Upload a Local File to Use as a Source

Use this procedure for a one-time manual upload of a local file.

When ingesting a STIX file, threat intelligence director creates a simple or complex indicator from the contents of the STIX file.

When ingesting a flat file, threat intelligence director creates a simple indicator for each observable value in the file.

If you encounter an issue during threat intelligence director configuration or operation, see Troubleshoot Threat Intelligence Director

Procedure

Step 1

Make sure your file meets the requirements in Source Requirements

Step 2

Choose Intelligence > Sources.

Step 3

Click Add (add icon).

Step 4

Choose Upload as the Delivery method for the source.

Step 5

Complete the form.

  • If you are uploading a flat file, choose a Type that describes the data contained within the source.

  • For Name: To simplify sorting and handling of incidents based on threat intelligence director indicators, use a consistent naming scheme across sources. For example, <source>-<type>.

    Including the source name simplifies returning to the source for further information or feedback.

    Be sure to enter the name consistently. For example, for a source with IPv4 addresses, you might always use IPV4 (not IPv4 or ipv4 or IP_v4 or IP_V4 or ip-v4 or IP-v4, IP-V4, etc.)

  • If you are uploading a STIX file, Block is not an Action option, because STIX data can contain complex indicators. Devices (elements) store and take action based on single observables; they cannot take action based on multiple observables.

    However, you can block a simple indicator at the indicator or observable level. For more information, see Edit Threat Intelligence Director Actions at the Source, Indicator, or Observable Level.

  • After the number of days you specify for the TTL interval, threat intelligence director deletes:

    • all of the source's indicators that are not included in a subsequent upload.

    • all observables not referenced by a surviving indicator.

    Note

    If the source contains no updates for the number of days specified for TTL and the source checksum remains unchanged, downloads are treated as feeds with no updates. For observables to receive a new TTL value, the source must contain a few updates.

Step 6

If you want to immediately begin publishing to elements, confirm that the Publish Slider (slider icon) is enabled.

If you do not publish the source at ingestion, you cannot publish all source indicators at once later; instead, you must publish each observable individually. See Pause or Publish Threat Intelligence Director Data at the Source, Indicator, or Observable Level.

Step 7

Click Save.

What to do next

  • To view ingestion status, refresh the Sources page. If you see an error, hover over status for details.

  • If you are doing initial threat intelligence director configuration, return to How To Set Up Threat Intelligence Director.