Splunk Enterprise Security

Splunk App for Enterprise Security: Why do the Threatintel lookup files not work unless used after the table command?

hcheang
Path Finder

Hello,

I am using the threat intelligence lookup files from the Splunk App for Enterprise Security and the lookup file (e.g. threatintel_by_domain) is giving an error when it is not used after table.

For example,

index=* sourcetype=bluecoat | table cs_host user | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=*

works, but

index=* sourcetype=bluecoat | lookup threatintel_by_domain.csv domain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user

gives error saying The lookup table 'threatintel_by_domain.csv' does not exist or is not available.

All my custom lookup files work without table, but all the lookups in threatintel does not work without table. I've checked the permission and they are all global so it is not an issue with permission.

Any suggestion?

0 Karma

woodcock
Esteemed Legend

You are referencing the lookup by filename but you need to be referencing it by definition. Go to Settings -> Lookup -> Lookup definitions and select the ES app (or "All") in "App Context" and search for threatintel_by_domain.csv in the search box. It will identify the Lookup definition that is associated with that table. When I did this, I found one that it is called threatintel_by_domain. Swap out this value in your search like this:

index=* sourcetype=bluecoat | lookup threatintel_by_domaindomain as cs_host OUTPUT threat_collection | search threat_collection=* | table cs_host user
0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...