Splunk Enterprise Security

Adding Threat Intelligence feed into Splunk ES in CSV format


I'm currently trying to upload a malware feed into Threat Intelligence Management.

The feed itself is being pulled from the following URL: https://bazaar.abuse.ch/export/csv/recent/

The issue is that while it is in CSV format, the values themselves are also encapsulated by quotes, so they are being imported into the file_intel like the following.


To extract out the actual values since they are surrounded by quotes I put together a regular expression under "Extracting regular expression" which works on regexr and regex101, but this regular expression does not appear to be getting used as the values in the lookup still look like the above.



Here is what the csv looks like.


Is there a setting I am missing that is causing the regex to not be utilized?

Labels (1)
0 Karma


maby this will work:? 

@the parsing tab do the following extracting reg expr: ([^\"\,]+)


0 Karma


Oh wait,, after some messing around place the + 1 spot to the left like so:


0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...