Security

Splunk Enterprise Security Intelligence Github Data Pulling- Why can't I see information?

joomla
Engager

Hi Team,

 

I want support to know why I am not able to see lookup for my created Threat Intelligence Management Source under Splunk Enterprise Security pulled from Github.

I am trying to get mac and its vendor details as intelligence after using the feature of "Threat Intelligence Management"

 

My configurations are below:

 

1. Creation of source under Threat Intelligence Manager with "Line Oriented" selection.

2. Input name mac_vendor with description as mac_vendor, type also mac_vendor with Github URL details: 

3. Unchecked "Threat Intelligence" Box.

4. File Parser Auto

5. Delimiting regular expression setting as : ,

6. Ignoring regular expression setting as : (^#|^\s*$)

7. field section: mac:$1,vendor:$2

8. skip header lines : 0

with rest configured as default only.

Sample Event showing successful file download:

INFO pid=28775 tid=MainThread file=threatlist.py:download_threatlist_file:549 | stanza="mac_ioc" retries_remaining="3" status="threat list downloaded" file="/opt/splunk/var/lib/splunk/modinputs/threatlist/mac_ioc" bytes="678565" url="https://gist.githubusercontent.com/aallan/b4bb86db86079509e6159810ae9bd3e4/raw/846ae1b646ab0f4d646af..."

What I am missing to see this information in Splunk S.A Intelligence?

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...