Upload a threat intelligence collection to ExtraHop Reveal(x)
By uploading threat intelligence in the Structured Threat Information eXpression (STIX) file format to your Discover and Command appliances, you can find suspicious hosts, IP addresses, and URIs in the ExtraHop Web UI.
Before you begin
Learn about threat intelligence.
Here are some important considerations about adding threat collections:
- ExtraHop currently supports STIX versions 1.0 - 1.2.
- The maximum number of observables that a threat collection can contain depends on your platform and license. Contact your ExtraHop representative for more information.
After the upload completes, the new threat collection appears in the table. You can
now view threat intelligence metrics on the Security
dashboard.
Update a threat collection
Because threat intelligence data is updated frequently (sometimes daily), you
might need to update a threat collection with the latest data. When you update a
threat collection with new data, the existing collection is deleted and replaced;
the new data is not appended to it.
Tip: The REST API offers a way to automate these updates across all appliances.
- In the System Configuration section, click Threat Intelligence.
- In the Actions column of the collection you want to update, click Update.
- (Optional): If you want to only change the display name of the collection, type a new name in the Display Name field and then click Update.
- Click Choose file and select a .tgz file that contains a STIX file.
- Click Update.
After the upload completes, the threat collection is updated.
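Because an update deletes and replaces the existing collection, it is worth checking the .tgz file locally before you select it. The following Python script is an added example, not ExtraHop code: it confirms the archive holds a STIX 1.0 - 1.2 package and counts its observables. The function names, the constructed sample data, and the `max_observables` parameter (set it to your license limit) are assumptions, and the appliance may count observables differently.

```python
import io
import tarfile
import xml.etree.ElementTree as ET

STIX_NS = "http://stix.mitre.org/stix-1"
CYBOX_NS = "http://cybox.mitre.org/cybox-2"
SUPPORTED = {"1.0", "1.0.1", "1.1", "1.1.1", "1.2"}  # STIX releases in the 1.0 - 1.2 range

def check_collection(tgz_bytes, max_observables=None):
    """Return (problems, observable_count) for a .tgz threat collection."""
    problems, count, packages = [], 0, 0
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            # Members are read in memory; nothing is extracted to disk.
            data = tar.extractfile(member).read()
            try:
                root = ET.fromstring(data)
            except ET.ParseError:
                problems.append(f"{member.name}: not well-formed XML")
                continue
            if root.tag != f"{{{STIX_NS}}}STIX_Package":
                problems.append(f"{member.name}: root element is not STIX_Package")
                continue
            packages += 1
            version = root.get("version")
            if version not in SUPPORTED:
                problems.append(f"{member.name}: STIX version {version!r} not in 1.0 - 1.2")
            # Counts every cybox:Observable element, nested ones included.
            count += sum(1 for _ in root.iter(f"{{{CYBOX_NS}}}Observable"))
    if packages == 0:
        problems.append("archive contains no STIX package")
    if max_observables is not None and count > max_observables:
        problems.append(f"{count} observables exceeds limit {max_observables}")
    return problems, count

def make_sample(version, titles):
    """Build a constructed .tgz holding one minimal STIX package (sample data)."""
    obs = "".join(f'<cybox:Observable id="obs-{i}"><cybox:Title>{t}</cybox:Title>'
                  f'</cybox:Observable>' for i, t in enumerate(titles))
    xml = (f'<stix:STIX_Package xmlns:stix="{STIX_NS}" xmlns:cybox="{CYBOX_NS}" '
           f'version="{version}"><stix:Observables>{obs}</stix:Observables>'
           f'</stix:STIX_Package>').encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("collection.xml")
        info.size = len(xml)
        tar.addfile(info, io.BytesIO(xml))
    return buf.getvalue()
```

To check a real file, pass its bytes: `check_collection(open(path, "rb").read(), max_observables=...)`. An empty problems list means the archive passed these local checks.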