Splunk Enterprise Security
Highlighted

How to access non-threat Intelligence downloads as a file

Path Finder

I have configured ES to download the list of free webmail-hosting domains below as an intelligence download (Data inputs -> Intelligence Downloads). I don't want to trigger Threat Activity results based on these domains since they include common services like outlook.com, gmail.com, yahoo, etc., so I unchecked the Is Threat Intelligence checkbox when creating the file. It has successfully downloaded the file to splunk/var/lib/splunk/modinputs/threatlist/filename.txt, but I am at a loss for how to get it into a CSV for use in search. I tried to create a lookup definition in the GUI, but I presume that dialog is only able to see CSVs which are in the /lookups directories for various apps.

Does anyone have any suggestions for using my new intelligence file as a lookup? Thanks!

hxxps://gist.githubusercontent.com/tbrianjones/5992856/raw/93213efb652749e226e69884d6c048e595c1280a/freeemailprovider_domains.txt

0 Karma
Highlighted

Re: How to access non-threat Intelligence downloads as a file

Builder
0 Karma
Highlighted

Re: How to access non-threat Intelligence downloads as a file

Path Finder

Thanks-- that's exactly what I was looking for!

Highlighted

Re: How to access non-threat Intelligence downloads as a file

Builder

glad to hear!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.