Indicator Detection

I want to use a CSV (indicator file) lookup to detect the indicators available in the file and report an alert. Please suggest.

Hi Phoenix,

I would recommend using a combination of file upload and the threat match detection type.

Ensure your CSV has a timestamp column, or use a pipeline during file upload to add a @timestamp field with the now value. This is required for the detection.

  1. Open the integrations page and search for csv
  2. Select the "upload a file" integration
  3. Go through the steps and use a specific index as destination, e.g. indicators_from_csv; take note of the column/field name in which your indicator is stored (ip/hash/url)
  4. Navigate to the SIEM rules and create a new one
  5. Use the indicator match type and fill out the source, query etc. as best applies
  6. Fill out your detection details and use a bigger lookback period if you want to search historically.
  7. Save and enable your rule.
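The procedure above, worked through locally as an added example (not code from the thread or from Elastic): it turns a constructed indicator CSV into an NDJSON `_bulk` body for the `indicators_from_csv` index with a `@timestamp` stamped on every row (step 3 plus the timestamp requirement), builds the ingest pipeline body that does the same stamping with a `set` processor if you prefer that route, and then runs a small stand-in for the indicator match rule over a few constructed ECS events so you can see which field-to-indicator pairs (the rule's "threat mapping", step 5) produce alerts. The column names `indicator` and `type`, the index name, the pipeline name and the field pairs in `THREAT_MAPPING` are assumptions for the example.

```python
import csv
import io
import json
from datetime import datetime, timezone

# Constructed sample indicator file (not from the thread). The "indicator"
# column holds the value; "type" says what kind it is (step 3 asks you to
# note which column holds the indicator).
INDICATOR_CSV = """indicator,type,description
198.51.100.23,ip,constructed sample address
203.0.113.9,ip,constructed sample address
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,hash,constructed sample sha256
http://example.invalid/payload,url,constructed sample url
"""

# Constructed sample events using Elastic Common Schema (ECS) field names.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-01-01T10:00:00Z", "source": {"ip": "198.51.100.23"}, "destination": {"ip": "10.0.0.5"}},
    {"@timestamp": "2024-01-01T10:01:00Z", "source": {"ip": "10.0.0.7"}, "destination": {"ip": "203.0.113.9"}},
    {"@timestamp": "2024-01-01T10:02:00Z", "file": {"hash": {"sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}}},
    {"@timestamp": "2024-01-01T10:03:00Z", "source": {"ip": "10.0.0.8"}, "url": {"full": "http://example.com/"}},
]

# Event field -> indicator type to compare it against. This mirrors the threat
# mapping an indicator match rule asks for; the pairs here are assumptions.
THREAT_MAPPING = [
    ("source.ip", "ip"),
    ("destination.ip", "ip"),
    ("file.hash.sha256", "hash"),
    ("url.full", "url"),
]


def add_timestamp_pipeline():
    """Ingest pipeline body that sets @timestamp to the ingest time, for a CSV
    without a timestamp column. PUT it to _ingest/pipeline/<name> (name assumed)."""
    return {
        "description": "Stamp CSV indicator rows with the ingest time",
        "processors": [{"set": {"field": "@timestamp", "value": "{{{_ingest.timestamp}}}"}}],
    }


def indicators_to_bulk(csv_text, index="indicators_from_csv", now=None):
    """Convert the CSV to an NDJSON _bulk body, adding @timestamp to every row so
    the indicator index satisfies the rule's timestamp requirement without a pipeline."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    lines = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        doc = {k: v.strip() for k, v in row.items()}
        doc.setdefault("@timestamp", stamp)  # keep an existing timestamp column if present
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"  # _bulk bodies must end with a newline


def load_indicators(csv_text):
    """Group indicator values by type: {"ip": {...}, "hash": {...}, "url": {...}}."""
    by_type = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_type.setdefault(row["type"].strip(), set()).add(row["indicator"].strip())
    return by_type


def get_field(doc, dotted):
    """Read a dotted ECS path such as 'source.ip' from a nested document."""
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def match_events(events, indicators, mapping=THREAT_MAPPING):
    """Local stand-in for the indicator match rule: one alert per (event, field)
    whose value appears in the indicator set of the mapped type."""
    alerts = []
    for event in events:
        for event_field, ioc_type in mapping:
            value = get_field(event, event_field)
            if value is not None and value in indicators.get(ioc_type, ()):
                alerts.append({
                    "@timestamp": event["@timestamp"],
                    "matched_field": event_field,
                    "indicator": value,
                    "indicator_type": ioc_type,
                })
    return alerts


if __name__ == "__main__":
    print(json.dumps(add_timestamp_pipeline(), indent=2))
    print(indicators_to_bulk(INDICATOR_CSV))
    for alert in match_events(SAMPLE_EVENTS, load_indicators(INDICATOR_CSV)):
        print(alert)
```

The `_bulk` body is what the file upload integration produces for you behind the scenes; generating it yourself is useful when the CSV is refreshed on a schedule and you want the same `@timestamp` handling each time. The `match_events` stand-in only shows which mapping pairs fire; in the real rule the comparison happens in Elasticsearch, with the `threat_query` restricted to indicators that are recent enough to still matter.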

Thanks for your response,

  1. How to integrate CSV data into an index?
  2. How to parse the respective fields according to the IOC detection rule?

Have you gone through the steps? They should guide you through getting this done.
