We would like to add domains to the current threat list. I would think I could add to localinteldomain or localintelhttp to have the domains be found. However, after attempting to add to either, and rebuilding the data model, nothing is found.
localdomainintel would be were you want to put your own domains. You should not need to be rebuild the threat activity datamodel. It is important to understand how the threat intel framework works. Check for your domain in the threat artifact dashboard and verify it is in the domain intelligence panel. This will provide assurance that it loaded properly. The threat intelligence audit dashboard can provide insight into this as well.
There are some additional threat generation searches that will run that will compare new events coming into the system to the threat intel that you have. Those matches are what is written into the threat activity data model and are also triggered via the correlation search. The maintenance searches run on intervals that are defined in the system so that might be another thing to tweak.
If you are looking to add a domain and then look at historical data, that is not the best mechanism to do that. You would want to do a search against the data in question and leverage a lookup, a subsearch could be used for this if you have more than a couple of domains to search against.
As a simple test you can do something like the following:
|makeresults | eval domain="mybaddomain.com" | eval description="my rad descrition" | eval weight=10 | table description, domain, weight | outputlookup append=T localdomainintel
That will write a line with your bad domain and associated description to the local lookup. From there go to the threat artifacts page (ESS>Security Intelligence>Threat Intelligence>Threat Artifacts)
And then in the dropdown for "Threat Group" select "localdomain_intel". Your values should show up there.
Now at this point, the threat matching correlation search will fire when it sees that domain in your logs, such as proxy logs, etc.
@john.glasscock - Did one of the answers below help provide a solution your question? If yes, please click “Accept” below the best answer to resolve this post and upvote anything that was helpful. If no, please leave a comment with more feedback. Thanks.