IOC Management

Updated 1 week ago by Shimon Modi

Cyber observables and IOCs are the building blocks of CTI analysis, and are critical to making accurate decisions throughout the investigative workflow. But effectively managing large numbers of IOCs in your workflow is challenging. Today we are excited to release a new feature that will streamline IOC management throughout the entire indicator lifecycle. With this feature you can upload large numbers of IOCs, classify IOCs into groups, augment them with additional context, and automatically surface them in internal investigations and threat hunts. 

Read on to learn more.

Submit IOCs

TruSTAR currently supports several IOC types. The full list is available here.

Via the API

Follow the API guide: https://docs.trustar.co/api/v13/indicators/submit_indicators.html

Via the UI

We support 2 different IOC submission use cases via the UI:

1. Running List of IOCs

Let's start with the scenario where you only have a list of IOCs. If you are collecting additional context with your IOCs (like date seen, sightings count, etc.), jump to the next section.

1. Click on Submit in the top navigation bar.
2. Select the Submit IOCs option.
3. Drag and drop a file that consists of IOCs, or copy and paste the list of IOCs.

   NOTE: we will process DOC, PDF, CSV, XLS, TXT, JSON, and XML files.
4. Click Next.
5. Select the Enclaves you want to upload to.

   OPTIONAL: Add any tags you want associated with all of the IOCs.
6. Click Submit. You will be sent an email notification after all the IOCs are processed and are available for analysis and investigation. The email will have the details of how many IOCs were processed.

2. I have IOCs with additional context

We understand that some of you may have been collecting historical context for IOCs like first seen, last seen, sightings, etc. Below is the list of additional context that we currently support:

• First Seen time
• Last Seen time
• Sightings - count of how many times the IOC has been observed in a specific campaign, TTP or threat activity
• Source - where this IOC context was collected from
• Notes (description) - any human-readable notes that need to be preserved with this IOC

It is not necessary to have all this information to use this upload feature. You can use it even if you only have information for one of them, e.g. First Seen time.

The first step is to format your XLS or CSV file with the following structure:

1. The file needs to have 6 columns with the following titles (matched exactly):
   1. Value
   2. Source
   3. Notes
   4. First Seen
   5. Last Seen
   6. Sightings
2. Save the file.
3. Click on Submit > Submit IOCs in the top navigation bar.
4. Select the Upload IOC Spreadsheet option.
5. Drag and drop the file you created in Step 1.
   1. If the file submission is invalid, you will be asked to correct the file. Files at a minimum must contain the Value column header, must not be empty, and must not contain more than 10,000 rows. In addition, values provided for First Seen, Last Seen, and Sightings must be numbers.
6. Select the Enclaves you want to upload to.
   OPTIONAL: Add any tags you want associated with all of the IOCs.
7. Click Submit. You will be sent an email notification after all the IOCs are processed and are available for analysis and investigation. The email will have the details of how many IOCs were processed.
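Before uploading, it helps to check the spreadsheet locally against the rules above so the submission is not bounced back. The following is an added example, not TruSTAR's own code and not part of the original page: a small Python script that builds a CSV in the six-column layout and validates a file against the stated constraints (Value header present, file not empty, at most 10,000 rows, numeric First Seen / Last Seen / Sightings). The sample rows, the function names `validate_ioc_csv` and `build_ioc_csv`, and the choice to write First Seen / Last Seen as Unix epoch seconds are assumptions; the page only says those values must be numbers.

```python
import csv
import io

# Column titles the upload spreadsheet must carry, exactly as the page lists them.
REQUIRED_HEADERS = ["Value", "Source", "Notes", "First Seen", "Last Seen", "Sightings"]
# Columns whose values, when present, must be numbers (from the page).
NUMERIC_COLUMNS = ["First Seen", "Last Seen", "Sightings"]
MAX_ROWS = 10_000  # row limit stated on the page

# Constructed sample file: two good rows, one non-numeric Sightings, one empty Value.
# First Seen / Last Seen are written as Unix epoch seconds (an assumption).
SAMPLE_CSV = """Value,Source,Notes,First Seen,Last Seen,Sightings
203.0.113.7,internal-sensor,beaconing from host,1609459200,1609545600,3
example.invalid,partner-feed,,1609459200,,1
bad.example,partner-feed,sightings is not a number,1609459200,1609545600,three
,partner-feed,empty value cell,1609459200,1609545600,2
"""


def _is_number(cell):
    """True if the cell parses as a number (int or float)."""
    try:
        float(cell)
        return True
    except ValueError:
        return False


def validate_ioc_csv(text):
    """Check CSV text against the upload rules.

    Returns (rows, errors): rows are the records that pass, as dicts keyed by
    column title; errors are human-readable strings, one per problem found.
    """
    reader = csv.DictReader(io.StringIO(text))
    headers = reader.fieldnames or []
    errors = []
    if "Value" not in headers:
        # Without the Value header the file is rejected outright.
        return [], ["missing required 'Value' column header"]
    for h in headers:
        if h not in REQUIRED_HEADERS:
            errors.append(f"unexpected column header {h!r} (titles must match exactly)")

    rows = []
    row_count = 0
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        row_count += 1
        if row_count > MAX_ROWS:
            errors.append(f"more than {MAX_ROWS} rows; split the file before uploading")
            break
        value = (row.get("Value") or "").strip()
        if not value:
            errors.append(f"line {line_no}: empty Value")
            continue
        numeric_ok = True
        for col in NUMERIC_COLUMNS:
            cell = (row.get(col) or "").strip()
            if cell and not _is_number(cell):
                errors.append(f"line {line_no}: {col} must be a number, got {cell!r}")
                numeric_ok = False
        if numeric_ok:
            rows.append(row)
    if row_count == 0:
        errors.append("file has no data rows")
    return rows, errors


def build_ioc_csv(records):
    """Write records (dicts using any subset of REQUIRED_HEADERS as keys) as CSV
    text in the six-column layout, filling the columns you do not have with blanks."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=REQUIRED_HEADERS, restval="", lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow(rec)
    return buf.getvalue()


if __name__ == "__main__":
    good, problems = validate_ioc_csv(SAMPLE_CSV)
    print(f"{len(good)} valid rows, {len(problems)} problems")
    for p in problems:
        print(" -", p)
    # Turn a running list plus whatever context you have into an upload-ready file.
    print(build_ioc_csv([{"Value": "198.51.100.2", "Source": "constructed", "Sightings": 2}]))
```

Run it against your own export before dragging the file into the Upload IOC Spreadsheet dialog; rows that fail are reported with their line number, and `build_ioc_csv` lets you start from a plain list and fill in only the context columns you actually have.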

You will receive an email informing you that processing is complete. You will be able to go to the Explore view and start browsing through the IOCs and apply various Enclave and Tag filters.

Graph Analysis

You will be able to see the link analysis and enrichment from all your subscribed sources after you click on an IOC. With this feature you will now be able to view tags on the visualization and IOCs that have the same tag. The existing filtering and pivoting capabilities can be used for analyzing IOCs.

Delete IOC

You can delete an IOC from your list if it doesn't correlate with any submitted TruSTAR reports and isn't part of any report content.

If the IOC is part of a report, you will also have to delete the report, or update the report to remove the specific IOC.

Export IOC

You can export lists of indicators from the Explore View, based on the current filters, and from the Analysis View, based on an indicator tag selection. The export option is limited to the most recent 10,000 IOCs.
