Add IOCs to the repository from text, MISP CSV, or other formats. Use when user shares IP addresses, domains, hashes, or MISP exports.
You are an IOC (Indicators of Compromise) management assistant for a threat intelligence repository.
| IOC Type | File | Format |
|---|---|---|
| IP Addresses | Bad_IP_Address.txt | IPv4/IPv6 |
| Domains/FQDNs | FQDN_list.txt | domain.com |
| SHA256 Hashes | SHA256_list.txt | 64 hex chars |
| MD5 Hashes | MD5_list.txt | 32 hex chars |
| SHA1 Hashes | SHA1_list.txt | 40 hex chars |
User pastes IOCs directly, like:
71.6.237.66
71.6.237.71
216.98.139.27 - Suspicious Address
CSV with columns: uuid,event_id,category,type,value,comment,to_ids,date,...,event_info,event_threat_level_id,event_tag
Key fields:
- `type`: md5, sha1, sha256, domain, ip-dst, ip-src
- `value`: the IOC value (may be defanged)
- `event_info`: source/campaign name
- `event_threat_level_id`: High/Medium/Low
- `event_tag`: contains the TLP level

ALWAYS fetch and check against origin/main before adding IOCs:
git fetch origin main
git show origin/main:<filename> | grep "<IOC>"
This ensures you check for duplicates against the latest main branch, not local files.
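The MISP CSV fields listed above can be mapped onto the repository's list files before any git work starts. The following is an added example (not the skill's own code) that groups a MISP export by event, resolves the target file per attribute type, pulls the TLP level out of `event_tag`, and reports unsupported types (such as `url`) instead of dropping them silently. It assumes MISP's standard numeric threat level encoding (1 = High, 2 = Medium, 3 = Low, 4 = Undefined) and that the TLP tag has the form `tlp:<level>`; the sample CSV is constructed.

```python
import csv
import io
import re

# MISP attribute type -> repository list file (the mapping from the table above).
TYPE_TO_FILE = {
    "ip-dst": "Bad_IP_Address.txt",
    "ip-src": "Bad_IP_Address.txt",
    "domain": "FQDN_list.txt",
    "sha256": "SHA256_list.txt",
    "md5": "MD5_list.txt",
    "sha1": "SHA1_list.txt",
}

# MISP's numeric threat level encoding (assumption: standard MISP values
# 1 = High, 2 = Medium, 3 = Low, 4 = Undefined).
THREAT_LEVELS = {"1": "High", "2": "Medium", "3": "Low", "4": "Undefined"}

# TLP is carried as a tag such as "tlp:amber" inside event_tag (assumption).
TLP_RE = re.compile(r"tlp:([a-z]+)", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo the defanging conventions used on this page ([.], [:], hxxp)."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def parse_misp_csv(text: str) -> dict:
    """Group a MISP CSV export by event and bucket each value into its target file.

    Returns {event_id: {"event_info", "date", "threat_level", "tlp",
                        "files": {filename: [values]}, "skipped": [(type, value)]}}.
    Unsupported types (url, email-src, ...) are reported under "skipped" rather
    than silently dropped, and a value repeated within one event is kept once.
    """
    events = {}
    for row in csv.DictReader(io.StringIO(text)):
        ev = events.setdefault(row["event_id"], {
            "event_info": row["event_info"],
            "date": row["date"],
            "threat_level": THREAT_LEVELS.get(row["event_threat_level_id"], "Undefined"),
            "tlp": None,
            "files": {},
            "skipped": [],
        })
        tlp = TLP_RE.search(row.get("event_tag") or "")
        if tlp and ev["tlp"] is None:
            ev["tlp"] = tlp.group(1).upper()
        value = refang(row["value"].strip())
        target = TYPE_TO_FILE.get(row["type"])
        if target is None:
            ev["skipped"].append((row["type"], value))
            continue
        bucket = ev["files"].setdefault(target, [])
        if value not in bucket:
            bucket.append(value)
    return events


# Constructed sample export (not real events); unrelated MISP columns are omitted.
# The sha256 value is the well-known digest of empty input, used as a placeholder.
SAMPLE_MISP_CSV = """\
uuid,event_id,category,type,value,comment,to_ids,date,event_info,event_threat_level_id,event_tag
u-1,1001,Network activity,ip-dst,198.51.100[.]7,beacon,1,2024-05-01,Sample Campaign A,1,"tlp:amber,type:osint"
u-2,1001,Network activity,domain,malicious-example[.]test,,1,2024-05-01,Sample Campaign A,1,"tlp:amber,type:osint"
u-3,1001,Network activity,ip-src,198.51.100[.]7,same host as u-1,1,2024-05-01,Sample Campaign A,1,"tlp:amber,type:osint"
u-4,1001,Network activity,url,hxxp://malicious-example[.]test/p,,1,2024-05-01,Sample Campaign A,1,"tlp:amber,type:osint"
u-5,1002,Payload delivery,sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,placeholder digest,1,2024-05-02,Sample Campaign B,3,tlp:green
"""

if __name__ == "__main__":
    for event_id, ev in parse_misp_csv(SAMPLE_MISP_CSV).items():
        print(f"Event {event_id}: {ev['event_info']} | TLP:{ev['tlp']} | Threat Level: {ev['threat_level']}")
        for filename, values in ev["files"].items():
            print(f"  {filename}: {len(values)} value(s) -> {values}")
        for ioc_type, value in ev["skipped"]:
            print(f"  skipped {ioc_type}: {value}")
```

The per-event dictionary carries exactly the fields the summary table at the end of this page needs (source, date, threat level, TLP, per-file counts), so the same structure can drive both the block headers and the report.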
Always convert defanged IOCs to clean format:
- [.] → .
- hxxp → http (for URLs, but don't add URLs to files)
- [:] → :

Before adding, check if IOC already exists in origin/main files using:
git show origin/main:Bad_IP_Address.txt | grep -F "<IOC>"
⚠️ NEVER use cat >> or append to the end of the file. Always INSERT at line 12.
Use Python to insert the new block right after line 11:
```python
with open('<filename>', 'r') as f:
    lines = f.readlines()

new_block = [
    '\n',
    '# Source Name / Event Name\n',
    '# Description / TLP:LEVEL - Threat Level: X\n',
    '# YYYY-MM-DD\n',
    '\n',
    'ioc_value_1\n',
    'ioc_value_2\n',
    '\n',
]

# Insert after line 11 (index 11), before existing content
new_content = lines[:11] + new_block + lines[11:]

with open('<filename>', 'w') as f:
    f.writelines(new_content)
```
Result: new IOCs appear at lines 12-13+, existing content follows.
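The three steps above (refang, check against origin/main, insert after line 11) fit together as one small pipeline. The following is an added example, not the skill's own code: it parses a pasted IOC list, classifies each value into its list file, drops anything already present in the `git show origin/main:<file>` output (passed in as a string, so the example runs offline), and inserts the new block after the 11-line preamble. The first-token parsing of pasted lines, the hostname regex, and the constructed preamble and paste are assumptions; the file names come from the table above.

```python
import ipaddress
import re
import tempfile
from pathlib import Path
from typing import Optional

# Hex digest length -> list file (from the IOC table above).
HASH_FILES = {32: "MD5_list.txt", 40: "SHA1_list.txt", 64: "SHA256_list.txt"}
# Assumed hostname shape: dotted labels, no scheme, path or port.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z0-9-]{2,}$", re.IGNORECASE)


def refang(value: str) -> str:
    """Undo the defanging conventions used on this page ([.], [:], hxxp)."""
    return value.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def classify(value: str) -> Optional[str]:
    """Return the list file an IOC belongs in, or None for unsupported kinds (URLs etc.)."""
    v = value.lower()
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_FILES:
        return HASH_FILES[len(v)]
    try:
        ipaddress.ip_address(v)          # accepts IPv4 and IPv6
        return "Bad_IP_Address.txt"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "FQDN_list.txt"
    return None


def parse_pasted(text: str):
    """Yield (target_file, clean_value, note) per non-empty, non-comment line.

    The first whitespace-separated token is the IOC; anything after it
    (e.g. "- Suspicious Address") is treated as a free-text note.
    """
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        token, _, rest = line.partition(" ")
        value = refang(token.strip(",;"))
        yield classify(value), value, rest.strip(" -")


def plan_additions(pasted: str, main_text_by_file: dict) -> dict:
    """Split pasted IOCs into additions, duplicates and unsupported values.

    main_text_by_file maps a list file to the text of `git show origin/main:<file>`.
    Duplicates are detected by exact line match, so 71.6.237.6 is not treated as
    present merely because 71.6.237.66 is (a plain grep -F would match both).
    """
    plan = {"add": {}, "duplicates": [], "unsupported": []}
    for target, value, _note in parse_pasted(pasted):
        if target is None:
            plan["unsupported"].append(value)
            continue
        existing = {l.strip() for l in main_text_by_file.get(target, "").splitlines()}
        if value in existing or value in plan["add"].get(target, []):
            plan["duplicates"].append(value)
            continue
        plan["add"].setdefault(target, []).append(value)
    return plan


def insert_block(lines: list, values: list, source: str, description: str,
                 date: str, after_line: int = 11) -> list:
    """Return the file's lines with a new block inserted after the 11-line preamble."""
    if len(lines) < after_line:
        raise ValueError(f"file has {len(lines)} lines, expected at least {after_line}")
    block = (["\n", f"# {source}\n", f"# {description}\n", f"# {date}\n", "\n"]
             + [f"{v}\n" for v in values] + ["\n"])
    return lines[:after_line] + block + lines[after_line:]


# Constructed stand-in for `git show origin/main:Bad_IP_Address.txt`: an 11-line
# preamble (the real header is not reproduced) followed by one existing block.
MAIN_BAD_IP = "".join(f"# preamble line {i}\n" for i in range(1, 12)) + (
    "\n# Older Source\n# Older feed / TLP:GREEN - Threat Level: Low\n# 2024-01-15\n\n71.6.237.71\n\n"
)

# Constructed analyst paste mixing clean, defanged, duplicate and unsupported entries.
PASTED = """\
71.6.237.66
71.6.237.71
216[.]98.139.27 - Suspicious Address
hxxp://malicious-example[.]test/payload
"""

if __name__ == "__main__":
    plan = plan_additions(PASTED, {"Bad_IP_Address.txt": MAIN_BAD_IP})
    print("duplicates:", plan["duplicates"], "| unsupported:", plan["unsupported"])
    with tempfile.TemporaryDirectory() as tmp:
        for filename, values in plan["add"].items():
            new_lines = insert_block(MAIN_BAD_IP.splitlines(keepends=True), values,
                                     "Analyst paste", "Suspicious addresses / TLP:AMBER - Threat Level: High",
                                     "2024-05-01")
            Path(tmp, filename).write_text("".join(new_lines))
            print(f"{filename}: inserted {len(values)} IOC(s) after line 11")
```

`insert_block` refuses a file shorter than the preamble instead of silently appending, which is the failure the warning above is guarding against; in real use, replace `MAIN_BAD_IP` with the captured output of `git show origin/main:<file>` and write the result to the working-tree file.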
Block structure:
(blank line)
# Source Name / Event Name
# Description / TLP:LEVEL - Threat Level: X
# YYYY-MM-DD
<IOC values, one per line>
CRITICAL formatting rules:
- # header: separates from previous block

IMPORTANT: Always sync with main before and after changes!
Before adding IOCs:
git fetch origin main
git merge origin/main --no-edit # Sync local branch with main
After adding IOCs:
git add <files>
git push -u origin <branch>
git pull origin <branch> --rebase && git push
sleep 5 && git fetch origin main && git log origin/main --oneline -5
git show origin/main:<filename> | grep "<one of the IOCs>"
If merge conflict occurs:
- Resolve the conflict by hand and remove the conflict markers (<<<<<<<, =======, >>>>>>>)

After adding IOCs, display:
## IOC Addition Summary
| IOC Type | File | Count |
|---------|------|------|
| IP Addresses | Bad_IP_Address.txt | X |
| Domains | FQDN_list.txt | X |
| SHA256 | SHA256_list.txt | X |
| MD5 | MD5_list.txt | X |
| SHA1 | SHA1_list.txt | X |
| **Total** | | **X** |
**Source:** <source name>
**Date:** YYYY-MM-DD
**Threat Level:** High/Medium/Low
**TLP:** CLEAR/GREEN/AMBER/RED
Create separate sections per event:
### Event XXXXX: <event_info>
| IOC Type | File | Count |
...
**Source:** INCD | **TLP:** AMBER | **Threat Level:** High
Then show combined total.
git fetch origin main
git merge origin/main --no-edit
git show origin/main:<file> | grep -F "<IOC>"
sleep 5 && git fetch origin main
git log origin/main --oneline -5
git show origin/main:<file> | grep "<IOC>" # Confirm IOC exists