https://community.splunk.com/t5/Security/Splunk-Enterprise-Security-Intelligence-Github-Data-Pulling-Why/m-p/648063#M17052 <P>Hi Team,</P> <P>&nbsp;</P> <P>I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.</P> <P>I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"</P> <P>&nbsp;</P> <P>My configurations are below:</P> <P>&nbsp;</P> <P>1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.</P> <P>2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details:&nbsp;</P> <P>3. Unchecked "Threat Intelligence" Box.</P> <P>4. File Parser Auto</P> <P>5. Delimiting regular expression setting as : ,</P> <P>6. Ignoring regular expression setting as :&nbsp;(^#|^\s*$)</P> <P>7. field section: mac:$1,vendor:$2</P> <P>8. skip header lines : 0</P> <P>with rest configured as default only.</P> <P>Sample Event showing successful file download:</P> <P><SPAN class="">INFO</SPAN> <SPAN class="">pid=28775</SPAN> <SPAN class="">tid=MainThread</SPAN> <SPAN class="">file=threatlist.py:download_threatlist_file:549</SPAN><SPAN> | </SPAN><SPAN class="">stanza=</SPAN><SPAN>"</SPAN><SPAN class=""><SPAN class="">mac_ioc</SPAN></SPAN><SPAN>" </SPAN><SPAN class="">retries_remaining=</SPAN><SPAN>"</SPAN><SPAN class="">3</SPAN><SPAN>" </SPAN><SPAN class="">status=</SPAN><SPAN>"</SPAN><SPAN class="">threat</SPAN> <SPAN class="">list</SPAN> <SPAN class="">downloaded</SPAN><SPAN>" </SPAN><SPAN class="">file=</SPAN><SPAN>"</SPAN><SPAN class="">/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc</SPAN><SPAN>" </SPAN><SPAN class="">bytes=</SPAN><SPAN>"</SPAN><SPAN class="">678565</SPAN><SPAN>" </SPAN><SPAN class="">url=</SPAN><SPAN>"</SPAN><SPAN class=""><A href="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af9115e47365f4118e5f6/mac-vendor.txt" target="_blank" rel="noopener">https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af9115e47365f4118e5f6/mac-vendor.txt</A>"</SPAN></P> <P>What I am missing to see this information in Splunk S.A Intelligence?</P> Mon, 26 Jun 2023 14:00:39 GMT joomla 2023-06-26T14:00:39Z https://community.splunk.com/t5/Security/Splunk-Enterprise-Security-Intelligence-Github-Data-Pulling-Why/m-p/648063#M17052 <P>Hi Team,</P> <P>&nbsp;</P> <P>I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.</P> <P>I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"</P> <P>&nbsp;</P> <P>My configurations are below:</P> <P>&nbsp;</P> <P>1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.</P> <P>2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details:&nbsp;</P> <P>3. Unchecked "Threat Intelligence" Box.</P> <P>4. File Parser Auto</P> <P>5. Delimiting regular expression setting as : ,</P> <P>6. Ignoring regular expression setting as :&nbsp;(^#|^\s*$)</P> <P>7. field section: mac:$1,vendor:$2</P> <P>8. skip header lines : 0</P> <P>with rest configured as default only.</P> <P>Sample Event showing successful file download:</P> <P><SPAN class="">INFO</SPAN> <SPAN class="">pid=28775</SPAN> <SPAN class="">tid=MainThread</SPAN> <SPAN class="">file=threatlist.py:download_threatlist_file:549</SPAN><SPAN> | </SPAN><SPAN class="">stanza=</SPAN><SPAN>"</SPAN><SPAN class=""><SPAN class="">mac_ioc</SPAN></SPAN><SPAN>" </SPAN><SPAN class="">retries_remaining=</SPAN><SPAN>"</SPAN><SPAN class="">3</SPAN><SPAN>" </SPAN><SPAN class="">status=</SPAN><SPAN>"</SPAN><SPAN class="">threat</SPAN> <SPAN class="">list</SPAN> <SPAN class="">downloaded</SPAN><SPAN>" </SPAN><SPAN class="">file=</SPAN><SPAN>"</SPAN><SPAN class="">/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc</SPAN><SPAN>" </SPAN><SPAN class="">bytes=</SPAN><SPAN>"</SPAN><SPAN class="">678565</SPAN><SPAN>" </SPAN><SPAN class="">url=</SPAN><SPAN>"</SPAN><SPAN class=""><A href="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af9115e47365f4118e5f6/mac-vendor.txt" target="_blank" rel="noopener">https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af9115e47365f4118e5f6/mac-vendor.txt</A>"</SPAN></P> <P>What I am missing to see this information in Splunk S.A Intelligence?</P> Mon, 26 Jun 2023 14:00:39 GMT https://community.splunk.com/t5/Security/Splunk-Enterprise-Security-Intelligence-Github-Data-Pulling-Why/m-p/648063#M17052 joomla 2023-06-26T14:00:39Z