Source Requirements

Source Type: STIX
Requirements:
- Files must be STIX Version 1.0, 1.1, 1.1.1, or 1.2 and adhere to the guidelines in the STIX documentation: http://stixproject.github.io/documentation/suggested-practices/.
- STIX files can include complex indicators.
- The maximum size for a STIX file is 40MB when configured via URL download or file upload. If you have STIX files larger than this, we recommend using a TAXII server.

Source Type: Flat File
Requirements:
- Files must be ASCII text files with one observable value per line.
- Flat files include only simple indicators (one observable per indicator).
- Flat files can be up to 500 MB.
- Threat Intelligence Director does not support:
  - Delimiter characters separating observable values (for example, a line reading observable, with a trailing comma is invalid).
  - Enclosing characters around observable values (for example, "observable" with surrounding quotation marks is invalid).
- Each file should contain only one type of content:
  - SHA-256: SHA-256 hash values.
  - Domain: domain names as defined in RFC 1035.
  - URL: URLs as defined in RFC 1738.
    Note: Threat Intelligence Director normalizes any URLs that contain port, protocol, or authentication information, and uses the normalized version when detecting indicators. For example, Threat Intelligence Director normalizes any of the following URLs:
    http://example.com/index.htm
    http://example.com:8080/index.htm
    example.com:8080/index.htm
    example.com/index.htm
    as:
    example.com/index.htm
    As another example, Threat Intelligence Director normalizes the following URL:
    http://abc@example.com:8080/index.htm
    as:
    abc@example.com/index.htm/
  - IPv4: IPv4 addresses as defined in RFC 791. Threat Intelligence Director does not accept CIDR blocks.
  - IPv6: IPv6 addresses as defined in RFC 4291. Threat Intelligence Director does not accept prefix lengths.
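The following is an added example, not code from the Cisco documentation or from Threat Intelligence Director itself: a small pre-upload checker that applies the flat-file rules above (one observable per line, no delimiter or enclosing characters, a single content type per file, no CIDR blocks or prefix lengths) and a normalize_url helper that reproduces the scheme and port stripping shown in the first URL example. The delimiter set, the SHA-256 and RFC 1035 label patterns, and the SAMPLE file are assumptions; the authentication-information case from the second URL example is not reproduced.

```python
import ipaddress
import re
from urllib.parse import urlsplit
SAMPLE = "example.com\nsub.example.org\n"  # constructed sample flat file: one domain per line
SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # one RFC 1035 label (assumed shape)
CIDR_RE = re.compile(r"^[^/]+/\d{1,3}$")                  # address/prefix shape
def is_ip(value):
    try:
        return ipaddress.ip_address(value).version  # 4 or 6; 0 if not an address
    except ValueError:
        return 0

def is_domain(value):
    labels = value.split(".")
    return len(value) <= 253 and len(labels) >= 2 and all(LABEL_RE.match(l) for l in labels)

def normalize_url(url):
    # Drop scheme and port; keep host, path and query, as the page's first example shows.
    p = urlsplit(url if "://" in url else "//" + url)
    return (p.hostname or "") + p.path + ("?" + p.query if p.query else "")

def classify(value):
    # Return the content type of one line, or raise ValueError with the reason it is rejected.
    if not value or any(c in value for c in ",;\t "):  # assumed delimiter set; page names the comma
        raise ValueError("empty line or delimiter characters are not accepted")
    if value[0] in "\"'" or value[-1] in "\"'":
        raise ValueError("enclosing characters around observable values are not accepted")
    if SHA256_RE.match(value):
        return "SHA-256"
    if is_ip(value):
        return "IPv%d" % is_ip(value)
    if CIDR_RE.match(value) and is_ip(value.split("/")[0]):
        raise ValueError("CIDR blocks and prefix lengths are not accepted")
    if is_domain(value):
        return "Domain"
    host = urlsplit(value if "://" in value else "//" + value).hostname or ""
    if "/" in value and is_domain(host):
        return "URL"
    raise ValueError("not a SHA-256, domain, URL, IPv4 or IPv6 observable")

def validate_flat_file(text):
    errors, types = [], set()  # the file is acceptable only when errors stays empty
    for n, line in enumerate(text.splitlines(), 1):
        try:
            types.add(classify(line))
        except ValueError as e:
            errors.append("line %d: %s" % (n, e))
    if len(types) > 1:
        errors.append("file mixes content types: " + ", ".join(sorted(types)))
    return (types.pop() if len(types) == 1 else None), errors
```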