Add domains to threat lists


I'm looking at using Threat Lists to manage local lists of known malicious websites that I see traffic to. However, from the documentation, it seems that the threat lists are only able to work with IP addresses, not domains.

Is there anyway to get Threat Lists to work with domains rather than IPs?

If not, what would be the best way to approach this?

Tags (1)

Splunk Employee
Splunk Employee
  1. Create a csv file for your domain threat list.
  2. Upload the csv file to SplunkEnterpriseSecuritySuite/lookups
  3. Create a lookup definition.
  4. Create a threatlist definition.

    delim_regex =,
    description = "Threatlist:Malware domains"
    fields = domain,description,category,risk
    skip_header_lines = 1
    type = "Threatlist:Malware"
    url = "lookup://"
    weight = 90

  5. Make sure that the data source you want this threat list to match has the DEST field populated with a domain value.


Sam, any update on this one ? I'm facing the exact same issue and I tend to believe only IP addresses are supported. Thanks !

0 Karma


Splunk confirmed that only IPs are useable in threat lists. You have to create your own lookups to have domains.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...