Splunk Enterprise Security

How to access non-threat Intelligence downloads as a file

stroud_bc
Path Finder

I have configured ES to download the list of free webmail-hosting domains below as an intelligence download (Data inputs -> Intelligence Downloads). I don't want to trigger Threat Activity results based on these domains since they include common services like outlook.com, gmail.com, yahoo, etc., so I unchecked the Is Threat Intelligence checkbox when creating the file. It has successfully downloaded the file to splunk/var/lib/splunk/modinputs/threatlist/filename.txt, but I am at a loss for how to get it into a CSV for use in search. I tried to create a lookup definition in the GUI, but I presume that dialog is only able to see CSVs which are in the /lookups directories for various apps.

Does anyone have any suggestions for using my new intelligence file as a lookup? Thanks!

hxxps://gist.githubusercontent.com/tbrianjones/5992856/raw/93213efb652749e226e69884d6c048e595c1280a/free_email_provider_domains.txt

0 Karma
1 Solution

smoir_splunk
Splunk Employee
Splunk Employee
0 Karma

smoir_splunk
Splunk Employee
Splunk Employee
0 Karma

stroud_bc
Path Finder

Thanks-- that's exactly what I was looking for!

smoir_splunk
Splunk Employee
Splunk Employee

glad to hear!

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!