https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707561#M12234 <P>I am using these dox:<BR /><A href="https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_with_a_custom_lookup_file" target="_blank">https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_with_a_custom_lookup_file</A><BR /><BR />It is pretty straightforward but I suspect that my configuraiton is not working.&nbsp; Where are the "master lookups" that Splunk's Threat Framework uses?&nbsp; I assume that there is 1 "master lookup" each for IPv4, domains, urls, hashes, etc.&nbsp; Or perhaps they are all combined into 1.&nbsp; &nbsp;There are about 100 lookups this client's ES and I have checked out the ones that look promising but didn't find my new data so I cannot conclude anything.</P> Wed, 25 Dec 2024 19:46:28 GMT woodcock 2024-12-25T19:46:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707561#M12234 <P>I am using these dox:<BR /><A href="https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_with_a_custom_lookup_file" target="_blank">https://docs.splunk.com/Documentation/ES/8.0.1/Admin/AddThreatIntelSources#Add_threat_intelligence_with_a_custom_lookup_file</A><BR /><BR />It is pretty straightforward but I suspect that my configuraiton is not working.&nbsp; Where are the "master lookups" that Splunk's Threat Framework uses?&nbsp; I assume that there is 1 "master lookup" each for IPv4, domains, urls, hashes, etc.&nbsp; Or perhaps they are all combined into 1.&nbsp; &nbsp;There are about 100 lookups this client's ES and I have checked out the ones that look promising but didn't find my new data so I cannot conclude anything.</P> Wed, 25 Dec 2024 19:46:28 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707561#M12234 woodcock 2024-12-25T19:46:28Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707578#M12235 <P>I assume that this accepted answer is correct:<BR /><A href="https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-the-threat-feed-I-added-using-threat-intelligence/m-p/234794" target="_blank" rel="noopener">https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-use-the-threat-feed-I-added-using-threat-intelligence/m-p/234794</A><BR /><BR />So like this:</P><PRE>| `service_intel` | `process_intel` | `file_intel` | `registry_intel` | `user_intel` | `email_intel` | `certificate_intel` | `ip_intel`</PRE> Thu, 26 Dec 2024 15:39:27 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707578#M12235 woodcock 2024-12-26T15:39:27Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707581#M12236 <P>Yes, search for "_intel" in Lookup Definition and you will see all Threat Intel Lookup along with definition -&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-12-26 at 9.30.30 PM.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/33945iEA7A90F3AF383918/image-size/medium?v=v2&amp;px=400" role="button" title="Screenshot 2024-12-26 at 9.30.30 PM.png" alt="Screenshot 2024-12-26 at 9.30.30 PM.png" /></span></P><P>All lookups from the specific categories gets combined / merged and used to Threat Matching. For example, everything related to IP will fall under ip_intel lookup. </P><P>Please hit Karma, if this helps!</P> Thu, 26 Dec 2024 16:02:04 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-test-check-to-see-if-my-new-quot-local-quot-ES/m-p/707581#M12236 meetmshah 2024-12-26T16:02:04Z