Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Upload Threat Intelligence not working

Azeemering
Builder
‎06-16-2021 12:29 AM

Hi,

I'm trying to upload a simple list of malicious filenames into ES Threat Intel.

I have a csv file which I formatted with the header file_name and some examples:

123.exe
123.py

I get the message: File uploaded successfully but I never see the threat artifacts appear.

When checking the index=_internal sourcetype="threatintel*" I see some errors:

ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename=filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."

I have tried many different options, files, etc...but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.

What do I need to do exactly to get this to work properly with file_intel?

 

Reply
1 Solution
Solved! Jump to solution
Solution

Azeemering
Builder
‎09-20-2021 02:25 AM

I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.


As a test create a csv file like this:

description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5

In the Enterprise Security App Go to ConfigureData EnrichmentThreat Intelligence Uploads

Azeemering_0-1632129099847.png

The most important part of uploading Threat Intel is that you format your csv file properly.

One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.

The reference for this can be found here→

https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes

Make sure you copy the exact headers and do NOT use whitespaces.

Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.

Azeemering_1-1632129306860.png

Save this.

Next important thing is to wait a few minutes for the upload to be processed by ES.

Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values:

Azeemering_2-1632129645815.png

 

 

View solution in original post

Reply
Solved! Jump to solution

Suirand1
Explorer
‎09-19-2021 11:31 PM

I am in the same situation. Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to Threat artifacts dashboard succesfully. However threatintell is not hitting it for some reason. Any help would be apreciated.

0 Karma
Reply
Solved! Jump to solution
Solution

Azeemering
Builder
‎09-20-2021 02:25 AM

I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.


As a test create a csv file like this:

description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5

In the Enterprise Security App Go to ConfigureData EnrichmentThreat Intelligence Uploads

Azeemering_0-1632129099847.png

The most important part of uploading Threat Intel is that you format your csv file properly.

One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.

The reference for this can be found here→

https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes

Make sure you copy the exact headers and do NOT use whitespaces.

Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.

Azeemering_1-1632129306860.png

Save this.

Next important thing is to wait a few minutes for the upload to be processed by ES.

Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values:

Azeemering_2-1632129645815.png

 

 

Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...