Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

PhishTank Threat Intelligence Not Writing to Collection

merzinger_prude
Explorer
‎08-01-2019 02:56 PM

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't write to any KV store collection. From my understanding, it should write to one of the *_intel KV stores. What else do I need to configure?

Reply
1 Solution
Solved! Jump to solution
Solution

merzinger_prude
Explorer
‎08-05-2019 07:59 AM

Thanks jawaharas,

I am not able to view the image you posted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

merzinger_prude
Explorer
‎08-05-2019 07:59 AM

Thanks jawaharas,

I am not able to view the image you posted.

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-05-2019 05:08 PM

Avoid posting your response/query as new answer. Instead user 'Add Comment' option under corresponding post.

Text version of Parsing options:

Parsing Options-
Demiliting regular expression: ,
Extracting reguarl expression:
Fields: url:$2,description:"Target: $8 (xref: $3)"
Ignoring regular expression: (^#|^\s*$)
Skip header lines: 1
Intelligence file encoding:

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-08-2019 11:08 PM

@merzinger_prudent
Can you upvote and accept the answer if it's helped you? Thanks.

0 Karma
Reply
Solved! Jump to solution

merzinger_prude
Explorer
‎08-10-2019 10:40 AM

Thanks for your help. That worked

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-04-2019 11:51 PM

Parsing options for 'phishtank' intelligence downloads:

parsing options for 'phishtank' intelligence downloads

Can you accept the answer if it's helped you? Thanks.

0 Karma
Reply
Solved! Jump to solution

merzinger_prude
Explorer
‎08-02-2019 05:48 AM

Thanks for your reply. I see the file being downloaded daily to$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv, however the "threat_group_intel" lookup is empty. Could this be a parsing issue? What should the settings be for Parsing Options under Data Inputs>Intelligence Downloads>phishtank?

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-01-2019 10:04 PM

The 'phishttank' intel data is collected in 'threat_group_intel' kvstore collection.

You can verify the audit events to ensure the threat intelligences are collected by navigating to: Audit -> Threat Intelligence Audit in the ESS app menu.

Also, can you see data in '$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv' file?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...