topic Re: Upload Threat Intelligence not working in Splunk Enterprise Security

Upload Threat Intelligence not working

Azeemering — Wed, 16 Jun 2021 07:29:07 GMT

Hi,

I'm trying to upload a simple list of malicious filenames into ES Threat Intel.

I have a csv file which I formatted with the header file_name and some examples:

123.exe
123.py

I get the message: File uploaded successfully but I never see the threat artifacts appear.

When checking the index=_internal sourcetype="threatintel*" I see some errors:

ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename=filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."

I have tried many different options, files, etc...but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.

What do I need to do exactly to get this to work properly with file_intel?

Re: Upload Threat Intelligence not working

Suirand1 — Mon, 20 Sep 2021 06:31:01 GMT

I am in the same situation. Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to Threat artifacts dashboard succesfully. However threatintell is not hitting it for some reason. Any help would be apreciated.

Re: Upload Threat Intelligence not working

Azeemering — Mon, 20 Sep 2021 09:25:31 GMT

I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.

As a test create a csv file like this:

description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5

In the Enterprise Security App Go to Configure→Data Enrichment→Threat Intelligence Uploads

The most important part of uploading Threat Intel is that you format your csv file properly.

One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.

The reference for this can be found here→

https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes

Make sure you copy the exact headers and do NOT use whitespaces.

Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.

Save this.

Next important thing is to wait a few minutes for the upload to be processed by ES.

Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values: