Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

PhishTank Threat Intelligence Not Writing to Collection

merzinger_prude
Explorer
‎08-01-2019 02:56 PM

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't write to any KV store collection. From my understanding, it should write to one of the *_intel KV stores. What else do I need to configure?

Reply
1 Solution
Solved! Jump to solution
Solution

merzinger_prude
Explorer
‎08-05-2019 07:59 AM

Thanks jawaharas,

I am not able to view the image you posted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

merzinger_prude
Explorer
‎08-05-2019 07:59 AM

Thanks jawaharas,

I am not able to view the image you posted.

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-05-2019 05:08 PM

Avoid posting your response/query as new answer. Instead user 'Add Comment' option under corresponding post.

Text version of Parsing options:

Parsing Options-
Demiliting regular expression: ,
Extracting reguarl expression:
Fields: url:$2,description:"Target: $8 (xref: $3)"
Ignoring regular expression: (^#|^\s*$)
Skip header lines: 1
Intelligence file encoding:

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-08-2019 11:08 PM

@merzinger_prudent
Can you upvote and accept the answer if it's helped you? Thanks.

0 Karma
Reply
Solved! Jump to solution

merzinger_prude
Explorer
‎08-10-2019 10:40 AM

Thanks for your help. That worked

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-04-2019 11:51 PM

Parsing options for 'phishtank' intelligence downloads:

parsing options for 'phishtank' intelligence downloads

Can you accept the answer if it's helped you? Thanks.

0 Karma
Reply
Solved! Jump to solution

merzinger_prude
Explorer
‎08-02-2019 05:48 AM

Thanks for your reply. I see the file being downloaded daily to$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv, however the "threat_group_intel" lookup is empty. Could this be a parsing issue? What should the settings be for Parsing Options under Data Inputs>Intelligence Downloads>phishtank?

0 Karma
Reply
Solved! Jump to solution

jawaharas
Motivator
‎08-01-2019 10:04 PM

The 'phishttank' intel data is collected in 'threat_group_intel' kvstore collection.

You can verify the audit events to ensure the threat intelligences are collected by navigating to: Audit -> Threat Intelligence Audit in the ESS app menu.

Also, can you see data in '$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv' file?

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...