10-12-2020 03:19 PM
I am just wondering if Cisco SecureX integration allows the import of intel via CSV file?
10-13-2020 09:25 AM
There are various ways you could do this, yes. Which one to use depends on what you're trying to do.
If you want to check for local sightings or global intelligence on observables in a CSV, you can simply paste the CSV into the SecureX investigation panel, and SecureX will extract all observables from the CSV and perform an investigation on them. For a large CSV, this won't work well, so you may need to split it up.
If you want to have the CSV be consulted as an intel or sighting source when doing investigations of other observables, you would need to do one of two things:
1: import the CSV into your private intel store that is included in SecureX. This would involve writing code to both transform it into the CTIM data model and then upload it via the SecureX API.
2: Host the CSV on your own server, create an API to accept queries from SecureX about observables and then search through the CSV locally, and reply to the query with any matches (again in CTIM format).
10-13-2020 09:29 AM - edited 10-13-2020 09:59 AM
So for use case one, investigating the contents, yes it is very easy. For use case two, using the CSV as an intel repo (or adding the contents to the internal SecureX private intel repo), there are two options and neither is particularly easy. We are working on some tools in SecureX Orchestration that will simplify this use case.
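Option 1 above comes down to mapping each CSV row onto a CTIM object and shipping the result to the private intel store. The following Python is an added example, not code from this thread or from Cisco: it turns a constructed CSV into a CTIM bundle of judgements, dropping rows whose observable value or disposition does not pass a sanity check so the API does not reject the whole upload. The column names, the disposition codes, the schema_version string and the use of a bundle as the upload unit are assumptions to confirm against the CTIM spec and SecureX API documentation you target.

```python
import csv
import re
from datetime import datetime, timezone

# Field names follow the CTIM judgement schema; disposition codes and the
# schema_version string are assumptions to check against the CTIM spec you target.
SCHEMA_VERSION = "1.1.3"
DISPOSITIONS = {"clean": 1, "malicious": 2, "suspicious": 3, "common": 4, "unknown": 5}
# Minimal sanity checks so malformed rows are dropped instead of being rejected by the API.
OBSERVABLE_PATTERNS = {
    "ip": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "domain": re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$", re.I),
    "sha256": re.compile(r"^[0-9a-f]{64}$", re.I),
}

# Constructed sample standing in for the CSV the question asks about.
SAMPLE_CSV = """observable_type,observable_value,disposition,source
domain,bad.example,malicious,Team feed
ip,198.51.100.7,suspicious,Team feed
sha256,notahash,malicious,Team feed
"""

def row_to_judgement(row, now):
    """Map one CSV row onto a CTIM judgement; return None if the row cannot be mapped."""
    otype = row["observable_type"].strip().lower()
    value = row["observable_value"].strip()
    disp_name = row["disposition"].strip().lower()
    pattern = OBSERVABLE_PATTERNS.get(otype)
    if pattern is None or not pattern.match(value) or disp_name not in DISPOSITIONS:
        return None
    return {
        "type": "judgement",
        "schema_version": SCHEMA_VERSION,
        "observable": {"type": otype, "value": value},
        "disposition": DISPOSITIONS[disp_name],
        "disposition_name": disp_name.capitalize(),
        "priority": 90,
        "confidence": "High",
        "severity": "High",
        "source": row["source"].strip(),
        "valid_time": {"start_time": now, "end_time": "2525-01-01T00:00:00.000Z"},
    }

def csv_to_bundle(text, now=None):
    """Build a CTIM bundle from CSV text (assumed to be the unit the private-intel import accepts)."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    rows = csv.DictReader(text.splitlines())
    judgements = [j for j in (row_to_judgement(r, now) for r in rows) if j is not None]
    return {"type": "bundle", "schema_version": SCHEMA_VERSION, "source": "csv-import", "judgements": judgements}
```

The returned bundle is what you would serialise as JSON and POST to the private intel API with your SecureX token; the invalid sha256 row in the sample is silently skipped, so log skipped rows in a real import.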
10-13-2020 02:11 PM
Thanks Ben!