Create a CSV file for your domain threat list.
Upload the CSV file to SplunkEnterpriseSecuritySuite/lookups.
Create a lookup definition.
Create a threatlist definition.
[threatlist://malwaredomains]
delim_regex = ,
description = "Threatlist:Malware domains"
fields = domain,description,category,risk
skip_header_lines = 1
type = "Threatlist:Malware"
url = "lookup:// "
weight = 90
Make sure that the data source you want this threat list to match has the DEST field populated with a domain value.
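As an added example (not part of the original post, and not Splunk's own tooling), the script below sanity-checks a domain threat list CSV before it is uploaded: it expects the column order to match the stanza's fields setting (domain,description,category,risk), skips one header line as skip_header_lines = 1 does, normalizes domains (lowercase, no trailing dot) so that they compare equal to the DEST values the list must match, and rejects rows with an empty or malformed domain, a non-numeric risk, or a duplicate domain. The sample CSV and the domain names in it are constructed for the example; the domain regex is an assumption that requires at least one dot, so single-label names are rejected.

```python
import csv
import io
import re

# Column order must match the `fields` setting of the threatlist stanza:
#   fields = domain,description,category,risk
THREATLIST_FIELDS = ["domain", "description", "category", "risk"]

# Constructed sample CSV (not from the original post): one header line,
# matching skip_header_lines = 1, then one row per domain. Several rows are
# deliberately bad so the checks below have something to reject.
SAMPLE_CSV = """domain,description,category,risk
Bad-Example.test.,Example C2 domain,c2,90
malware-dl.example,Example dropper host,malware,70
bad-example.test,duplicate after normalization,c2,90
,missing domain,c2,50
broken.example,non-numeric risk,malware,high
"""

# Assumed shape of a valid hostname: labels of letters/digits/hyphens, no
# leading or trailing hyphen, at least one dot, 253 chars overall at most.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$"
)


def normalize_domain(value):
    """Lowercase, trim whitespace and a trailing dot so CSV rows and DEST values compare equal."""
    return value.strip().lower().rstrip(".")


def is_valid_domain(domain):
    """True if the (already normalized) value looks like a bare domain name."""
    return bool(_DOMAIN_RE.match(domain))


def load_threatlist(text):
    """Parse the CSV the way the stanza describes it.

    Returns (rows, problems): rows maps normalized domain -> record dict,
    problems is a list of human-readable reasons for every rejected line.
    """
    reader = csv.reader(io.StringIO(text))
    header = next(reader)  # skip_header_lines = 1
    problems = []
    if [h.strip().lower() for h in header] != THREATLIST_FIELDS:
        problems.append("header %r does not match fields=%s"
                        % (header, ",".join(THREATLIST_FIELDS)))
    rows = {}
    for lineno, row in enumerate(reader, start=2):
        if len(row) != len(THREATLIST_FIELDS):
            problems.append("line %d: expected %d columns, got %d"
                            % (lineno, len(THREATLIST_FIELDS), len(row)))
            continue
        record = dict(zip(THREATLIST_FIELDS, row))
        domain = normalize_domain(record["domain"])
        if not is_valid_domain(domain):
            problems.append("line %d: invalid domain %r" % (lineno, record["domain"]))
            continue
        if not record["risk"].strip().isdigit():
            problems.append("line %d: risk %r is not an integer" % (lineno, record["risk"]))
            continue
        if domain in rows:
            problems.append("line %d: duplicate domain %r" % (lineno, domain))
            continue
        record["domain"] = domain
        record["risk"] = int(record["risk"])
        rows[domain] = record
    return rows, problems


def render_csv(rows):
    """Write the normalized rows back out in the stanza's column order, header first."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(THREATLIST_FIELDS)
    for record in rows.values():
        writer.writerow([record[f] for f in THREATLIST_FIELDS])
    return out.getvalue()


def match_dest(rows, dest):
    """Emulate the match on DEST: only a bare domain value hits, a URL or IP does not."""
    return rows.get(normalize_domain(dest))


if __name__ == "__main__":
    rows, problems = load_threatlist(SAMPLE_CSV)
    for problem in problems:
        print("REJECTED:", problem)
    print(render_csv(rows))
```

Run it over your own file by replacing SAMPLE_CSV with the file contents; anything printed as REJECTED would either be silently dropped or never match a DEST value once the list is in Splunk, and the rendered CSV is the cleaned file to upload.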