this field and click the magnifying glass  to narrow the results.
   • Select the checkbox for each object to associate to the Signature.
   • Click the SAVE button.
     Important

     When associating Indicators and Groups to a Signature, you can only associate objects of a single type at a time. To associate more than one type of Indicator or Group to a Signature, repeat Step 6 for each object type.
7. The Save screen will display the selected object(s) to associate to the Signature (Figure 7). Click the SAVE button to complete the import process. 

    

   Note

   Once you have selected an object for association and it is added to the table, you cannot remove it. The only way to remove an object from the table is to click the Back button to return to the Confirm screen (Figure 3) and then click the Next button to proceed to the Save screen (Figure 4).

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
ClamAv^® and Snort^® are registered trademarks of Cisco Systems, Inc.
 CybOX™ is a trademark of the MITRE Corporation.
 Iris™ is a trademark of DomainTools, LLC.
Microsoft^® is a registered trademark of Microsoft Corporation.
Splunk^® is a registered trademark of Splunk, Inc.

20006-01 v.07.A