Splunk Enterprise Security

PhishTank Threat Intelligence Not Writing to Collection

I am trying to enable the out of box PhishTank Threat Intelligence in ES. The file downloads correctly but it doesn't write to any KV store collection. From my understanding, it should write to one of the *_intel KV stores. What else do I need to configure?

1 Solution

Thanks jawaharas,

I am not able to view the image you posted.

View solution in original post

0 Karma

Thanks jawaharas,

I am not able to view the image you posted.

View solution in original post

0 Karma

Motivator

Avoid posting your response/query as new answer. Instead user 'Add Comment' option under corresponding post.

Text version of Parsing options:

Parsing Options-
Demiliting regular expression: ,
Extracting reguarl expression:
Fields: url:$2,description:"Target: $8 (xref: $3)"
Ignoring regular expression: (^#|^\s*$)
Skip header lines: 1
Intelligence file encoding:

0 Karma

Motivator

@merzinger_prudent
Can you upvote and accept the answer if it's helped you? Thanks.

0 Karma

Thanks for your help. That worked

0 Karma

Motivator

Parsing options for 'phishtank' intelligence downloads:

parsing options for 'phishtank' intelligence downloads

Can you accept the answer if it's helped you? Thanks.

0 Karma

Thanks for your reply. I see the file being downloaded daily to$SPLUNKBASE/etc/apps/SA-ThreatIntelligence/local/data/threatintel/phishtank.csv, however the "threatgroupintel" lookup is empty. Could this be a parsing issue? What should the settings be for Parsing Options under Data Inputs>Intelligence Downloads>phishtank?

0 Karma

Motivator

The 'phishttank' intel data is collected in 'threatgroupintel' kvstore collection.

You can verify the audit events to ensure the threat intelligences are collected by navigating to: Audit -> Threat Intelligence Audit in the ESS app menu.

Also, can you see data in '$SPLUNKBASE/etc/apps/SA-ThreatIntelligence/local/data/threatintel/phishtank.csv' file?

0 Karma