Bulk Add Queries [Feature Request]

[kev365]

Description

In the current setup, adding queries to the Indicators tab in Yeti is a manual, one-by-one process. This can be time-consuming, especially when managing large volumes of queries

Proposed Solution

Introduce a bulk-add feature in the Indicators tab that allows users to import multiple queries simultaneously. Ideally, this feature could accept inputs via CSV, TSV, or PSV format, enabling users to upload a file with a list of queries.

Use Case

Mass import of Splunk and OpenSearch/Elastic queries.

[tomchop]

Could you give us more details about your setup? Is this something you see yourself doing regularly?

If it's a one-off, you can achieve this with a 5-line python script (on top of this) that hits the Yeti API, so I don't know whether it's worth the effort of writing a full importer + UI that supports {C,T,P}SV values (and have to manage all the corner cases etc.). Happy to provide a skeleton for such script if needed.

Alternatively, if it's something that happens regularly, maybe writing a feed that grabs indicators from whatever system you're dumping them from could also be interesting?

[kev365]

Thanks @tomchop, I'm actually in the process of adding Yeti to our lab, we do both the DF and the IR here. We have several folks that work with Splunk and can get a variety of different data sources in, so creation of queries occurs fairly often. Along with the Feed data, I was interested in the feature of Yeti to be a repository for useful queries. I'd not considered using the API for uploading this data, but glad to hear that's an option, too. Overall, my interest was to have an easy way for a variety of folks to bulk add their own queries as they develop them. But I'd certainly not be picky about scripting it out.

[tomchop]

We can certainly add an upload form, but it will probably come a bit later. (we need to think about how to make a useful / bulletproof UX). In the meantime your best bet is probably to just go through the API :)