Custom Indicators

It would be great to upload custom indicators (IPs, file hashes, domains, etc.) into the Threat Intelligence capabilities of Elasticsearch Security.

I know I could index this material into Elastic using the REST API; however, I was curious whether Elastic had considered the ability to add custom indicators via the Security platform in Kibana, or if anyone has approached this in another manner.


Hello @digital-thought!

Maybe value lists are something that can help?

Value lists can be used in an Indicator Match rule.

@digital-thought If you need the indicators not only for the indicator match rule but also for other TI functionality, like the Intelligence view in Security and Threat Intelligence insights, I believe you can use a small hack and leverage Machine Learning > Data Visualizer > File to upload a CSV to an index and define the mapping for the data in the CSV. Mind, though, that the mapping should match the ECS schema for Indicator of Compromise under threat.indicator.*, and the index should either match the index pattern defined in the securitySolution:defaultThreatIndex advanced setting (by default it is logs_ti*) or you can just add the index to the pattern. As this is not officially supported, there might be things I missed that prevent it from working, but you can play with the functionality and see if it works for you.

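As an added example (not code from the thread or from Elastic), the sketch below turns a CSV of raw indicators into ECS `threat.indicator.*` documents, formatted as an Elasticsearch `_bulk` NDJSON body for the REST API route the original post mentions. The index name `logs_ti_custom` is an assumption chosen to fit the pattern quoted above (check your own `securitySolution:defaultThreatIndex` value), and the CSV columns `value` and `description` and the provider name are likewise assumptions.

```python
import csv, io, ipaddress, json, re
from datetime import datetime, timezone

# Constructed sample input: one raw indicator per row.
SAMPLE_CSV = """value,description
203.0.113.7,constructed example IP
2001:db8::1,constructed example IPv6
bad.example.com,constructed example domain
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,constructed example hash
not an indicator,skipped row
"""

HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)

def to_indicator(value):
    """Return the ECS threat.indicator object for a raw value, or None."""
    value = value.strip()
    try:
        ip = ipaddress.ip_address(value)
        return {"type": f"ipv{ip.version}-addr", "ip": str(ip)}
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in HASH_LEN:
        return {"type": "file", "file": {"hash": {HASH_LEN[len(value)]: value.lower()}}}
    if DOMAIN_RE.match(value):
        return {"type": "domain-name", "url": {"domain": value.lower()}}
    return None  # unrecognised values are reported, never indexed

def csv_to_bulk(text, index="logs_ti_custom", provider="custom"):
    """Build a _bulk NDJSON body; returns (body, skipped_values)."""
    now = datetime.now(timezone.utc).isoformat()
    lines, skipped = [], []
    for row in csv.DictReader(io.StringIO(text)):
        indicator = to_indicator(row["value"])
        if indicator is None:
            skipped.append(row["value"])
            continue
        indicator.update(provider=provider, first_seen=now,
                         description=row.get("description") or "")
        doc = {"@timestamp": now,
               "event": {"kind": "enrichment", "category": ["threat"], "type": ["indicator"]},
               "threat": {"indicator": indicator}}
        lines += [json.dumps({"index": {"_index": index}}), json.dumps(doc)]
    return "\n".join(lines) + "\n", skipped

if __name__ == "__main__":
    body, skipped = csv_to_bulk(SAMPLE_CSV)
    print(body, "skipped:", skipped)
```

The returned body is what would be sent to the `_bulk` endpoint with `Content-Type: application/x-ndjson`; the target index still needs mappings that match the ECS field types (for example `ip` for `threat.indicator.ip`).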