Files | Standard import

When choosing Standard import, you can upload either:

Import files

Note

Files uploaded in Standard import have a maximum size of 100MB.

Whether importing multiple files or a single archive, proceed as follows:

  1. In the left navigation bar, select + Create > Upload.

  2. Under Standard import in the pop-up, select Upload >.

  3. Browse your network for files/an archive, or drag and drop files into the modal.

    Tip

    To delete a file from the list of uploaded files, select the X to the right of its name.

  4. For each file you’re uploading, select its content type.

  5. In the Source field, select a group.

    All entities and observables ingested from the uploaded files will have this group assigned as their source.

  6. (Optional) Select the following options if they apply to your upload(s):

    • Override source reliability: Set a source reliability for all incoming objects.

    • Extract observables from unstructured text: Select this option to parse the text in uploaded files and create observables that match well-known text patterns.

    • Password protected archive: Allows you to provide the password when uploading password protected archives.

    • Add information source details: Add the information listed below to the source for uploaded files.

      • Description: Provide a source description.

      • Identity: Name of source.

      • Roles: Select at least one of the following roles: Initial Author, Content Enhancer/Refiner, Aggregator, Transformer/Translator.

      • References: Set one or more URLs.

    • Override TLP: Override TLP values for all incoming objects.

  7. Select Upload to start uploading these files.

Content types

You can upload files in these formats (content type, followed by its description):

  • PDF: For native (not scanned) PDFs, Intelligence Center extracts observables and identifies and applies MITRE ATT&CK TTPs.

  • DOCX: Intelligence Center extracts observables and identifies and applies MITRE ATT&CK TTPs.

  • CSV: Under Standard import, CSV files are treated as plain text. Observables are extracted and MITRE ATT&CK TTPs are identified and applied. To upload CSV files and use more detailed data extraction methods, upload with custom data mapping.

  • TXT: This content type enables entering free text and literals, wildcards (where supported), as well as JSON paths to point to specific entity property fields, and regex patterns to filter data.

  • EclecticIQ JSON: JSON format representing entity data as JSON objects.

  • MISP data: For more information, see Incoming feed - MISP.

  • SpyCloud Breach Data: For more information, see Incoming feed - SpyCloud Watchlist Ingest.

  • Email message: Plain text emails.

  • STIX 1.0: STIX 1.0 XML

  • STIX 1.1: STIX 1.1 XML

  • STIX 1.1.1: STIX 1.1.1 XML

  • STIX 1.2: STIX 1.2 XML

  • STIX 2.1: STIX 2.1 JSON

  • CAPEC: Categorized and enumerated attack patterns, attack mechanisms, strategies, tactics and techniques retrieved from the CAPEC catalog.

Upload archives

Requirements

When uploading archives, ensure that:

  • All files in the archive have the same file type.

  • The files are of a file type that matches the content type selected in step 4 of Import files.

  • The archive itself is one of these formats:

    • .rar

    • .tar

    • .tar.bz2

    • .tar.gz

    • .tar.z

    • .zip
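
A pre-upload check for the archive requirements above, as an added example that is not part of the EclecticIQ documentation or product. The function names, judging file type by file extension, and reading 100MB as 100 × 10^6 bytes applied to the archive itself are assumptions; only .zip and tar-based archives are inspected (standard library only), while .rar and .tar.z are reported as not inspected.

```python
import os
import tarfile
import tempfile
import zipfile

# Archive extensions listed under Requirements on this page.
ALLOWED = (".rar", ".tar", ".tar.bz2", ".tar.gz", ".tar.z", ".zip")
MAX_BYTES = 100 * 10**6  # assumption: "100MB" read as decimal megabytes


def member_names(path):
    """Regular-file members of a zip or tar archive, or None if unreadable."""
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            return [i.filename for i in zf.infolist() if not i.is_dir()]
    if tarfile.is_tarfile(path):
        with tarfile.open(path) as tf:  # auto-detects gzip/bzip2
            return [m.name for m in tf.getmembers() if m.isfile()]
    return None  # .rar and .tar.z need tools outside the standard library


def preflight(path, expected_ext):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    if not path.lower().endswith(ALLOWED):
        problems.append("archive format not in the supported list")
    if os.path.getsize(path) > MAX_BYTES:
        problems.append("archive exceeds the 100MB limit")
    names = member_names(path)
    if names is None:
        return problems + ["members not inspected by this script"]
    exts = {os.path.splitext(n)[1].lower() for n in names}
    if len(exts) > 1:
        problems.append("mixed file types: " + ", ".join(sorted(exts)))
    elif exts != {expected_ext.lower()}:
        problems.append("members do not match " + expected_ext)
    return problems


def demo():
    """Build two constructed sample archives and check each for PDF upload."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "reports.zip"), os.path.join(d, "mix.zip")
        with zipfile.ZipFile(good, "w") as zf:
            zf.writestr("a.pdf", b"%PDF-1.4 constructed")
            zf.writestr("b.pdf", b"%PDF-1.4 constructed")
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr("a.pdf", b"%PDF-1.4 constructed")
            zf.writestr("notes.txt", b"constructed")
        return preflight(good, ".pdf"), preflight(bad, ".pdf")
```

Call `preflight(path, ".pdf")` with the extension that corresponds to the content type you will select in step 4; an empty list means the archive passed every check the script performs.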