Hello,
Retrieving the threatlist through the URL in Enterprise Security, I would like to know if is stored in csv.
have a look in the /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups directory.