Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Enterprise Security: Why are there empty ES Lookups?

Abbasali_82
New Member
‎12-05-2016 06:57 PM

Hi,

We use Splunk Enterprise Security (ES) and in our DATA Enrichment --> List and look Ups, we have the below lists which are completely blank:

Local Certificate Intel
Local Domain Intel
Local Email Intel
Local File Intel
Local HTTP Intel
Local IP Intel

What i see in the ES dashboard is that legitimate websites (e.g. outlook.live.com) are being flagged under the malicious domains group.

I see ip_intel and file_intel as the most active threat collections. I think these are being flagged incorrectly since these feeds/lists are blank.

Should this go away if i were to disable these lists?
Also is there a recommended source from where i could populate and regularly update these lists.

Help in the right direction would me much appreciated.

Abbas

0 Karma
Reply

jstoner_splunk
Splunk Employee
Splunk Employee
‎12-08-2016 09:43 AM

The local intel lookups are a place where you can place threat intel specific to your organization. The threat downloads coming in from external sites do not hit those lists and lookups but are extracted to threat collections which are seen in the threat artifacts dashboard. I can't speak to the presence of outlook.live.com. You can see the raw files in the SA-ThreatIntelligence subdirectory of what is coming in through the Threat Downloads section.

0 Karma
Reply

season88481
Contributor
‎04-26-2017 04:44 PM

So if I add some IP address on the local_ip_intel lookup file, will they appear on the "threat activity" panel?

0 Karma
Reply

AbubakarShahid
New Member
‎02-09-2018 03:20 PM

I am also wondering the same thing. I know if it in KV (ip_intel or http_intel) then you will see it. but was wondering if its in local is there a back end search at automatically adds it to KV. Let me know if you were ale to figure it out. Would love to hear some feed back.

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...