I was looking at installing https://splunkbase.splunk.com/app/3075/ in Splunk Cloud. The documentation here -> https://training.threatconnect.com/learn/article/threatconnect-application-for-splunk-user-guide-kb-... does not specify whether it needs to be installed on the IDM or can be installed on the SH. I went ahead and installed it on my ES SH and configured the app, but now the logs are coming into lastchanceindex. Has anyone installed this in Splunk Cloud and got it working?
ThreatConnect just requires two indexes to be created. If you reference the indexes.conf file in the user guide (under installation), you will see the indexes 'tc_app_logs' and 'tc_event_data'. Create those indexes and see if that resolves the issue.