Security

Splunk Enterprise Security Intelligence Github Data Pulling- Why can't I see information?

joomla
Engager

Hi Team,

 

I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.

I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"

 

My configurations are below:

 

1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.

2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details: 

3. Unchecked "Threat Intelligence" Box.

4. File Parser Auto

5. Delimiting regular expression setting as : ,

6. Ignoring regular expression setting as : (^#|^\s*$)

7. field section: mac:$1,vendor:$2

8. skip header lines : 0

with rest configured as default only.

Sample Event showing successful file download:

INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."

What I am missing to see this information in Splunk S.A Intelligence?

0 Karma
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...