Archive
Highlighted

How to troubleshoot why I'm not getting any data in the iSight Partners ThreatScape App?

New Member

Hi All,

I installed the iSight Partners ThreatScape App, but data is unavailable in Splunk.
What could be the possible reason for this? Please help

Thank you,
Nidhi Gupta

0 Karma
Highlighted

Re: How to troubleshoot why I'm not getting any data in the iSight Partners ThreatScape App?

New Member

Please consider the following:
1. Have you installed the API keys (Public/Private) that are required (manage Apps-iSIGHT Partners-Set up) and set a start date to receive indicators? Contact iSIGHT Partners (https://www.isightpartners.com/act-today/request-proof-concept/) to get keys.
2. Set either Indicators and Warnings or Indicators of Compromise or Vulnerability checkboxes? Need at least one.
3. Examine the indexes; has isightpartners been created (Settings-Data-Indexes)? If not, may want to re-install.
4. Should see results when you execute from either Search & Reporting or this app: Search (index=isight*)

When app is installed, make sure enough time is allotted to allow API to make call to iSIGHT cloud (api.isightpartners.com). Should begin immediately followed by cron job you've configured. Do you have a proxy that could prevent successful connection to iSIGHT? If so, need to specify in Set Up.

From browser, type: https://api.isightpartners.com. Should get error response that you haven't authenticated properly, but at least are communicating with servers (i.e. not a network problem):

message
{"success": false, "message": {"error": "resourceNotFound", "description": "The resource does not exist.", "url": "”}}

Hope this helps with debug. - MJ

0 Karma