Upload STIX files through the REST API
Threat collections enable your ExtraHop system to identify suspicious IP addresses, hostnames, and URIs found in your network activity. While ExtraHop-curated threat collections are enabled by default, you can also upload a custom threat collection from free or commercial sources.
Before you begin
- For RevealX 360, you must have valid REST API credentials to make changes through the REST API and complete the procedures below. (See Create REST API credentials.)
- For sensors and ECA VMs, you must have a valid API key to make changes through the REST API and complete the procedures below. (See Generate an API key.)
- Familiarize yourself with threat intelligence.
Threat collections must be added and updated to all connected sensors and consoles. And because these sources are often updated frequently, the REST API provides the opportunity to automate updates for threat collections to all sensors and consoles.
Custom threat collections must be formatted in Structured Threat Information Expression (STIX) as compressed TAR files, such as .TGZ or TAR.GZ. ExtraHop systems currently support uploads of STIX file versions 1.0 - 1.2.
Retrieve and run the example Python script
The ExtraHop GitHub repository contains an example Python script that uploads all STIX files in a given directory to a list of sensors and consoles. First, the script reads through a CSV file that contains the URLs and API keys for each system. For each system, the script gets a list of all threat collections that are already on the system. The script then processes each STIX file in the directory for each system.
If the name of the file matches the name of a threat collection on the system, the script overwrites the threat collection with the file contents. If there are no threat collection names that match the file name, the script uploads the file to create a new threat collection.
Note: | The following procedure is not compatible with the RevealX 360 REST API. To uploads STIX files to RevealX 360, see Retrieve and run the example Python script for RevealX 360. |
Retrieve and run the example Python script for RevealX 360
The ExtraHop GitHub repository contains an example Python script that uploads all STIX files in a given directory to RevealX 360.
If the name of the file matches the name of a threat collection on RevealX 360, the script overwrites the threat collection with the file contents. If there are no threat collection names that match the file name, the script uploads the file to create a new threat collection.
Note: | The following procedure is only compatible with the RevealX 360 REST API. To uploads STIX files to sensors and ECA VMs, see Retrieve and run the example Python script. |
Thank you for your feedback. Can we contact you to ask follow up questions?