Our Security team requested this app, so we'd like to give it a try. We're in Splunk Cloud (managed, multi-tier, clustered, v8.0).
Splunk Cloud Support installed the app and the script (and presumably curl call) appears to be getting executed successfully, but we get the following error message:
06-19-2020 18:03:47.502 ERROR script - sid:1592589699.48204_791B8AB7-1DA7-4625-BB26-A1D7AF2DC563 command="getwatchlist", Error fetching watch list: <urlopen error [Errno 110] Connection timed out>
They suggested I post a request to the developer of the app, which I'm quoting below:
I am also a Cloud customer and can't run getwatchlist there either. So I have to run the addon on a Heavy Forwarder on-prem and put the data in an index. I just finished re-writing it so it runs on 8.0.5 with Python3. I just came here looking for a repo where I could post, but it doesn't look like it's in a GitHub repo. Let me know if you need a copy that runs in 8.x and I'll send it to you.
Update from Splunk Cloud regarding question about open ports "by default" and "by request":
On Search head:
By default the following ports are open to the world, unless you provided an IP to restrict access to that one,
Inputs data manager
On search head and indexers, ports other than the default are not allowed; it is possible, however, to open additional ports on the inputs data manager (IDM) instance. Note: The IDM instance is not a SHC member, so writing lookups to IDM does not make them available on (in) the Splunk Cloud SHC.