Splunk Enterprise Security

PhishTank Threat Intelligence Not Writing to Collection

merzinger_prude
Explorer

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't write to any KV store collection. From my understanding, it should write to one of the *_intel KV stores. What else do I need to configure?

1 Solution

merzinger_prude
Explorer

Thanks jawaharas,

I am not able to view the image you posted.

jawaharas
Motivator

Avoid posting your response/query as a new answer. Instead, use the 'Add Comment' option under the corresponding post.

Text version of Parsing options:

Parsing Options-
Delimiting regular expression: ,
Extracting regular expression:
Fields: url:$2,description:"Target: $8 (xref: $3)"
Ignoring regular expression: (^#|^\s*$)
Skip header lines: 1
Intelligence file encoding:

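To make the parsing options above concrete, here is an added Python example (not Splunk's or Enterprise Security's own code) that applies the same delimiting regex, field mapping, ignoring regex and header skip to a constructed PhishTank-style CSV and returns the url/description records that would be written to the collection. The column layout is assumed from PhishTank's public export (phish_id, url, phish_detail_url, submission_time, verified, verification_time, online, target), which is why $2, $3 and $8 map to url, phish_detail_url and target; the order in which ES applies the ignoring regex relative to the header skip is also an assumption. The third constructed row shows the caveat a practitioner should check for: the delimiter is a regular-expression split, not a CSV parser, so a quoted field that itself contains a comma shifts every later column.

```python
import re

# Constructed PhishTank-style CSV for this example (not real PhishTank data).
# Column layout assumed to follow PhishTank's public export:
#   1 phish_id, 2 url, 3 phish_detail_url, 4 submission_time,
#   5 verified, 6 verification_time, 7 online, 8 target
# The third data row deliberately carries a quoted URL containing a comma.
SAMPLE_CSV = """\
phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
# comment line that the ignoring regex should drop
1001,http://login.example-bank.test/verify,http://www.phishtank.com/phish_detail.php?phish_id=1001,2024-01-01T00:00:00+00:00,yes,2024-01-01T01:00:00+00:00,yes,Example Bank

1002,http://update.example-mail.test/,http://www.phishtank.com/phish_detail.php?phish_id=1002,2024-01-02T00:00:00+00:00,yes,2024-01-02T01:00:00+00:00,yes,Other
1003,"http://redirect.example.test/?a=1,b=2",http://www.phishtank.com/phish_detail.php?phish_id=1003,2024-01-03T00:00:00+00:00,yes,2024-01-03T01:00:00+00:00,yes,Other
"""

# The parsing options from the thread, expressed as a dict.
PHISHTANK_PARSING = {
    "delimiting_regex": ",",
    "fields": 'url:$2,description:"Target: $8 (xref: $3)"',
    "ignoring_regex": r"(^#|^\s*$)",
    "skip_header_lines": 1,
}

# name:template pairs; a template may be a double-quoted string that contains commas.
_FIELD_SPEC = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^,]+)')


def parse_field_specs(fields):
    """Turn 'url:$2,description:"Target: $8 (xref: $3)"' into {name: template}."""
    specs = {}
    for m in _FIELD_SPEC.finditer(fields):
        name, template = m.group(1), m.group(2)
        if len(template) >= 2 and template[0] == template[-1] == '"':
            template = template[1:-1]
        specs[name] = template
    return specs


def render(template, columns):
    """Substitute $N (1-indexed column) into a template; an out-of-range N renders empty."""
    def sub(m):
        i = int(m.group(1))
        return columns[i - 1] if 1 <= i <= len(columns) else ""
    return re.sub(r"\$(\d+)", sub, template)


def _data_rows(text, options):
    """Yield (line_number, columns) for each line that survives the ignoring regex
    and the header skip. Assumption: ignored lines are dropped before header lines
    are counted; the sample is ordered so that either order gives the same rows."""
    delim = re.compile(options["delimiting_regex"])
    ignore = re.compile(options["ignoring_regex"])
    skipped = 0
    for lineno, line in enumerate(text.splitlines(), start=1):
        if ignore.search(line):
            continue
        if skipped < options["skip_header_lines"]:
            skipped += 1
            continue
        yield lineno, delim.split(line)


def parse_intel_file(text, options):
    """Return the records the parsing options would produce, one dict per data row."""
    specs = parse_field_specs(options["fields"])
    return [{name: render(t, cols) for name, t in specs.items()}
            for _, cols in _data_rows(text, options)]


def find_misaligned_rows(text, options, expected_columns):
    """Line numbers of data rows whose regex split did not yield the expected
    column count, e.g. a quoted field containing the delimiter."""
    return [lineno for lineno, cols in _data_rows(text, options)
            if len(cols) != expected_columns]


if __name__ == "__main__":
    for rec in parse_intel_file(SAMPLE_CSV, PHISHTANK_PARSING):
        print(rec)
    print("misaligned rows:", find_misaligned_rows(SAMPLE_CSV, PHISHTANK_PARSING, 8))
```

Run stand-alone it prints three records and reports line 6 as misaligned: for that row $8 resolves to the `online` value and $3 to the tail of the quoted URL, so the description silently describes the wrong thing. Running the same column-count check over the downloaded phishtank.csv before trusting the collection contents is a cheap way to catch rows the regex split will mis-map.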

jawaharas
Motivator

@merzinger_prudent
Can you upvote and accept the answer if it's helped you? Thanks.


merzinger_prude
Explorer

Thanks for your help. That worked


jawaharas
Motivator

Parsing options for 'phishtank' intelligence downloads:

[image: parsing options for 'phishtank' intelligence downloads]

Can you accept the answer if it's helped you? Thanks.


merzinger_prude
Explorer

Thanks for your reply. I see the file being downloaded daily to $SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv, however the "threat_group_intel" lookup is empty. Could this be a parsing issue? What should the settings be for Parsing Options under Data Inputs > Intelligence Downloads > phishtank?


jawaharas
Motivator

The 'phishtank' intel data is collected in the 'threat_group_intel' KV store collection.

You can verify the audit events to ensure the threat intelligence is collected by navigating to: Audit -> Threat Intelligence Audit in the ESS app menu.

Also, can you see data in '$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv' file?
