Splunk Enterprise Security

Upload Threat Intelligence not working

Azeemering
Builder

Hi,

I'm trying to upload a simple list of malicious filenames into ES Threat Intel.

I have a CSV file which I formatted with the header file_name and some examples:

123.exe
123.py

I get the message: File uploaded successfully but I never see the threat artifacts appear.

When checking the index=_internal sourcetype="threatintel*" I see some errors:

ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename=filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."

I have tried many different options, files, etc., but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.

What do I need to do exactly to get this to work properly with file_intel?


0 Karma
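The parser error quoted above fires when nothing in the uploaded file can be mapped to a collection field, so a quick pre-flight check of the CSV before uploading is worthwhile. The script below is an added example, not code from the original post or from Splunk; it checks a CSV header against the field names the file_intel collection is expected to accept and reports the defects that make a header look right but fail to map (a UTF-8 BOM in front of the first field, stray whitespace, mixed case, or a file with no header row at all). The list of file_intel field names is an assumption taken from the ES threat intelligence documentation as remembered here; verify it against the version of ES you run, and the sample CSV strings are constructed.

```python
"""Pre-flight check for a CSV destined for a Splunk ES threat intelligence
collection. Constructed example; not part of the original post or of Splunk ES."""
import csv
import io

# Assumption: field names accepted by the file_intel collection, taken from the
# ES "supported fields" documentation as remembered here. Verify against your
# ES version before relying on this list.
FILE_INTEL_FIELDS = {
    "description", "file_extension", "file_hash", "file_name",
    "file_path", "file_size", "weight",
}

# Constructed sample files: the one from the post, one with hidden header
# defects, and one with no header row at all.
GOOD_CSV = "file_name\n123.exe\n123.py\n"
BOM_CSV = "\ufefffile_name \n123.exe\n"
HEADERLESS_CSV = "123.exe\n123.py\n"


def check_header(text, collection_fields=FILE_INTEL_FIELDS, collection="file_intel"):
    """Return (mappable_fields, problems) for the CSV text.

    mappable_fields lists header fields that match the collection; problems is a
    list of human-readable defects. An empty mappable list reproduces the
    condition behind the "Parser does not extract a field that can be mapped"
    error: nothing in the header names a collection field.
    """
    problems = []
    if text.startswith("\ufeff"):
        # A BOM is invisible in most editors but glues itself to the first
        # header field, so "file_name" becomes "\ufefffile_name" and no longer matches.
        problems.append("UTF-8 BOM before first header field")
        text = text.lstrip("\ufeff")

    reader = csv.reader(io.StringIO(text))
    try:
        header = next(reader)
    except StopIteration:
        return [], ["file is empty"]

    mappable = []
    for raw in header:
        name = raw.strip()
        if name != raw:
            problems.append(f"whitespace around header field {raw!r}")
        if name.lower() != name:
            problems.append(f"header field {name!r} is not lowercase")
        if name.lower() in collection_fields:
            mappable.append(name.lower())
        else:
            problems.append(f"{name!r} is not a known {collection} field")
    if not mappable:
        problems.append(f"no header field maps to the {collection} collection")

    # Data rows: skip blank lines, flag rows whose column count disagrees with the header.
    rows = [r for r in reader if any(cell.strip() for cell in r)]
    if not rows:
        problems.append("no data rows after the header")
    for lineno, row in enumerate(rows, start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} columns, header has {len(header)}")
    return mappable, problems


if __name__ == "__main__":
    for label, sample in (("good", GOOD_CSV), ("bom", BOM_CSV), ("headerless", HEADERLESS_CSV)):
        mappable, problems = check_header(sample)
        print(f"{label}: mappable={mappable} problems={problems}")
```

Run it against the actual file you upload (`check_header(open(path, encoding="utf-8").read())`) before retrying the upload; if the header checks out here and the parser still logs the same error, the problem is on the ES side (which parser or sourcetype the upload was assigned) rather than in the file itself.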