Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Adding Threat Intelligence feed into Splunk ES in CSV format

JakeInfoSec
Explorer
‎04-22-2022 09:04 AM

I'm currently trying to upload a malware feed into Threat Intelligence Management.

The feed itself is being pulled from the following URL: https://bazaar.abuse.ch/export/csv/recent/

The issue is that while it is in CSV format, the values themselves are also encapsulated by quotes, so they are being imported into the file_intel like the following.

JakeInfoSec_0-1650639667839.png

To extract out the actual values since they are surrounded by quotes I put together a regular expression under "Extracting regular expression" which works on regexr and regex101, but this regular expression does not appear to be getting used as the values in the lookup still look like the above.

JakeInfoSec_0-1650643252401.png

 

Here is what the csv looks like.

JakeInfoSec_2-1650640799840.png

Is there a setting I am missing that is causing the regex to not be utilized?

Labels (1)
Labels
0 Karma
Reply

BenjaminAbben
Loves-to-Learn
‎05-20-2022 04:36 AM

maby this will work:? 

@the parsing tab do the following extracting reg expr: ([^\"\,]+)

 

0 Karma
Reply

BenjaminAbben
Loves-to-Learn
‎05-20-2022 04:49 AM

Oh wait,, after some messing around place the + 1 spot to the left like so:

\b([^\"\,]+)\b

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...