Is there a way to use lookups to add threat intelligence to the non-network based intelligence stores, such as file_intel? I know STIX and OpenIOC can populate these, however, I've got IOCs in CSVs and custom feeds of file names, hashes, etc. Thanks!
Yes absolutely, in fact, that's the default threat list style.
The csv files have to have two fields, ip and description, url and description, or domain and description.
http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists
Yes absolutely, in fact, that's the default threat list style.
The csv files have to have two fields, ip and description, url and description, or domain and description.
http://docs.splunk.com/Documentation/ES/3.3.0/Install/Configureblocklists
I've followed the instructions in the documentation for network indicators (IPs, URLs, and Domains) and it work great! However, I can not reproduce those results for fie-based indicators (file names, hashes, etc.).
fixed in updates of ES