From 9a66dbeebd81d5a905e53b7b0b58ba7414b5d36d Mon Sep 17 00:00:00 2001 From: Gael Muller Date: Tue, 17 Sep 2024 14:16:47 +0200 Subject: [PATCH] Apply suggestions from code review --- docs/xdr/usecases/use_your_own_cti.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/xdr/usecases/use_your_own_cti.md b/docs/xdr/usecases/use_your_own_cti.md index 7a0ec5a4f0..1ee81e6ead 100644 --- a/docs/xdr/usecases/use_your_own_cti.md +++ b/docs/xdr/usecases/use_your_own_cti.md @@ -121,15 +121,17 @@ To get information about them check [the documentation about this endpoint](http ### Import indicators from file In this sample we will import IOC from a file. The formats currently supported along with their mime types are: + - CSV: `text/csv`, `application/csv` or `text/plain` - XLS: `application/vnd.ms-excel` or `application/octet-stream` - XLSX: `application/zip` or `application/vnd.openxmlformats-officedocument.spreadsheetml.sheet` The first step consists of uploading the file to obtain a preview. In the response of this requests we will obtain: - - A file handle that must be used to process the file - - A preview of the first lines of the file - - The detected mapping: Which column contains the indicator, the validity dates, the kill chain, the threat, ... - - Whether the first line has been detected to be ignored or not + +- A file handle that must be used to process the file +- A preview of the first lines of the file +- The detected mapping: Which column contains the indicator, the validity dates, the kill chain, the threat, ... +- Whether the first line has been detected to be ignored or not Once the preview has been generated, if everything seems right the file can be processed. The last step is to wait for the file to be completely processed. Depending on the number of indicators it can take a bit of time. @@ -160,6 +162,7 @@ content = response.json() # Then we ask the API to process the file # The API guessed the mapping and whether the first line must be ignored or not, # but in this case we assume we know it and provide it manually. +# Update this mapping depending on your files (one type per column). payload = { "file_handle": content["file_handle"], # (4)! "mapping": [