Perform Bulk IOC Lookup
Analysts can look up IOCs in bulk and check whether they are present in the CTIX application. You can upload a free-text file in CSV, XLS, or XLSX format containing IOCs; CTIX analyzes the file and shows you:
The set of IOCs that are present in CTIX. You can view their details in threat data.
The set of IOCs that are not present in CTIX. You can view the IOCs in a CSV file and download it to manually ingest selected IOCs in the platform.
Bulk IOC lookup enables you to identify IOCs in bulk from a free-text file, saving the analyst the time and effort of manually going through the file to search for IOCs.
To look up IOCs in CTIX, do the following:
Navigate to Main Menu, and select Threat Data under Collection.
From the top right-hand corner, select Bulk IOC Lookup.
Browse to a file with IOCs in CSV, XLS, or XLSX format, and click Open. The file size must be under 10 MB.
CTIX parses a maximum of 10,000 IOCs at one time. If your file has more than 10,000 IOCs, only the first 10,000 are looked up. CTIX analyzes the uploaded file; depending on its size, this process may take up to 6 hours.
Note
If CTIX encounters a URL IOC type in the uploaded file, it is analyzed as two IOCs: a URL and a Domain. For example, if you upload a CSV file with 10 IOCs, 3 of which are URLs, the analyzed and downloaded file includes 13 IOCs, because the 3 URLs are analyzed as 3 URLs and 3 Domains.
When you bulk import IOCs from Threat Data > CQL, the platform automatically disables the Saved Search option. To continue using Saved Search, clear or reset the CQL query that was auto-populated for the bulk import.
To abort the process, click X next to the progress bar.
To view the bulk IOC lookup results after the process completes, click Show. This displays the threat data details of the IOCs present in CTIX.
Click Download CSV to download the IOCs not present in CTIX.
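The following Python script is an added illustration of the workflow this page describes; it is not CTIX code and does not call the CTIX API. It extracts IOCs from a free-text report, applies the rule from the note above (each URL is analyzed as a URL plus a Domain), enforces the 10,000-IOC cap, splits the result into IOCs present and not present in a known set, and writes the missing ones to CSV. The sample report text and the KNOWN_IOCS set (a stand-in for the IOCs already in CTIX) are constructed, the extraction regexes are this example's own, and applying the cap before URL expansion is an assumption.

```python
"""Emulate a bulk IOC lookup over a free-text file (added example, not CTIX code)."""
import csv
import io
import re
from urllib.parse import urlsplit

MAX_IOCS = 10_000  # CTIX looks up at most 10,000 IOCs per upload (from the page)

# Constructed sample "free text" report; none of these values are real IOCs.
SAMPLE_TEXT = (
    "Observed beaconing from 198.51.100.23 to http://evil-example.test/panel/gate.php\n"
    f"and a dropper with sha256 {'a' * 64}\n"
    "hosted at http://cdn.example.org/update.bin. Secondary C2: bad-domain.example.\n"
    "MD5 of stage2: 0123456789abcdef0123456789abcdef\n"
)

# Constructed local store standing in for "IOCs already present in CTIX".
KNOWN_IOCS = {
    ("IPv4", "198.51.100.23"),
    ("Domain", "cdn.example.org"),
    ("MD5", "0123456789abcdef0123456789abcdef"),
}

# Patterns are applied in this order; each match is masked out before the next
# pattern runs, so the host inside a URL or a 32-hex run inside a SHA256 is not
# re-matched as a Domain or MD5. (Regexes are this example's own, kept simple.)
_PATTERNS = [
    ("URL", re.compile(r"\bhttps?://[^\s,;\"'<>]+", re.I)),
    ("IPv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("SHA256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("MD5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("Domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]


def extract_iocs(text, limit=MAX_IOCS):
    """Return an ordered, de-duplicated list of (type, value) found in free text.

    Only the first `limit` IOCs are kept, mirroring the page's 10,000 cap.
    Assumption: the cap is applied before URL expansion.
    """
    found, seen, masked = [], set(), text
    for ioc_type, pattern in _PATTERNS:
        for m in pattern.finditer(masked):
            value = m.group(0).rstrip(".,)]")  # drop sentence punctuation glued on
            if ioc_type != "URL":
                value = value.lower()  # hashes, domains and IPs are case-insensitive
            key = (ioc_type, value)
            if key not in seen:
                seen.add(key)
                found.append(key)
        masked = pattern.sub(lambda mt: " " * (mt.end() - mt.start()), masked)
    return found[:limit]


def expand_urls(iocs):
    """Apply the rule from the page: every URL is analyzed as two IOCs,
    the URL itself and its Domain. Duplicates (e.g. two URLs on one host)
    are collapsed so each (type, value) appears once."""
    out, seen = [], set()
    for ioc_type, value in iocs:
        items = [(ioc_type, value)]
        if ioc_type == "URL":
            host = urlsplit(value).hostname
            if host:
                items.append(("Domain", host))
        for item in items:
            if item not in seen:
                seen.add(item)
                out.append(item)
    return out


def bulk_lookup(text, known=KNOWN_IOCS):
    """Split the IOCs in `text` into (present, missing) against the known set."""
    iocs = expand_urls(extract_iocs(text))
    present = [i for i in iocs if i in known]
    missing = [i for i in iocs if i not in known]
    return present, missing


def missing_to_csv(missing):
    """Render the not-present IOCs as the CSV an analyst would download and review."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "value"])
    writer.writerows(missing)
    return buf.getvalue()


if __name__ == "__main__":
    present, missing = bulk_lookup(SAMPLE_TEXT)
    print(f"present in store: {len(present)}, not present: {len(missing)}")
    print(missing_to_csv(missing))
```

On the constructed report the script finds 6 raw IOCs, which become 8 after the two URLs are each expanded into a URL and a Domain; 3 of those are in the known set and 5 are written to the CSV. The page's own 10-IOCs-with-3-URLs case yields 13 entries in the same way.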