Signature Import

Overview

ThreatConnect^® allows you to import the following types of signature files as a Signature Group object: Bro, ClamAV^®, CybOX™, Iris^® Search Hash, Microsoft^® Kusto Query Language (KQL), OpenIOC, Regex, Splunk^® Search Processing Language (SPL), Sigma, Snort^®, STIX™ Pattern, Suricata, ThreatConnect Query Language (TQL) Query, and YARA. Once you have imported a Signature, you can associate it to Groups, Indicators, Intelligence Requirements (IRs), and Victims.

Before You Start

Importing a Signature

1. On the top navigation bar, hover the cursor over Import and select Signature. The Import Signature screen will be displayed (Figure 1). 

    

   • Owner: Select an owner (i.e., Organization, Community, or Source) into which the signature file will be imported as a Signature Group.
   • Type: Select a signature type.
   • + IMPORT FILE: Click this button to locate and select a file containing the signature file to upload.
2. After a file has been uploaded, a File box containing the uploaded file’s contents will be displayed (Figure 2). 

    

   • Review the file’s contents, if desired. Note that you cannot edit the text displayed in the File box.
   • Click the Next button.
3. The Confirm screen will be displayed (Figure 3). 

    

   • File Name: This field is auto-populated with the name of the file selected on the Import screen. Click in the box to edit the file name, if desired.
   • Signature Name: Enter the name for the Signature Group object being created.
   • Description: Enter a Description for the Signature.
   • Source: Enter a Source for the Signature.
     Note

     Entering a Description and Source is optional, but highly recommended to provide as much metadata as possible.
   • Click the Next button.
4. The Save screen will be displayed (Figure 4). 

    

   • + NEW ASSOCIATION: Click this button to associate the Signature to Groups, Indicators, IRs, and Victims in your owners.
     Note

     If you do not want to create any associations at this time, click the SAVE button to complete the import process.
5. Click the + NEW ASSOCIATION button to display the Select an Association window (Figure 5). 

    

6. Select the type of object to associate to the Signature from the Select Type dropdown. The window will display all objects of that type (Figure 6). 

    

   • Filter: If desired, enter a search term in this field and click the magnifying glass  to narrow the results.
   • Select the checkbox for each object to associate to the Signature.
   • Click the SAVE button.
     Important

     When associating objects to a Signature, you can only associate objects of a single object type (Indicator type, Group type, IR, or Victim) at a time. To associate more than one object type to a Signature, repeat Step 6 for each object type.
7. The Save screen will display all the objects selected for association (Figure 7). Click the SAVE button to complete the import process. 

    

   Note

   Once you have selected an object for association and it is added to the table, you cannot remove it. The only way to remove an object from the table is to click the Back button to return to the Confirm screen (Figure 3) and then click the Next button to proceed to the Save screen (Figure 4).

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
ClamAv^® and Snort^® are registered trademarks of Cisco Systems, Inc.
Iris^® is a registered trademark of DomainTools, LLC.
Microsoft^® is a registered trademark of Microsoft Corporation.
Splunk^® is a registered trademark of Splunk, Inc.
CybOX™ and STIX™ are trademarks of The MITRE Corporation.

20006-01 v.08.A