https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/707474#M12228 <P>There is an app for this, too:<BR /><A href="https://splunkbase.splunk.com/app/635" target="_blank">https://splunkbase.splunk.com/app/635</A></P> Mon, 23 Dec 2024 03:02:27 GMT woodcock 2024-12-23T03:02:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253163#M1837 <P>Hello,</P> <P>I added a new threat intelligence source in Splunk Enterprise Security (<A href="https://ransomwaretracker.abuse.ch/feeds/csv/">https://ransomwaretracker.abuse.ch/feeds/csv/</A> ). The download works fine and the list is stored in /opt/splunk/etc/aps/SA-TreatIntelligence/local/data. Then the list is included in the threat collection 'ip_intel' but at this step, I lose important information which is in the list, but not in the collection.</P> <P>So I would like to use the downloaded list as a lookup. I tried to create a lookup in SA-ThreatIntelligence/lookpus/ and modified some parameters, but no data is copied in.</P> <P>Any idea on how to do that?</P> <P>PS: I am using Splunk 6.2.4 and ES 3.3.2</P> Tue, 12 Jul 2016 12:02:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253163#M1837 Olivier44 2016-07-12T12:02:32Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253164#M1838 <P>I think the info you miss is in an other intel list you can try the <CODE>all_threat_intel</CODE> macro to see if you can find the info you are looking for. In the column threat_collection you can find list/macro that the info is in.</P> Thu, 14 Jul 2016 09:10:47 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253164#M1838 aholzel 2016-07-14T09:10:47Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253165#M1839 <P>I already used the all_threat_intel macro but I miss information too. The list I download has 9 fields and I need them all. (Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country)</P> Tue, 29 Sep 2020 10:16:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253165#M1839 Olivier44 2020-09-29T10:16:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253166#M1840 <P>Hi Oliver, did you ever get round to solving this?</P> <P>I'm having the same issue with <A href="http://ransomwaretracker.abuse.ch/feeds/csv/">http://ransomwaretracker.abuse.ch/feeds/csv/</A></P> <P>I've tried renaming the fields using regex and the field transforms, but no luck so far!</P> Thu, 05 Jan 2017 14:20:32 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253166#M1840 kerryc 2017-01-05T14:20:32Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253167#M1841 <P>Hello, I have not resolved this issue. I am still in the same version of Splunk but may be it is better in the last versions... </P> Fri, 06 Jan 2017 10:18:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253167#M1841 Olivier44 2017-01-06T10:18:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253168#M1842 <P>Hi Team,</P> <P>I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is</P> <P>index=firewall[| inputlookup iblocklist_tor.csv]</P> <P>but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.</P> <P>Thanks!<BR /> Vinod Yadav,Hi Team,</P> <P>I'm also using splunk enterprise, i have enabled few in built threat intel source,let say iblocklist_tor. I'm seeing the file is getting downloaded with a delimiter as(:). How can i lookup the list of IP addresses in my firewall logs.</P> <P>I'm trying to search like</P> <P>index=firewall[| inputlookup iblocklist_tor.csv]</P> <P>but not getting any event hit. can you please help me out with the steps what i'm missing here.</P> <P>Thanks!<BR /> Vinod Yadav</P> Mon, 15 May 2017 02:02:02 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253168#M1842 vinod50rao 2017-05-15T02:02:02Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253169#M1843 <P>Hi Team,</P> <P>I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is</P> <P>index=firewall[| inputlookup iblocklist_tor.csv]</P> <P>but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.</P> <P>Thanks!<BR /> Vinod Yadav</P> Mon, 15 May 2017 02:02:40 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/253169#M1843 vinod50rao 2017-05-15T02:02:40Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/707431#M12225 <P>This should help:<BR /><A href="https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Useintelinsearch" target="_blank">https://docs.splunk.com/Documentation/ES/7.3.2/Admin/Useintelinsearch</A></P> Sat, 21 Dec 2024 16:59:56 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/707431#M12225 woodcock 2024-12-21T16:59:56Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/707474#M12228 <P>There is an app for this, too:<BR /><A href="https://splunkbase.splunk.com/app/635" target="_blank">https://splunkbase.splunk.com/app/635</A></P> Mon, 23 Dec 2024 03:02:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-use-a-downloaded-threat/m-p/707474#M12228 woodcock 2024-12-23T03:02:27Z