Hi,
I'm trying to upload a simple list of malicious filenames into ES Threat Intel.
I have a csv file which I formatted with the header file_name and some examples:
123.exe
123.py
I get the message: File uploaded successfully but I never see the threat artifacts appear.
When checking the index=_internal sourcetype="threatintel*" I see some errors:
ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename="filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."
I have tried many different options, files, etc., but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.
What do I need to do exactly to get this to work properly with file_intel?
I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.
As a test create a csv file like this:
description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5
In the Enterprise Security app, go to Configure→Data Enrichment→Threat Intelligence Uploads.
The most important part of uploading Threat Intel is that you format your csv file properly.
One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.
The reference for this can be found here→
https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes
Make sure you copy the exact headers and do NOT use whitespaces.
Next, I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group, as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.
Save this.
Next important thing is to wait a few minutes for the upload to be processed by ES.
Go to Security Intelligence→Threat Intelligence→Threat Artifacts and you will see your uploaded values:
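A small checker for the CSV rules in the answer above, added here as an example and not part of the original post or of Splunk ES: it rejects headers with surrounding whitespace, names outside the file_intel column set, a missing indicator column (no file_hash or file_name), a UTF-8 BOM, ragged rows and non-integer weights, and it builds a correctly formatted file from records. The allowed column set is taken from the answer's sample file (the linked docs page lists the full file_intel field set; extend FILE_INTEL_FIELDS from there), and the checks encode the advice given here rather than the actual ES parser.

```python
import csv
import io
import re

# Columns the answer's sample CSV uses for the file_intel collection; "weight"
# is the generic scoring column. Assumption: the docs page linked above is the
# authority for any further file_intel columns you want to add here.
FILE_INTEL_FIELDS = {"description", "file_hash", "file_name", "weight"}
# Without one of these there is nothing for the threat intelligence manager
# to map into the collection.
FILE_INTEL_INDICATORS = {"file_hash", "file_name"}

HEADER_RE = re.compile(r"^[a-z][a-z0-9_]*$")


def validate_threat_csv(text, allowed=FILE_INTEL_FIELDS, indicators=FILE_INTEL_INDICATORS):
    """Return a list of problems in a threat-intel CSV; an empty list means it looks mappable."""
    problems = []
    if text.startswith("\ufeff"):
        # Excel's "CSV UTF-8" adds a BOM, which turns the first header into "\ufeffdescription".
        problems.append("file starts with a UTF-8 BOM; save as plain UTF-8")
        text = text[1:]
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return ["file is empty"]
    for name in header:
        if name != name.strip():
            problems.append(f"header {name!r} has leading/trailing whitespace")
        elif not HEADER_RE.match(name):
            problems.append(f"header {name!r} is not a plain lowercase_underscore field name")
        elif name not in allowed:
            problems.append(f"header {name!r} is not a file_intel field")
    if not indicators & set(header):
        problems.append("no indicator column (file_hash or file_name), so rows cannot be mapped to file_intel")
    for lineno, row in enumerate(reader, start=2):
        if not any(row):
            continue  # blank line
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} values for {len(header)} headers")
            continue
        record = dict(zip(header, row))
        if "weight" in record and not record["weight"].strip().isdigit():
            problems.append(f"line {lineno}: weight {record['weight']!r} is not an integer")
        if not any(record.get(f) for f in indicators):
            problems.append(f"line {lineno}: no file_hash or file_name value")
    return problems


def build_file_intel_csv(records, fields=("description", "file_hash", "file_name", "weight")):
    """Write records as CSV with exact, whitespace-free headers and LF line endings."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(fields), lineterminator="\n")
    writer.writeheader()
    for rec in records:
        writer.writerow({f: rec.get(f, "") for f in fields})
    return buf.getvalue()


# Constructed sample data matching the answer's test file.
SAMPLE_RECORDS = [
    {"description": "test1", "file_hash": "11111hash11111", "file_name": "123.py", "weight": 5},
    {"description": "test2", "file_hash": "22222hash22222", "file_name": "123.exe", "weight": 5},
]

if __name__ == "__main__":
    good = build_file_intel_csv(SAMPLE_RECORDS)
    print(good)
    print("good:", validate_threat_csv(good) or "OK")
    # A misspelled header plus one with a trailing space: both leave ES with
    # no field it can map, which is the error quoted in the question.
    print("bad:", validate_threat_csv("filename,weight \n123.exe,5\n"))
```

Run it on the file before uploading; if the bad case in the script reports problems but your own file passes and the _internal error still appears, the remaining suspects are the saved encoding and line endings, which is why the builder writes plain UTF-8 with LF endings.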
I am in the same situation. The Endpoint.Filesystem data model has file_hash and file_name values. I do see those values uploaded to the Threat Artifacts dashboard successfully. However, threat intel is not hitting on them for some reason. Any help would be appreciated.