Re: Add domains to threat lists

Sam2 · ‎04-02-2014

I'm looking at using Threat Lists to manage local lists of known malicious websites that I see traffic to. However, from the documentation, it seems that the threat lists are only able to work with IP addresses, not domains.

Is there anyway to get Threat Lists to work with domains rather than IPs?

If not, what would be the best way to approach this?

mcronkrite · ‎03-29-2015

Create a csv file for your domain threat list.
Upload the csv file to SplunkEnterpriseSecuritySuite/lookups
Create a lookup definition.
Create a threatlist definition.

[threatlist://malwaredomains]
delim_regex =,
description = "Threatlist:Malware domains"
fields = domain,description,category,risk
skip_header_lines = 1
type = "Threatlist:Malware"
url = "lookup://"
weight = 90
Make sure that the data source you want this threat list to match has the DEST field populated with a domain value.

dragoslungu · ‎07-01-2014

Sam, any update on this one ? I'm facing the exact same issue and I tend to believe only IP addresses are supported. Thanks !

Sam2 · ‎07-14-2014

Splunk confirmed that only IPs are useable in threat lists. You have to create your own lookups to have domains.

Add domains to threat lists

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!