I want to use a CSV (indicator file) lookup to detect the indicators available in the file and report an alert. Please suggest.
Hi Phoenix,
I would recommend using a combination of the file upload and the threat match detection type.
Ensure your CSV has a timestamp column, or use a pipeline during file upload to add an @timestamp field with the now value. This is required for the detection.
- Open the integrations page and search for "csv". Select the "Upload a file" integration.
- Go through the steps and use a specific index as destination, e.g. indicators_from_csv. Take note of the column/field name in which your indicator is stored (ip/hash/url).
- Navigate to the SIEM rules and create a new one.
- Use the indicator match type and fill out the source, query etc. as best applies, e.g.:
- Fill out your detection details and use a bigger lookback period if you want to search historically.
- Save and enable your rule.
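The procedure above, as an added example that is not part of the original reply: a Python script that builds the request bodies the steps correspond to (an ingest pipeline that stamps @timestamp, a bulk payload for the indicator index, and a threat_match rule body for the Kibana Detection Engine API, POST /api/detection_engine/rules) and then emulates locally the join that rule performs between events and indicators. The index name indicators_from_csv comes from the reply; the pipeline name, the CSV columns, the ECS event fields (destination.ip, file.hash.md5, url.full) and the rule's source indices are assumptions, and the CSV rows and events are constructed test data, not real IOCs or real logs.

```python
"""Added example: the ingest pipeline, bulk payload and threat_match rule body from the reply,
plus a local emulation of the join the rule performs. Constructed data throughout."""
import csv
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed indicator file; documentation/test values only, not real IOCs.
INDICATOR_CSV = """indicator_type,indicator_value,description
ip,203.0.113.45,example C2 address (TEST-NET-3)
ip,198.51.100.7,example scanner (TEST-NET-2)
hash,44d88612fea8a8f36de82e1278abb02f,EICAR test file MD5
url,http://malware.example.test/payload.bin,example download URL
"""
INDICATOR_INDEX = "indicators_from_csv"      # destination index named in the reply
PIPELINE_NAME = "indicators-add-timestamp"   # assumed pipeline name
# Assumed: which ECS event field each indicator_type is compared against.
EVENT_FIELD_FOR_TYPE = {"ip": "destination.ip", "hash": "file.hash.md5", "url": "url.full"}


def ingest_pipeline_body() -> dict:
    """PUT _ingest/pipeline/{PIPELINE_NAME}: copy the ingest time into @timestamp on every doc."""
    return {
        "description": "Stamp uploaded indicators with the ingest time",
        "processors": [{"set": {"field": "@timestamp", "value": "{{_ingest.timestamp}}"}}],
    }


def parse_indicators(text: str) -> List[Dict[str, str]]:
    """One document per CSV row; the value is stored under indicator.<type> so each type maps to its own field."""
    docs = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["indicator_type"].strip().lower()
        if kind not in EVENT_FIELD_FOR_TYPE:
            raise ValueError(f"unsupported indicator_type {kind!r}")
        docs.append({"indicator_type": kind, f"indicator.{kind}": row["indicator_value"].strip(),
                     "description": row["description"].strip()})
    return docs


def bulk_ndjson(docs: List[dict], now: Optional[datetime] = None) -> str:
    """POST /{INDICATOR_INDEX}/_bulk payload. @timestamp is stamped client-side here; posting with
    ?pipeline={PIPELINE_NAME} instead lets the pipeline above add it server-side."""
    stamp = (now or datetime.now(timezone.utc)).astimezone(timezone.utc).isoformat()
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": INDICATOR_INDEX}}))
        lines.append(json.dumps({"@timestamp": stamp, **doc}))
    return "\n".join(lines) + "\n"  # the bulk API requires the trailing newline


def threat_match_rule_body() -> dict:
    """POST /api/detection_engine/rules body. threat_mapping groups are OR'd, entries within a
    group are AND'd; `from` is wider than `interval` to cover the historical lookback."""
    return {
        "name": "Indicator match: indicators_from_csv",
        "description": "Event field equals an indicator uploaded from the CSV file",
        "type": "threat_match",
        "risk_score": 73,
        "severity": "high",
        "index": ["logs-*"],  # assumed source indices
        "query": "*:*",
        "threat_index": [INDICATOR_INDEX],
        "threat_query": "*:*",
        "threat_mapping": [
            {"entries": [{"field": event_field, "type": "mapping", "value": f"indicator.{kind}"}]}
            for kind, event_field in EVENT_FIELD_FOR_TYPE.items()
        ],
        "interval": "1h",
        "from": "now-24h",
    }


# Constructed events (ECS dotted names). Event 4 has the EICAR MD5 in upper case: keyword fields
# compare exactly, so it will not hit unless both sides are normalised to one case.
SAMPLE_EVENTS = [
    {"event.id": "1", "destination.ip": "203.0.113.45", "url.full": "http://benign.example.test/"},
    {"event.id": "2", "destination.ip": "192.0.2.10", "file.hash.md5": "44d88612fea8a8f36de82e1278abb02f"},
    {"event.id": "3", "destination.ip": "192.0.2.11"},
    {"event.id": "4", "destination.ip": "192.0.2.12", "file.hash.md5": "44D88612FEA8A8F36DE82E1278ABB02F"},
]


def match_events(events: List[dict], indicators: List[dict], threat_mapping: List[dict]) -> List[dict]:
    """Emulate the rule's join: an event hits when, for some group, every entry's event field exactly
    equals the indicator document's field. Returns one record per (event, indicator) pair."""
    hits = []
    for event in events:
        for ioc in indicators:
            for group in threat_mapping:
                entries = group["entries"]
                if all(e["field"] in event and event[e["field"]] == ioc.get(e["value"]) for e in entries):
                    hits.append({"event.id": event["event.id"], "indicator": ioc,
                                 "matched_on": [e["field"] for e in entries]})
                    break
    return hits
```

Running `match_events(SAMPLE_EVENTS, parse_indicators(INDICATOR_CSV), threat_match_rule_body()["threat_mapping"])` returns hits for events 1 (IP) and 2 (hash) only; event 4 misses because its hash differs in case from the indicator, which is the same exact-match behaviour you get from keyword fields in the real rule, so normalise hashes and URLs to one case before upload. `match_events` is a local stand-in for what the detection engine does, not the engine's code; the three request bodies are what you would send to Elasticsearch and Kibana with the HTTP client of your choice.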
Thanks for your response.
- How do I integrate CSV data into an index?
- How do I parse the respective fields according to the IOC detection rule?
Have you gone through the steps? They should guide you through getting this done.
