Security

Splunk Enterprise Security Intelligence Github Data Pulling- Why can't I see information?

joomla
Engager

Hi Team,

 

I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.

I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"

 

My configurations are below:

 

1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.

2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details: 

3. Unchecked "Threat Intelligence" Box.

4. File Parser Auto

5. Delimiting regular expression setting as : ,

6. Ignoring regular expression setting as : (^#|^\s*$)

7. field section: mac:$1,vendor:$2

8. skip header lines : 0

with rest configured as default only.

Sample Event showing successful file download:

INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."

What I am missing to see this information in Splunk S.A Intelligence?

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

From Data to Insight: Announcing the Winners of the Splunk Dashboard Contest

Hi Splunkers, First off, thank you to everyone who participated in our very first From Data to Insight: The ...

Splunk Developers: Construct Your Future at the .conf26 Builder Bar

Calling all Splunk architects, platform admins, and app developers: the site is open, and the blueprints are ...

Quick connection discovery mode for forwarders

When a Splunk forwarder loses connectivity to its indexers, it does not always reconnect immediately. In many ...