Skip to main content

Cyware Threat Intelligence eXchange

Perform Bulk IOC Lookup

Analysts can look up bulk IOCs and check if they are present in the Intel Exchange application. You can upload a free text file of CSV, XLS, or XLSX formats with IOCs, and CTIX analyzes this information and shows you:

  • The set of IOCs that are present in Intel Exchange. You can view their details in threat data.

  • The set of IOCs that are not present in Intel Exchange. You can view the IOCs in a CSV file and download it to manually ingest selected IOCs in the platform.

Bulk IOC lookup enables you to identify IOCs in bulk from a free text file. This saves analysts the time and effort of manually going through a free text file to search for IOCs.

To lookup IOCs in Intel Exchange, follow these steps:

  1. Go to Main Menu > Collection > Threat Data.

  2. From the top right-hand corner, select Bulk IOC Lookup.

  3. Browse a file with IOCs in CSV, XLS, and XLSX formats, and click Open. The file size must be under 10 MB.

    Intel Exchange parses a maximum of 1,00,000 IOCs at one time. If your file has more than 1,00,000 IOCs, the lookup happens only for the first 1,00,000 IOCs. Intel Exchange analyzes the uploaded file, and the lookup results are retained and available for up to 6 hours.

    Note

    • Bulk Lookup feature does not support indicators prefixed with tcp:// and does not parse them. For example, tcp://147.185.221.24:63136 will not be processed.

    • If Intel Exchange encounters an IOC type of URL in the uploaded file, it is analyzed as two IOCS: a URL and a domain. For example, you upload a CSV file with 10 IOCs that includes 3 URLs. The analyzed and downloaded file will include 13 IOCs, as the 3 URLs are analyzed as 3 Domains and 3 URLs.

    • When you bulk-import the IOCs from Threat Data > CQL, the platform automatically disables the Saved Search option. To continue utilizing Saved Search, you can clear or reset the auto-populated CQL query for bulk import.

  4. To abort the process, click X next to the progress bar.

  5. To view the bulk IOC lookup results after the process is complete, click Show. This shows the threat data details of the IOCs present in Intel Exchange.

  6. Click Download CSV to download the IOCs not available in Intel Exchange.