Splunk Enterprise Security Intelligence Github Dat...

joomla · ‎06-23-2023

Hi Team,

I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.

I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"

My configurations are below:

1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.

2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details:

3. Unchecked "Threat Intelligence" Box.

4. File Parser Auto

5. Delimiting regular expression setting as : ,

6. Ignoring regular expression setting as : (^#|^\s*$)

7. field section: mac:$1,vendor:$2

8. skip header lines : 0

with rest configured as default only.

Sample Event showing successful file download:

INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."

What I am missing to see this information in Splunk S.A Intelligence?

Splunk Enterprise Security Intelligence Github Data Pulling- Why can't I see information?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation