Splunk Enterprise Security

Upload Threat Intelligence not working

Azeemering
Builder

Hi,

I'm trying to upload a simple list of malicious filenames into ES Threat Intel.

I have a csv file which I formatted with the header file_name and some examples:

123.exe
123.py

I get the message: File uploaded successfully but I never see the threat artifacts appear.

When checking the index=_internal sourcetype="threatintel*" I see some errors:

ERROR pid=294087 tid=MainThread file=threat_intelligence_manager.py:process_files:558 | status="Exception when processing file." filename=filenames.csv" message="Parser does not extract a field that can be mapped to a threat intelligence collection."

I have tried many different options, files, etc...but cannot get this to work. I looked at the ES Threat Intel documentation and that gets me stuck in a loop.

What do I need to do exactly to get this to work properly with file_intel?

 

1 Solution

Azeemering
Builder

I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.


As a test create a csv file like this:

description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5

In the Enterprise Security App Go to ConfigureData EnrichmentThreat Intelligence Uploads

Azeemering_0-1632129099847.png

The most important part of uploading Threat Intel is that you format your csv file properly.

One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.

The reference for this can be found here→

https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes

Make sure you copy the exact headers and do NOT use whitespaces.

Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.

Azeemering_1-1632129306860.png

Save this.

Next important thing is to wait a few minutes for the upload to be processed by ES.

Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values:

Azeemering_2-1632129645815.png

 

 

View solution in original post

Suirand1
Explorer

I am in the same situation. Endpoint filesystem datamodel has file_hash and file_name values. I do see those values uploaded to Threat artifacts dashboard succesfully. However threatintell is not hitting it for some reason. Any help would be apreciated.

0 Karma

Azeemering
Builder

I did manage to get this to work, so I will share my findings with you so you can do the same.
There are a few important things you need to take into account.


As a test create a csv file like this:

description,file_hash,file_name,weight
test1,11111hash11111,123.py,5
test2,22222hash22222,123.exe,5

In the Enterprise Security App Go to ConfigureData EnrichmentThreat Intelligence Uploads

Azeemering_0-1632129099847.png

The most important part of uploading Threat Intel is that you format your csv file properly.

One of the greatest pain points encountered when ingesting threat indicators is the naming of fields. The threat intelligence framework expects that specific header field values are being utilized.

The reference for this can be found here→

https://docs.splunk.com/Documentation/ES/latest/Admin/Supportedthreatinteltypes

Make sure you copy the exact headers and do NOT use whitespaces.

Next; I recommend giving the default weight of 5. Make sure you fill in a meaningful Threat Category and Threat Group as these will be the values that populate the dropdowns in the Threat Intelligence dashboards.

Azeemering_1-1632129306860.png

Save this.

Next important thing is to wait a few minutes for the upload to be processed by ES.

Go to Security Intelligence->Threat Intelligence->Threat Artifacts and you will see your uploaded values:

Azeemering_2-1632129645815.png

 

 

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...