Hi Team,
I want support to know why I am not able to see the lookup for my created Threat Intelligence Management source under Splunk Enterprise Security, pulled from GitHub.
I am trying to get MAC addresses and their vendor details as intelligence after using the "Threat Intelligence Management" feature.
My configurations are below:
1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.
2. Input name mac_vendor with description as mac_vendor, type also mac_vendor, with GitHub URL details:
3. Unchecked "Threat Intelligence" Box.
4. File Parser Auto
5. Delimiting regular expression setting: `,`
6. Ignoring regular expression setting: `(^#|^\s*$)`
7. Fields section: `mac:$1,vendor:$2`
8. Skip header lines: 0
The rest is configured as default.
Sample Event showing successful file download:
INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."
What am I missing to see this information in Splunk S.A Intelligence?
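To make the settings listed in the post concrete, here is a small added example (not Splunk's threatlist code and not from the original post) that emulates how a line-oriented source is parsed with exactly those settings: lines matching the ignoring regex are dropped, each remaining line is split on the delimiting regex, and `$1`/`$2` in the fields setting are assumed to refer to the first and second delimited field. The sample lines are constructed. The useful check it adds is the `problems` list: a line whose actual separator is not the configured delimiter (the tab-separated sample below) produces no `vendor` field, so the row is never emitted, which is one thing worth verifying against the downloaded file in `/opt/splunk/var/lib/splunk/modinputs/threatlist/` before looking further.

```python
import re

# Settings copied from the post.
DELIM_REGEX = r","
IGNORE_REGEX = r"(^#|^\s*$)"
FIELDS = "mac:$1,vendor:$2"
SKIP_HEADER_LINES = 0

# Constructed sample data: one file in the expected comma format,
# one in a tab-separated format (the mismatch case).
SAMPLE_COMMA = (
    "# constructed sample: MAC prefix, vendor\n"
    "00:11:22,Example Vendor A\n"
    "\n"
    "aa:bb:cc,Example Vendor B\n"
)
SAMPLE_TAB = "00:11:22\tExample Vendor A\n"


def parse_field_spec(spec):
    """Turn 'mac:$1,vendor:$2' into [('mac', 1), ('vendor', 2)].

    Assumption: $N means the N-th delimited field (1-based).
    """
    mapping = []
    for item in spec.split(","):
        name, ref = item.split(":", 1)
        m = re.fullmatch(r"\$(\d+)", ref.strip())
        if not m:
            raise ValueError("unsupported field reference: %r" % ref)
        mapping.append((name.strip(), int(m.group(1))))
    return mapping


def parse_lines(text, delim_regex=DELIM_REGEX, ignore_regex=IGNORE_REGEX,
                fields=FIELDS, skip_header_lines=SKIP_HEADER_LINES):
    """Emulate a line-oriented parse.

    Returns (rows, problems): rows is a list of dicts keyed by the
    configured field names; problems lists (line number, missing fields)
    for lines that did not split into enough fields.
    """
    mapping = parse_field_spec(fields)
    ignore = re.compile(ignore_regex)
    delim = re.compile(delim_regex)
    rows, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if lineno <= skip_header_lines:
            continue
        if ignore.search(line):          # comment or blank line
            continue
        parts = delim.split(line)
        row, missing = {}, []
        for name, idx in mapping:
            if idx <= len(parts):
                row[name] = parts[idx - 1].strip()
            else:
                missing.append(name)     # delimiter did not match this line
        if missing:
            problems.append((lineno, missing))
            continue
        rows.append(row)
    return rows, problems


if __name__ == "__main__":
    rows, problems = parse_lines(SAMPLE_COMMA)
    print("comma file:", rows, problems)
    rows, problems = parse_lines(SAMPLE_TAB)
    print("tab file with ',' delimiter:", rows, problems)
    rows, problems = parse_lines(SAMPLE_TAB, delim_regex=r"\t")
    print("tab file with '\\t' delimiter:", rows, problems)
```

Running it on the comma-separated sample yields two rows and no problems; running it on the tab-separated sample with the `,` delimiter yields no rows and one problem for line 1 (missing `vendor`), and switching the delimiter to `\t` recovers the row.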