Can you have multiple domain names on single url field? Or does every row have to have single domain name?
The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:
$ cat local_threatlist_domains.csv
description,domain
test,splunk.com|google.com
... wait for a while ...
$ grep splunk threatlist_by_domain_or_url.csv
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain
Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.
We'll coordinate to have the documentation corrected.
For URLs it would be good to split the url into parts. The URL can be main domain, but also has embedded cookie, referrer, etc. The threat list should be matching against all of its value within url field
I've filed a case to request this feature.
The previous answer is incorrect; threatlists do not accept a pipe-delimited field as input for the "url" or "domain" fields. This is something that can easily be tested by simply trying it out. Place an entry into local_threatlist_domains.csv and wait for the threatlist management system to merge the CSVs into the active lookup tables:
$ cat local_threatlist_domains.csv
description,domain
test,splunk.com|google.com
... wait for a while ...
$ grep splunk threatlist_by_domain_or_url.csv
splunk.com|google.com,,,test,,splunk.com|google.com,,local_threatlist_domains,threatlist_domain
Note that the output CSV does not contain multiple entries as would be required in a lookup table for matching to work properly, but retains the pipe-delimited format; thus this indicates that this is not currently supported.
We'll coordinate to have the documentation corrected.
You can separate multivalues with a pipe as a delimter, per the documentation. However, the way ES hashes out the threatlists url values, it's probably most efficient to have multiple values broken out..