When direct integration for data collection is not possible, manual data upload can be used. The process is as follows:
- Go to the Integrations page.
- Either select an existing integration or create a new Manual Upload integration.
- Select the upload tab.
Supported Data Types
- Detections
- Campaigns
- Visibility
- Assets (with Vulnerabilities)
Upload Process
- Download the CSV template for your chosen data type.
- Fill in the template with your data; the data type sections below describe each column, which values are required, and the defaults applied when a column is left empty.
- Upload the completed CSV file.
Important Notes
- Only one file can be uploaded per data type.
- To remove uploaded data for a data type, upload the blank CSV template for that type (the downloaded template with its header row and no data rows).
Detections
CSV Header
reference_id, name, description, level, state, logic, author, license, deprecated, prevention, techniques, platforms
Fields
| field | type | description | required | default | example |
|---|---|---|---|---|---|
| reference_id | string | Unique id that references the detection | No | NULL | 12345-1 |
| name | string | Name of the detection | Yes | n/a | Detection Name |
| description | string | Short description of the detection | No | NULL | Finds malicious activity |
| level | string | Severity level of the detection; one of [Info, Low, Medium, High, Critical] | No | Low | Medium |
| state | string | The current state of the detection; one of [ENABLED, DISABLED] | No | ENABLED | ENABLED |
| logic | string | The logic for this detection | No | { } | |
| author | string | The author of this detection | No | NULL | John Doe |
| license | string | Any license associated with this detection | No | NULL | |
| deprecated | boolean | True if this detection was previously suggested and enabled but is no longer suggested | No | False | False |
| techniques | string | Comma-separated list of technique ids this detection helps detect; quote the cell when it holds more than one value | No | NULL | T1053.002 or "T1053.002,T1053.004" |
| platforms | string | The platforms this detection is associated with, normally only one | No | NULL | Windows |

The CSV header also contains a prevention column that this table does not describe; leave it empty unless your downloaded template documents it.
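The upload steps above and the Detections field table together define what a valid file looks like. The following script is an added example (not code from the product or this documentation) that writes a Detections CSV matching the header, joins multi-valued cells with commas so the csv module quotes them the way the techniques example shows, and rejects out-of-range level and state values before anything is uploaded. The column list is taken from the CSV header; the function names and the sample detections are constructed for this example.

```python
import csv
import io

# Column order taken from the Detections CSV header in this document.
# "prevention" appears in the header but is not described in the field
# table, so this example always leaves it empty.
DETECTION_COLUMNS = [
    "reference_id", "name", "description", "level", "state", "logic",
    "author", "license", "deprecated", "prevention", "techniques", "platforms",
]
# Allowed values from the field table; an empty cell lets the service apply
# its documented default (Low, ENABLED, ...).
LEVELS = {"Info", "Low", "Medium", "High", "Critical"}
STATES = {"ENABLED", "DISABLED"}
LIST_COLUMNS = {"techniques", "platforms"}


def build_detection_row(detection: dict) -> dict:
    """Validate one detection and return a dict keyed by every template column.

    List values are joined with commas; csv.DictWriter then quotes the cell
    because it contains the delimiter, producing e.g. "T1053.002,T1053.004".
    """
    if not detection.get("name"):
        raise ValueError("name is required")
    unknown = set(detection) - set(DETECTION_COLUMNS)
    if unknown:
        raise ValueError(f"unknown column(s): {sorted(unknown)}")
    row = {col: "" for col in DETECTION_COLUMNS}
    for key, value in detection.items():
        if key in LIST_COLUMNS and isinstance(value, (list, tuple)):
            value = ",".join(value)
        elif isinstance(value, bool):
            value = "True" if value else "False"
        row[key] = value
    if row["level"] and row["level"] not in LEVELS:
        raise ValueError(f"level must be one of {sorted(LEVELS)}, got {row['level']!r}")
    if row["state"] and row["state"] not in STATES:
        raise ValueError(f"state must be one of {sorted(STATES)}, got {row['state']!r}")
    return row


def detections_to_csv(detections) -> str:
    """Render detections as CSV text whose first line is the template header."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=DETECTION_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for detection in detections:
        writer.writerow(build_detection_row(detection))
    return buf.getvalue()


# Constructed sample detections (hypothetical content, not from the product).
SAMPLE_DETECTIONS = [
    {
        "reference_id": "12345-1",
        "name": "Suspicious scheduled job creation",
        "description": "Finds scheduled jobs created outside change windows",
        "level": "Medium",
        "state": "ENABLED",
        "author": "John Doe",
        "deprecated": False,
        "techniques": ["T1053.002", "T1053.004"],  # becomes one quoted cell
        "platforms": "Windows",
    },
    {
        # Minimal row: only name is required; level/state fall back to defaults.
        "reference_id": "12345-2",
        "name": "Cron job written to /etc/cron.d",
        "techniques": "T1053.003",
        "platforms": "Linux",
    },
]

if __name__ == "__main__":
    with open("detections.csv", "w", newline="") as fh:
        fh.write(detections_to_csv(SAMPLE_DETECTIONS))
```

Open the resulting file in a text editor rather than a spreadsheet before uploading: spreadsheet applications commonly strip the quotes around comma-separated cells or reformat values such as 12345-1, which changes what the service receives.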
Campaigns
CSV Header
name, reference_id, description, softwares, techniques, threat_groups, vulnerabilities, first_seen_timestamp, last_seen_timestamp, reference_url
Fields
| field | type | description | required | default | example |
|---|---|---|---|---|---|
| name | string | Name of the campaign | Yes | n/a | #StopRansomware: ALPHV Blackcat |
| reference_id | string | Unique identifier that references the campaign | Yes | n/a | 1234-5678 |
| description | string | Short description of the campaign | Yes | n/a | The FBI and CISA have released a joint cybersecurity advisory detailing the ALPHV Blackcat ransomware as a service (RaaS). The advisory provides updates on the ransomware, including a new version that can encrypt both Windows and Linux devices. ALPHV Blackcat affiliates have compromised over 1000 entities, demanded over $500 million, and received nearly $300 million in ransom payments |
| softwares | string | Comma-separated list of software/malware ids associated with the campaign | No | NULL | S1028 or "S1000,S1028" |
| techniques | string | Comma-separated list of technique ids associated with the campaign | No | NULL | T0893 or "T0882,T0893" |
| threat_groups | string | Comma-separated list of threat group ids associated with the campaign | No | NULL | G0007 or "G0007,G0032" |
| vulnerabilities | string | Comma-separated list of vulnerability CVE ids associated with the campaign | No | NULL | CVE-2023-6200 or "CVE-2023-6200,CVE-2024-0841" |
| first_seen_timestamp | datetime | The time at which activity from this campaign was first observed, in ISO 8601 format as in the example | No | NULL | 2023-01-29T11:43:37.275516 |
| last_seen_timestamp | datetime | The time at which activity from this campaign was last observed, in ISO 8601 format as in the example | No | NULL | 2024-01-01T11:43:37.275516 |
| reference_url | string | Link to the campaign reference | No | NULL | http://example.com/campaigns/blackhat-2023-1345 |
Visibility
CSV Header
name, categories, windows, linux, mac
Fields
| field | type | description | required | default | example |
|---|---|---|---|---|---|
| name | string | Unique name | Yes | n/a | Sysmon Event Code 1 |
| categories | string (comma-separated) | A list of visibility categories this visibility provides; quote the cell when it holds more than one value | No | NULL | "Process Creation, Command Execution" |
| windows | boolean | If this visibility is for Windows systems | No | False | "True" |
| linux | boolean | If this visibility is for Linux systems | No | False | "True" |
| mac | boolean | If this visibility is for macOS systems | No | False | "True" |
Assets (with Vulnerabilities)
CSV Header
reference_id, name, hostname, description, platform, operating_system, critical, ipv4s, ipv6s, cves
Fields
| field | type | description | required | default | example |
|---|---|---|---|---|---|
| reference_id | string | Unique id that references the asset | Yes | n/a | 12345-1 |
| name | string | Name of the asset | Yes | n/a | ad-server.local |
| hostname | string | Hostname of the asset | Yes | n/a | ad-server.local |
| description | string | Short description of the asset | No | No description provided | Active Directory Server |
| platform | string | High level operating system platform | No | NULL | Windows |
| operating_system | string | Specific operating system version | No | NULL | Windows 10 |
| critical | boolean | If the asset has been flagged as critical to the organization | No | False | True |
| ipv4s | string | Comma-separated list of IPv4 addresses associated with the asset | No | NULL | 192.168.1.20 or "192.168.1.20,192.168.1.21" |
| ipv6s | string | Comma-separated list of IPv6 addresses associated with the asset | No | NULL | 2001:db8:3333:4444:5555:6666:7777:8888 or "2001:db8:3333:4444:5555:6666:7777:8888,2001:db8:3333:4444:CCCC:DDDD:EEEE:FFFF" |
| cves | string | Comma-separated list of vulnerability CVE ids associated with the asset | No | NULL | CVE-2023-6200 or "CVE-2023-6200,CVE-2024-0841" |
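Because only one file is accepted per data type and a bad row is easier to fix locally than after a rejected upload, it is worth checking an Assets CSV against the table above before uploading it. The script below is an added example (not code from the product or this documentation): it checks the header against the template, the required columns, that reference_id values are unique, that critical is a boolean, that every address in ipv4s and ipv6s parses as the right IP version, and that every cves entry has the CVE-YYYY-NNNN shape. It also builds the header-only template that the Important Notes section says removes a data type's uploaded data. The function names and the sample CSV (which deliberately contains mistakes on its last two rows) are constructed for this example.

```python
import csv
import io
import ipaddress
import re

# Column order taken from the Assets CSV header in this document.
ASSET_COLUMNS = [
    "reference_id", "name", "hostname", "description", "platform",
    "operating_system", "critical", "ipv4s", "ipv6s", "cves",
]
REQUIRED = ("reference_id", "name", "hostname")
BOOLEANS = {"True", "False", ""}          # empty cell means the False default
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # CVE ids are upper-case, 4-digit year, 4+ digit sequence


def _split(cell: str) -> list:
    """Split a comma-separated cell; an empty cell yields no values."""
    return [part.strip() for part in cell.split(",") if part.strip()]


def validate_assets_csv(text: str) -> list:
    """Return the problems found in an Assets CSV; an empty list means it is ready to upload."""
    problems = []
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != ASSET_COLUMNS:
        problems.append(f"header mismatch: {reader.fieldnames}")
        return problems  # column positions are unreliable, stop here
    seen_ids = set()
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        for col in REQUIRED:
            if not row[col]:
                problems.append(f"line {lineno}: {col} is required")
        rid = row["reference_id"]
        if rid in seen_ids:
            problems.append(f"line {lineno}: duplicate reference_id {rid!r}")
        seen_ids.add(rid)
        if row["critical"] not in BOOLEANS:
            problems.append(f"line {lineno}: critical must be True or False, got {row['critical']!r}")
        for col, version in (("ipv4s", 4), ("ipv6s", 6)):
            for addr in _split(row[col]):
                try:
                    if ipaddress.ip_address(addr).version != version:
                        problems.append(f"line {lineno}: {addr} is not IPv{version}")
                except ValueError:
                    problems.append(f"line {lineno}: {addr!r} is not an IP address")
        for cve in _split(row["cves"]):
            if not CVE_RE.match(cve):
                problems.append(f"line {lineno}: {cve!r} is not a CVE id")
    return problems


def blank_template(columns) -> str:
    """Header-only CSV; uploading it for a data type removes that type's data."""
    return ",".join(columns) + "\n"


# Constructed sample file: line 2 is clean, line 3 has a non-boolean critical
# value, line 4 repeats a reference_id, has a malformed IPv4 address, an IPv4
# address in the ipv6s column and a lower-case CVE id.
SAMPLE_ASSETS_CSV = """reference_id,name,hostname,description,platform,operating_system,critical,ipv4s,ipv6s,cves
12345-1,ad-server.local,ad-server.local,Active Directory Server,Windows,Windows Server 2019,True,"192.168.1.20,192.168.1.21",2001:db8:3333:4444:5555:6666:7777:8888,"CVE-2023-6200,CVE-2024-0841"
12345-2,web-01,web-01.example.internal,,Linux,Ubuntu 22.04,yes,10.0.0.5,,CVE-2024-0841
12345-1,db-01,db-01.example.internal,,Linux,,False,"10.0.0.300,192.168.1.20","10.0.0.5",cve-2024-1234
"""

if __name__ == "__main__":
    for problem in validate_assets_csv(SAMPLE_ASSETS_CSV):
        print(problem)
```

The same structure (header check, required columns, per-column parsers) carries over to the Detections, Campaigns and Visibility templates; only the column list and the per-column rules change.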