Import Indicators of compromise#

To import IOCs, either enable one of the pre-integrated IOCs feeds on the Settings->Feeds Tab or add your own custom/private TAXII/STIX/MISP/CSV…etc feed, or you can import the IOCs files manually via Indicators->Add/Import Indicators->Bulk Import Indicators from File.

To enable one of the pre-integrated IOCs feeds Click on Settings->Feeds Tab, Then Enable one of the Indicators feeds, for example here we enabled the “abuse.ch Feodo Tracker Botnet C2 IP” feed, and clicked on “Update” to trigger the feed download now.

Once the import is done, you will be able to view the indicators via the Indicators Management Page by Clicking on Indicators of the left menu.

../_images/enable_abuse_ch_feodo_tracker_botnet_c2_feed.gif

To learn how to enable custom Rules/IOCs feed, please read the custom feeds guide.
You can as well manually import the IOCs files via Indicators -> Add/Import Indicators -> Bulk Import Indicators From File.

../_images/bulk_import_indicators_to_suricata.gif

Within minute, Suricata Hosts will download those IOCs and apply them, and you should start seeing alerts if those indicators got observed in your network.