I'm trying to upload a simple list of malicious filenames into ES Threat Intel.
I have a csv file which I formatted with the header file_name and some examples:
I get the message: File uploaded successfully but I never see the threat artifacts appear.
When checking the index=_internal sourcetype="threatintel*" I see some errors:
ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename=filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."
I have tried many different options, files, etc., but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.
What do I need to do exactly to get this to work properly with file_intel?
I am in the same situation. Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to Threat artifacts dashboard successfully. However threatintel is not hitting it for some reason. Any help would be appreciated.
Make sure you copy the exact headers and do NOT use whitespaces.
Next, I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.
Next important thing is to wait a few minutes for the upload to be processed by ES.
Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values.
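A pre-flight check for the CSV before uploading it, as an added example that is not part of this thread or of Splunk ES: it flags the header problems (trailing whitespace, BOM, wrong case, names that are not file_intel fields) that produce the "Parser does not extract a field that can be mapped" error quoted above. It assumes, from the field names mentioned in the thread, that `file_name` and `file_hash` are the mappable file_intel headers; extend `FILE_INTEL_FIELDS` for any others you use.

```python
"""Pre-flight check for a CSV destined for the Splunk ES file_intel upload."""
import csv
import io

# Headers ES maps onto the file_intel collection. Assumption: only the two
# names that appear in the thread are listed; add others you rely on.
FILE_INTEL_FIELDS = {"file_name", "file_hash"}


def normalize_header(raw):
    """Strip what silently breaks the header match: a UTF-8 BOM, surrounding
    whitespace and upper-case letters."""
    return raw.lstrip("\ufeff").strip().lower()


def check_file_intel_csv(text):
    """Return (mappable_fields, problems) for the CSV text.

    mappable_fields: headers ES would recognise once the problems are fixed.
    problems: human-readable findings, empty when the file is clean.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or not any(rows[0]):
        return set(), ["empty file or missing header row"]
    header, problems, mappable = rows[0], [], set()
    for raw in header:
        clean = normalize_header(raw)
        if raw != clean:
            problems.append(f"header {raw!r} is not exactly {clean!r}"
                            " (whitespace, BOM or case differs)")
        if clean in FILE_INTEL_FIELDS:
            mappable.add(clean)
        else:
            problems.append(f"header {raw!r} does not map to a file_intel field")
    if not mappable:
        problems.append("no header maps to file_intel; ES will reject the file")
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {n}: {len(row)} values for {len(header)} headers")
    return mappable, problems


def normalized_csv(text):
    """Rewrite the header row with normalized names; data rows are untouched."""
    lines = text.splitlines(keepends=True)
    if not lines:
        return text
    fixed = ",".join(normalize_header(h) for h in next(csv.reader([lines[0]])))
    return fixed + "\n" + "".join(lines[1:])


# Constructed samples: BAD_CSV carries a trailing space in the header, the
# exact kind of mismatch the answer above warns about.
BAD_CSV = "file_name \ndropper.exe\nloader.dll\n"
GOOD_CSV = normalized_csv(BAD_CSV)
```

Run `check_file_intel_csv` on your file first; upload only when it returns an empty problem list, then wait the few minutes for ES to process it.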