Splunk Enterprise Security Intelligence Github Dat...

joomla · ‎06-23-2023

Hi Team,

I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.

I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"

My configurations are below:

1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.

2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details:

3. Unchecked "Threat Intelligence" Box.

4. File Parser Auto

5. Delimiting regular expression setting as : ,

6. Ignoring regular expression setting as : (^#|^\s*$)

7. field section: mac:$1,vendor:$2

8. skip header lines : 0

with rest configured as default only.

Sample Event showing successful file download:

INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."

What I am missing to see this information in Splunk S.A Intelligence?

Splunk Enterprise Security Intelligence Github Data Pulling- Why can't I see information?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation