Import and Export IOCs
Applies To: WatchGuard Advanced EPDR
From the IOC Gallery, you can import and export IOCs.
Import IOCs
Compatible import files are in STIX, YARA, or comma-separated value format. You cannot import an IOC that has the same ID as another IOC that is part of a search task that is in progress. The ID is available in the STIX file. For information on how to review the STIX file, go to View the Original STIX File.
To import an IOC:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- In the upper-right corner of the page, click Import.
The Import dialog box opens.
- Click Select File.
- Select a file.
Compatible files are in STIX, YARA, or comma-separated value format.
- Click Import.
- If an IOC in the import file already exists, select whether to:
  - Replace — Replaces the existing IOC with the new one.
  - Ignore — Ignores the new IOC and keeps the existing one.
When you import IOCs, you must review and approve the search statement before a search task can use the IOC. IOCs that require approval display as STIX (Pending Approval). For more information, go to Manage IOCs.
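A pre-import check for the two points above, the IOC ID and the search statement you must review, as an added example that is not WatchGuard code. It assumes the file is a STIX 2.x JSON bundle; `precheck`, `busy_ids`, and the sample bundle are hypothetical names and constructed values, and the list of IDs in use by running search tasks is something you collect yourself.

```python
import json

# Constructed sample: a minimal STIX 2.x bundle with placeholder values, not real IOCs.
A = "indicator--11111111-1111-4111-8111-111111111111"
B = "indicator--22222222-2222-4222-8222-222222222222"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": A, "name": "Constructed sample A",
         "pattern_type": "stix", "pattern": "[file:name = 'sample-a.exe']"},
        {"type": "indicator", "id": B, "name": "Constructed sample B",
         "pattern_type": "stix", "pattern": "[file:name = 'sample-b.exe']"},
        {"type": "indicator", "id": A, "name": "Constructed duplicate of A",
         "pattern_type": "stix", "pattern": "[file:name = 'sample-a2.exe']"},
        {"type": "malware", "id": "malware--33333333-3333-4333-8333-333333333333",
         "name": "Not an indicator"},
    ],
})

def precheck(bundle_text, busy_ids=()):
    """Return (indicators, problems) for a STIX 2.x JSON bundle.
    busy_ids: IDs of IOCs used by search tasks in progress (hypothetical
    input, gathered by hand from the console)."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    indicators, problems, seen = [], [], set()
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # only indicators carry a pattern to review
        ioc_id = obj.get("id", "")
        if not ioc_id.startswith("indicator--"):
            problems.append((ioc_id, "malformed id"))
        if ioc_id in seen:
            problems.append((ioc_id, "duplicate id inside the file"))
        if ioc_id in busy_ids:
            problems.append((ioc_id, "id in use by a running search task"))
        if not obj.get("pattern"):
            problems.append((ioc_id, "no pattern to review"))
        seen.add(ioc_id)
        indicators.append((ioc_id, obj.get("name", ""), obj.get("pattern", "")))
    return indicators, problems

if __name__ == "__main__":
    iocs, issues = precheck(SAMPLE_BUNDLE, {B})
    for row in iocs:
        print(*row, sep=" | ")       # ID, name, pattern to read before approval
    for ioc_id, reason in issues:
        print("CHECK:", ioc_id, reason)
```
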
To filter items in the IOC list, use the search bar in the IOC Gallery. Enter the name or description of an IOC to show only items from the list that meet the search criteria.
Export IOCs
You can export one or multiple IOCs from the IOC Gallery to a JSON file.
To export a single IOC:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- In the row of the IOC you want to export, click and select Export.
A JSON file with the IOC definition downloads to your computer.
To export multiple IOCs:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Settings.
- Select IOC Gallery.
- Select the check box for each IOC you want to export.
- In the toolbar, click Export.
A JSON file with the IOC definitions downloads to your computer.