Updated on 2023-10-31 GMT+08:00

Importing and Exporting Intelligence Indicators

This section describes how to import and export intelligence indicators.

Constraints

  • Only .xlsx files no larger than 20 MB can be imported.
  • A maximum of 9,999 indicator records can be exported.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 1 Management

  4. In the navigation pane on the left, choose Threat Operations > Indicators.

    Figure 2 Indicators

  5. On the Indicators page, click Import in the upper left corner above the indicator list.
  6. In the displayed Import dialog box, click Download Template to download a template, and fill in the downloaded template according to the requirements.
  7. After the indicator file is ready, click Select File in the Import dialog box, and select the Excel file you want to import.
  8. Click OK.

Parameters in the Intelligence Indicator Template

Import intelligence indicators based on the template requirements. For details about the parameters, see Table 1.

Table 1 Parameters in the intelligence indicator template

| Parameter | Type | Mandatory | Description |
| --- | --- | --- | --- |
| data_source | Object | Yes | Data source. Example: {"domain_id":"demo","product_feature":"demo","project_id":"demo","product_module":"demo","company_name":"demo","region_id":"demo","source_type":892339122,"product_name":"demo"} |
| environment | Object | Yes | Coordinates of the environment where the indicator is generated. Example: {"domain_id":"demo","project_id":"demo","region_id":"demo","vendor_type":"demo"} |
| email | Object | No | Email. |
| url | Object | No | URL. |
| domain | Object | No | Domain name. |
| is_deleted | String | Yes | Whether to delete the indicator. |
| workspace_id | String | Yes | Workspace ID. |
| weak_password | String | No | Weak password. |
| vulnerability | String | No | Vulnerability. |
| start_time | Timestamp | No | Start time. |
| information_source | String | Yes | Source. |
| confidence | Numeric | No | Indicator confidence. Its value range is 80 to 100. |
| close_comment | String | No | Comment for the closure. |
| labels | String | No | Labels, such as mine pool and outreach. |
| inactive_time | Timestamp | No | Expiration time. |
| file | Object | No | File. |
| close_reason | String | No | Closure reason. |
| first_report_time | Timestamp | Yes | First occurrence time. |
| create_time | Timestamp | Yes | Creation time of the intelligence collected by the threat platform. |
| suggested_of_coa | String | No | Suggestion. |
| valid_from | Timestamp | No | Start time of the validity period, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the indicator validity period started. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| kill_chain_phases | String | No | Important information that should be retained. |
| verdict | String | Yes | Threat degree, indicated by the colors black, white, and gray. |
| pattern | String | No | Reserved field. |
| external_references | String | No | Extended field. |
| status | String | Yes | Indicator status. The value can be Open (enabled), Closed (disabled), or Revoked (invalid). |
| revoked | Boolean | No | Whether the indicator is revoked. The default value is No. |
| creator | String | No | Creator. |
| granular_marking | Numeric | Yes | Granularity (confidentiality level). The value can be 1 (first discovery), 2 (self-produced data), 3 (purchase required), or 4 (direct query from the external network), in descending order. |
| id | String | Yes | Unique ID, generated according to the following rule: MD5(indicator_type + value + information_source + label). |
| owner | String | No | Owner. |
| ip | Object | No | IP address. |
| indicator_type | Object | Yes | Indicator type. The value can be ipv4, ipv6, domain, email, url, hash, or un_classified. Example: {"indicator_type":"demo","id":"demo","category":"demo"} |
| close_time | String | No | Closing time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the indicator occurred. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| inactive_set_time | Timestamp | No | Expiration time. |
| update_time | String | No | Update time, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the indicator was updated. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| verdict_set_time | Timestamp | No | Verdict time. |
| severity | Numeric | No | Severity. The value varies depending on the channel and ranges from 80 to 100. |
| valid_until | Timestamp | No | End time of the validity period, in the ISO 8601 format "YYYY-MM-DDTHH:mm:ss.ms+Time zone". The time zone is that of the place where the indicator validity period ended. If this parameter cannot be parsed, the default time zone GMT+8 is used. |
| last_report_time | Timestamp | Yes | Latest occurrence time. |
| value | String | Yes | Indicator value, such as an ip, url, or domain. |
| defanged | Boolean | Yes | Whether the indicator is invalid. The default value is No. |
| extensions | String | No | Extensions. |
| count | Numeric | No | Occurrences. |
| description | String | No | Description. |
| name | String | Yes | Intelligence name. |
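The following Python script is an added example, not part of this documentation or of the SecMaster product: it applies the constraints listed in Table 1 (mandatory fields, the indicator_type and status value sets, the confidence range, the ISO 8601 time zone format, and the MD5 id rule) to a constructed row before that row is pasted into the template. Plain concatenation without a separator in the id rule, and reading the rule's "label" as the labels column, are assumptions; the sample values are placeholders.

```python
import hashlib
import re

# Value sets and ranges as given in the parameter table above.
MANDATORY = ("data_source", "environment", "is_deleted", "workspace_id", "information_source",
             "first_report_time", "create_time", "verdict", "status", "granular_marking",
             "id", "indicator_type", "last_report_time", "value", "defanged", "name")
INDICATOR_TYPES = {"ipv4", "ipv6", "domain", "email", "url", "hash", "un_classified"}
STATUSES = {"Open", "Closed", "Revoked"}
# "YYYY-MM-DDTHH:mm:ss.ms+Time zone", e.g. 2023-10-31T08:00:00.000+08:00
ISO_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?[+-]\d{2}:\d{2}$")

def indicator_id(indicator_type, value, information_source, label):
    """MD5 of indicator_type + value + information_source + label (the table's id rule).
    The page names no separator, so plain concatenation is an assumption here."""
    raw = f"{indicator_type}{value}{information_source}{label}"
    return hashlib.md5(raw.encode("utf-8")).hexdigest()

def validate_row(row):
    """Return the list of problems found; an empty list means the row passes."""
    errors = [f"missing mandatory field {k}" for k in MANDATORY if k not in row]
    itype = row.get("indicator_type", {}).get("indicator_type")
    if itype not in INDICATOR_TYPES:
        errors.append(f"unsupported indicator_type {itype!r}")
    if row.get("status") not in STATUSES:
        errors.append(f"status must be one of {sorted(STATUSES)}")
    if "confidence" in row and not 80 <= row["confidence"] <= 100:
        errors.append("confidence must be in 80..100")
    if "granular_marking" in row and row["granular_marking"] not in (1, 2, 3, 4):
        errors.append("granular_marking must be 1, 2, 3 or 4")
    for key in ("valid_from", "valid_until", "close_time", "update_time"):
        if key in row and not ISO_RE.match(row[key]):
            errors.append(f"{key} is not ISO 8601 with a numeric time zone offset")
    expected = indicator_id(itype, row.get("value", ""), row.get("information_source", ""),
                            row.get("labels", ""))  # rule's "label" read as the labels column
    if row.get("id") != expected:
        errors.append(f"id does not match the MD5 rule (expected {expected})")
    return errors

# Constructed sample row with placeholder values (not taken from the page).
SAMPLE = {
    "data_source": {"domain_id": "demo"}, "environment": {"vendor_type": "demo"},
    "is_deleted": "No", "workspace_id": "ws-placeholder", "information_source": "internal-sensor",
    "first_report_time": "2023-10-01T00:00:00.000+08:00", "create_time": "2023-10-31T00:00:00.000+08:00",
    "last_report_time": "2023-10-30T00:00:00.000+08:00", "verdict": "black", "status": "Open",
    "granular_marking": 2, "confidence": 90, "labels": "mine pool", "name": "sample domain indicator",
    "indicator_type": {"indicator_type": "domain", "id": "demo", "category": "demo"},
    "value": "bad.example", "defanged": False,
}
SAMPLE["id"] = indicator_id("domain", SAMPLE["value"], SAMPLE["information_source"], SAMPLE["labels"])
```

Running validate_row over every row of a prepared sheet before the 20 MB upload surfaces range and format problems locally instead of after a rejected import.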

Exporting Indicators

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security > SecMaster.
  3. In the navigation pane, choose Workspaces > Management. In the workspace list, click the name of the target workspace.

    Figure 3 Management

  4. In the navigation pane on the left, choose Threat Operations > Indicators.

    Figure 4 Indicators

  5. On the Indicators page, select the indicators you want to export and click in the upper right corner of the list. The Export dialog box is displayed.
  6. In the Export dialog box, set parameters.

    Table 2 Exporting indicators

    | Parameter | Description |
    | --- | --- |
    | Format | By default, the indicator list is exported as an Excel file. |
    | Columns | Select the indicator parameters to be exported. |

  7. Click OK.

    The system automatically downloads the Excel file to your local PC.