Import data using standard format

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read

    • Import data in supported formats (STIX 2.x JSON or MISP JSON) to enable full ingestion of all STIX Domain Objects (SDOs) and MISP objects.

    Before you begin

    Role required: sn_sec_tisc.analyst

    Procedure

    1. Navigate to Workspaces > Threat Intelligence Security Center.
      Threat Intel Library page is displayed.
    2. Select Import Intelligence.
    3. Select Import from standard file card.
      Important:
      While importing the threat intelligence data in the supported file formats such as TXT, CSV, STIX 2.x JSON, MISP JSON, or Structured File, the file size is limited to 5 MB. The characters limit to raw text is limited to 10,000.
    4. On the form, fill in the fields.
      Field Description
      File Format Select the required option from the drop down list such as STIX 2.x JSON or MISP JSON.
      • STIX 2.x JSON: Select the format in STIX 2.x JSON to import.
        Note:
        All the standard STIX entities such as Observables, Indicators, Objects, and Relationships will be imported from the uploaded STIX file.
      • MISP JSON: Select the format in MISP JSON format to import.
        Note:
        MISP provides the functionality to import events, attributes, and objects using its standardized import format for seamless data ingestion.

        For details on how MISP events, along with their associated attributes and objects, are mapped to TISC entities, refer to KB2197697.
      Upload file Click this link to upload the data in the standard file format.
      Set definitions
      TLP Select the TLP indicator from the drop-down list to be applied for the imported records.
      Confidence (0-100) Define the confidence value.
      Expiry Period (days) Enter the expiry period for the imported records.
      Note:
      This is a mandatory field.
      Add Tags Use the tags to annotate or ear mark records ingested into the system from this source. Start typing the tag name in the Search bar to choose the available tags in the system or enter new tag name and click Add to assign it to the source.
      Add Observable(s) to security Control List Select this option to add observables to the appropriate security control list.

      This option allows you to directly add the observables to a security control list while importing.

      The available options in the drop-down list are:
      • Allow list
      • Deny list
      • None
      The default option is None.
      Taxonomy
      Select a Taxonomy Select the taxonomy for the imported data. Using taxonomies, define dictionaries that can be used as taxonomies assigned to threat intelligence records. For example, CAPEC nomenclature. For more information, see Creating Taxonomies.
      Select Taxonomy values Indicates the taxonomy values that are associated with the Taxonomy.
      Override source value Select this check box if you wish to over ride the source values for TLP, Confidence, and Expiration from the configured values. If you don't select this check box the default values are applied.
    5. Click Next.
    6. Review the data before submission for processing.
      Note:
      Reviewing of imported records is not supported for STIX JSON or MISP JSON option.

      After you click Next, you can see the summary of all the information that user has provided in the above section, and the below section provides you with all the records that needs to be imported.

      User can perform any type of activities and the multiple users can collaborate using the comment section which is available in the right contextual menu.

      Note:
      Any records that fail the validations are skipped from the import process and those records are not displayed on the Review & submit page for further processing.
    7. Click Update Type and select the type to update any type of the imported records.
    8. Click Delete to delete any type of the imported records.
    9. Click Submit.
      Note:

      After you submit the import record, it is directed for approval based on the configured approval rules. If the submitting user is exempt from approval, the import job is automatically approved upon submission.

    10. Click View Status to view the status of the record or click Done.
      The record displays the processed status once it is processed.
    11. Click Cancel to abort the import process.
    12. Click Go Back to go back to the previous page and review the record, if necessary.
      For more information, see Viewing all imports.