Importing and Exporting Intelligence Indicators
This section describes how to import and export intelligence indicators.
Constraints
- Only .xlsx files no larger than 20 MB can be imported.
- A maximum of 9,999 indicator records can be exported.
Procedure
- Log in to the management console.
- Click in the upper left corner of the page and choose .
- In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 1 Management
- In the navigation pane on the left, choose Threat Operations > Indicators.
Figure 2 Indicators
- On the Indicator page, click Import in the upper left corner above the indicator list.
- In the displayed Import dialog box, click Download Template to download a template, and fill in the downloaded template according to the requirements.
- After the indicator file is ready, click Select File in the Import dialog box, and select the Excel file you want to import.
- Fill in information about the intelligence indicators to be imported based on the template. For details, see Parameters in the Intelligence Indicator Template.
- The file must be in the .xlsx format.
- Click OK.
Parameters in the Intelligence Indicator Template
Import intelligence indicators based on the template requirements. For details about the parameters, see Table 1.

| Parameter | Type | Mandatory | Description |
|---|---|---|---|
| data_source | Object | Yes | Data source. Example: {"domain_id":"demo","product_feature":"demo","project_id":"demo","product_module":"demo","company_name":"demo","region_id":"demo","source_type":892339122,"product_name":"demo"} |
| environment | Object | Yes | Coordinates of the environment where the indicator is generated. Example: {"domain_id":"demo","project_id":"demo","region_id":"demo","vendor_type":"demo"} |
|  | Object | No | Email. |
| url | Object | No | URL. |
| domain | Object | No | Domain name. |
| is_deleted | String | Yes | Whether to delete the indicator. |
| workspace_id | String | Yes | Workspace ID. |
| weak_password | String | No | Weak password. |
| vulnerability | String | No | Vulnerability. |
| start_time | Timestamp | No | Start time. |
| information_source | String | Yes | Source. |
| confidence | Numeric | No | Indicator confidence. Its value range is 80 to 100. |
| close_comment | String | No | Comment for the closure. |
| labels | String | No | Labels, such as mine pool and outreach. |
| inactive_time | Timestamp | No | Expiration time. |
| file | Object | No | File. |
| close_reason | String | No | Closure reason. |
| first_report_time | Timestamp | Yes | First occurrence time. |
| create_time | Timestamp | Yes | Creation time of the intelligence collected by the threat platform. |
| suggested_of_coa | String | No | Suggestion. |
| valid_from | Timestamp | No | Start time of the validity period, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the indicator validity period started. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| kill_chain_phases | String | No | Important information that should be retained. |
| verdict | String | Yes | Threat degree indicated by colors black, white, and gray. |
| pattern | String | No | Reserved field. |
| external_references | String | No | Extended field. |
| status | String | Yes | Indicator status. The value can be: |
| revoked | Boolean | No | Whether the indicator is revoked. The default value is No. |
| creator | String | No | Creator. |
| granular_marking | Numeric | Yes | Granularity (confidentiality level). The value can be 1 (first discovery), 2 (self-produced data), 3 (purchase required), and 4 (direct query from the external network) in descending order. |
| id | String | Yes | Unique ID, which is generated according to the following rule: MD5 (indicator_type + value + information_source + label) |
| owner | String | No | Owner. |
| ip | Object | No | IP address. |
| indicator_type | Object | Yes | Indicator type. The value can be ipv4, ipv6, domain, email, url, hash, and un_classified. Example: {"indicator_type":"demo","id":"demo","category":"demo"} |
| close_time | String | No | Closing time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the indicator occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| inactive_set_time | Timestamp | No | Expiration time. |
| update_time | String | No | Update time, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the indicator was updated. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| verdict_set_time | Timestamp | No | Verdict time. |
| severity | Numeric | No | Severity. The value varies depending on the channel. The value ranges from 80 to 100. |
| valid_until | Timestamp | No | End time of the validity period, in the ISO 8601 format of "YYYY-MM-DDTHH:mm:ss.ms+Time zone". Time zone refers to where the indicator validity period ended. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| last_report_time | Timestamp | Yes | Latest occurrence time. |
| value | String | Yes | Value, such as ip, url, and domain. |
| defanged | Boolean | Yes | Whether the indicator is invalid. The default value is No. |
| extensions | String | No | Extensions. |
| count | Numeric | No | Occurrences. |
| description | String | No | Description. |
| name | String | Yes | Intelligence name. |

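
A pre-import check for rows filled into the template, added here as an example (not the product's own code): it recomputes `id` from the MD5 rule in Table 1, applies the 80 to 100 range, and parses the ISO 8601 fields with the GMT+8 fallback. Assumptions: the four inputs are concatenated with no separator as UTF-8 and hex-encoded, `label` in the rule is the `labels` column, `indicator_type` is given as its type string, and rows are already loaded from the .xlsx file as dicts.

```python
import hashlib
from datetime import datetime, timedelta, timezone

GMT8 = timezone(timedelta(hours=8))  # default zone named in Table 1
# Mandatory scalar columns from Table 1; "id" is checked separately below.
MANDATORY = ("name", "value", "information_source", "verdict", "status",
             "workspace_id", "first_report_time", "last_report_time", "create_time")
TYPES = {"ipv4", "ipv6", "domain", "email", "url", "hash", "un_classified"}
ISO_FIELDS = ("valid_from", "valid_until", "close_time", "update_time")

def indicator_id(indicator_type, value, information_source, label=""):
    """MD5(indicator_type + value + information_source + label).
    Assumed: plain concatenation, UTF-8 bytes, lowercase hex digest."""
    joined = f"{indicator_type}{value}{information_source}{label}"
    return hashlib.md5(joined.encode("utf-8"), usedforsecurity=False).hexdigest()

def parse_time(text):
    """Parse an ISO 8601 string; with no offset, fall back to GMT+8."""
    parsed = datetime.fromisoformat(text)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=GMT8)

def validate_row(row):
    """Return the list of problems found in one template row (a dict)."""
    problems = [f"missing {k}" for k in MANDATORY if not row.get(k)]
    if row.get("indicator_type") not in TYPES:  # assumed: type given as a string
        problems.append("indicator_type not in documented set")
    for key in ("confidence", "severity"):
        if row.get(key) is not None and not 80 <= row[key] <= 100:
            problems.append(f"{key} outside 80-100")
    for key in ISO_FIELDS:
        try:
            if row.get(key):
                parse_time(row[key])
        except ValueError:
            problems.append(f"{key} is not ISO 8601")
    parts = [row.get(k) for k in ("indicator_type", "value", "information_source")]
    if all(parts) and row.get("id") != indicator_id(*parts, row.get("labels", "")):
        problems.append("id does not match the MD5 rule")
    return problems

# Constructed sample rows (not real intelligence data).
GOOD = {"name": "demo", "indicator_type": "domain", "value": "bad.example",
        "information_source": "demo-feed", "labels": "outreach", "verdict": "black",
        "status": "demo", "workspace_id": "demo", "confidence": 90,
        "first_report_time": "2024-05-01T08:00:00.000+08:00",
        "last_report_time": "2024-05-02T08:00:00.000+08:00",
        "create_time": "2024-05-02T09:00:00.000+08:00",
        "valid_from": "2024-05-01T08:00:00.000"}
GOOD["id"] = indicator_id("domain", "bad.example", "demo-feed", "outreach")
BAD = dict(GOOD, confidence=50, valid_from="01/05/2024", value="other.example")
```

Running `validate_row` over every row before upload catches records whose `id` no longer matches their contents, for example after a value was edited in the spreadsheet by hand.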
Exporting Indicators
- Log in to the management console.
- Click in the upper left corner of the page and choose .
- In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.
Figure 3 Management
- In the navigation pane on the left, choose Threat Operations > Indicators.
Figure 4 Indicators
- On the Indicators page, select the indicators you want to export and click in the upper right corner of the list. The Export dialog box is displayed.
- In the Export dialog box, set parameters.
Table 2 Exporting indicators

| Parameter | Description |
|---|---|
| Format | By default, the indicator list is exported to an Excel file. |
| Columns | Select the indicator parameters to be exported. |

- Click OK.
The system automatically downloads the Excel file to your local PC.