Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise Security
- :
- Splunk Enterprise Security: How to use a downloade...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Enterprise Security: How to use a downloaded threat intelligence source as a lookup?
Hello,
I added a new threat intelligence source in Splunk Enterprise Security (https://ransomwaretracker.abuse.ch/feeds/csv/ ). The download works fine and the list is stored in /opt/splunk/etc/aps/SA-TreatIntelligence/local/data. Then the list is included in the threat collection 'ip_intel' but at this step, I lose important information which is in the list, but not in the collection.
So I would like to use the downloaded list as a lookup. I tried to create a lookup in SA-ThreatIntelligence/lookpus/ and modified some parameters, but no data is copied in.
Any idea on how to do that?
PS: I am using Splunk 6.2.4 and ES 3.3.2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
There is an app for this, too:
https://splunkbase.splunk.com/app/635
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is
index=firewall[| inputlookup iblocklist_tor.csv]
but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.
Thanks!
Vinod Yadav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
I'm using Enterprise splunk and trying to use the inbuilt threat intel feeds in splunk, let say iblocklist_tor, i have enabled it and it is getting downloaded at path location opt/splunk/etc/aps/SA-TreatIntelligence/local/data. But while i'm doing the lookup for it i'm not able to do it with my firewall logs getting no hits, what i'm trying is
index=firewall[| inputlookup iblocklist_tor.csv]
but not getting any result, the csv getting generated having delimiter as (:). can you please help me out with this hot wot get this done.
Thanks!
Vinod Yadav,Hi Team,
I'm also using splunk enterprise, i have enabled few in built threat intel source,let say iblocklist_tor. I'm seeing the file is getting downloaded with a delimiter as(:). How can i lookup the list of IP addresses in my firewall logs.
I'm trying to search like
index=firewall[| inputlookup iblocklist_tor.csv]
but not getting any event hit. can you please help me out with the steps what i'm missing here.
Thanks!
Vinod Yadav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the info you miss is in an other intel list you can try the all_threat_intel macro to see if you can find the info you are looking for. In the column threat_collection you can find list/macro that the info is in.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I already used the all_threat_intel macro but I miss information too. The list I download has 9 fields and I need them all. (Firstseen (UTC),Threat,Malware,Host,URL,Status,Registrar,IP address(es),ASN(s),Country)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Oliver, did you ever get round to solving this?
I'm having the same issue with http://ransomwaretracker.abuse.ch/feeds/csv/
I've tried renaming the fields using regex and the field transforms, but no luck so far!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I have not resolved this issue. I am still in the same version of Splunk but may be it is better in the last versions...
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
