https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256261#M1867 <P>So if I add some IP address on the local_ip_intel lookup file, will they appear on the "threat activity" panel?</P> Tue, 29 Sep 2020 13:51:10 GMT season88481 2020-09-29T13:51:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256259#M1865 <P>Hi,</P> <P>We use Splunk Enterprise Security (ES) and in our DATA Enrichment --&gt; List and look Ups, we have the below lists which are completely blank:</P> <P>Local Certificate Intel<BR /> Local Domain Intel<BR /> Local Email Intel<BR /> Local File Intel<BR /> Local HTTP Intel<BR /> Local IP Intel</P> <P>What i see in the ES dashboard is that legitimate websites (e.g. outlook.live.com) are being flagged under the malicious domains group. </P> <P>I see ip_intel and file_intel as the most active threat collections. I think these are being flagged incorrectly since these feeds/lists are blank.</P> <P>Should this go away if i were to disable these lists?<BR /> Also is there a recommended source from where i could populate and regularly update these lists. </P> <P>Help in the right direction would me much appreciated.</P> <P>Abbas</P> Tue, 29 Sep 2020 11:59:12 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256259#M1865 Abbasali_82 2020-09-29T11:59:12Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256260#M1866 <P>The local intel lookups are a place where you can place threat intel specific to your organization. The threat downloads coming in from external sites do not hit those lists and lookups but are extracted to threat collections which are seen in the threat artifacts dashboard. I can't speak to the presence of outlook.live.com. You can see the raw files in the SA-ThreatIntelligence subdirectory of what is coming in through the Threat Downloads section.</P> Thu, 08 Dec 2016 17:43:41 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256260#M1866 jstoner_splunk 2016-12-08T17:43:41Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256261#M1867 <P>So if I add some IP address on the local_ip_intel lookup file, will they appear on the "threat activity" panel?</P> Tue, 29 Sep 2020 13:51:10 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256261#M1867 season88481 2020-09-29T13:51:10Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256262#M1868 <P>I am also wondering the same thing. I know if it in KV (ip_intel or http_intel) then you will see it. but was wondering if its in local is there a back end search at automatically adds it to KV. Let me know if you were ale to figure it out. Would love to hear some feed back. </P> Tue, 29 Sep 2020 17:59:49 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Why-are-there-empty-ES-Lookups/m-p/256262#M1868 AbubakarShahid 2020-09-29T17:59:49Z