Product question for Cisco SecureX Integration

I am just wondering if Cisco SecureX integration allows the import of intel via CSV file?

Accepted Solutions

ben.greenbaum
Cisco Employee

There are various ways you could do this, yes. Which one to use depends on what you're trying to do. 

If you want to check for local sightings or global intelligence on observables in a CSV, you can simply paste the CSV into the SecureX investigation panel, and SecureX will extract all observables from the CSV and perform an investigation on them. For a large CSV, this won't work well, so you may need to split it up. 

If you want to have the CSV be consulted as an intel or sighting source when doing investigations of other observables, you would need to do one of two things:
1: import the CSV into your private intel store that is included in SecureX. This would involve writing code to both transform it into the CTIM data model and then upload it via the SecureX API. 
2: Host the CSV on your own server, create an API to accept queries from SecureX about observables and then search through the CSV locally, and reply to the query with any matches (again in CTIM format). 



So for use case one, investigating the contents, yes it is very easy. For use case two, using the CSV as an intel repo (or adding the contents to the internal SecureX private intel repo), there are two options and neither is particularly easy. We are working on some tools in SecureX Orchestration that will simplify this use case. 

 

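The two options Ben describes for use case two both come down to the same transformation: a CSV row becomes a CTIM observable wrapped in a sighting (and, for the private intel import, an indicator plus a `sighting-of` relationship). The script below is an added example, not code from the thread or from Cisco. It reads a constructed CSV (the `type,value,description,first_seen` column layout is an assumption, not a SecureX format), builds a CTIM bundle with transient IDs for option 1, and answers an observable lookup in CTIM form the way a self-hosted relay would for option 2. The host name and API token in `upload_bundle` are placeholders you must supply; the network call is kept out of the offline run.

```python
"""CSV -> CTIM: bundle for private intel import (option 1) and a local
lookup that returns CTIM sightings for queried observables (option 2).
Added example; CSV layout, source label, host and token are assumptions."""
import csv
import io
import json
import urllib.request

# Constructed sample input (RFC 5737 test address, reserved example domain,
# SHA-256 of the empty string). Column names are our own choice.
SAMPLE_CSV = """type,value,description,first_seen
ip,203.0.113.7,C2 beacon seen in proxy logs,2024-03-01T10:00:00Z
domain,bad.example,Phishing landing page,2024-03-02T08:30:00Z
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,Dropper sample,2024-03-03T12:00:00Z
"""

CTIM_SCHEMA_VERSION = "1.1.3"   # CTIM schema line in use at time of writing
SOURCE = "csv-import"           # assumed label identifying our intel source
# CTIM observable type names SecureX will pass to a relay or accept on import
KNOWN_TYPES = {"ip", "ipv6", "domain", "url", "md5", "sha1", "sha256", "email"}


def read_rows(csv_text):
    """Parse the CSV and reject rows whose type SecureX cannot pivot on."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        if r["type"] not in KNOWN_TYPES:
            raise ValueError(f"unsupported observable type {r['type']!r}")
    return rows


def sighting_for(row, idx):
    """One CTIM sighting: the observable as seen at first_seen."""
    return {
        "type": "sighting",
        "id": f"transient:sighting-{idx}",
        "schema_version": CTIM_SCHEMA_VERSION,
        "source": SOURCE,
        "confidence": "Medium",
        "count": 1,
        "observed_time": {"start_time": row["first_seen"]},
        "observables": [{"type": row["type"], "value": row["value"]}],
        "description": row["description"],
    }


def to_bundle(rows):
    """Option 1: indicators + sightings + sighting-of relationships.
    Transient IDs are resolved by the bundle import in a single request."""
    indicators, sightings, relationships = [], [], []
    for i, r in enumerate(rows):
        ind_id = f"transient:indicator-{i}"
        sig = sighting_for(r, i)
        indicators.append({
            "type": "indicator", "id": ind_id,
            "schema_version": CTIM_SCHEMA_VERSION,
            "source": SOURCE, "producer": SOURCE,
            "title": r["description"],
            "valid_time": {"start_time": r["first_seen"]},
            "tlp": "amber", "confidence": "Medium", "severity": "Medium",
        })
        sightings.append(sig)
        relationships.append({
            "type": "relationship", "id": f"transient:rel-{i}",
            "schema_version": CTIM_SCHEMA_VERSION,
            "source": SOURCE,
            "relationship_type": "sighting-of",
            "source_ref": sig["id"], "target_ref": ind_id,
        })
    return {"type": "bundle", "source": SOURCE, "indicators": indicators,
            "sightings": sightings, "relationships": relationships}


def lookup(rows, observables):
    """Option 2: the relay's answer to a SecureX query. Input is a list of
    {"type": ..., "value": ...}; output is CTIM sightings for exact matches."""
    index = {(r["type"], r["value"]): (i, r) for i, r in enumerate(rows)}
    hits = []
    for o in observables:
        match = index.get((o.get("type"), o.get("value")))
        if match is not None:
            hits.append(sighting_for(match[1], match[0]))
    return hits


def upload_bundle(bundle, host, token):
    """Option 1 upload to the private intel (CTIA) bundle import endpoint.
    Placeholder host/token; not called in the offline run."""
    req = urllib.request.Request(
        f"https://{host}/ctia/bundle/import",
        data=json.dumps(bundle).encode(),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rows = read_rows(SAMPLE_CSV)
    print(json.dumps(to_bundle(rows), indent=2))
    print(lookup(rows, [{"type": "ip", "value": "203.0.113.7"}]))
```

`read_rows` fails closed on an unknown observable type rather than importing something SecureX will never match; `lookup` does exact matching only, so a relay built on it will not return partial or case-folded hits unless you normalise values (for example lower-casing domains and hashes) on both the CSV and query side.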


Thanks Ben! 
