Splunk Enterprise Security

Splunk for Enterprise Security 3.2: Why is lookup threatlist_names.csv not populated correctly?

gstefan
Engager

Hi,

My installation is downloading threat lists correctly, but the lookup threatlist_names.csv is not populated correctly. The search "| rest /services/data/inputs/threatlist" produces no results, even though when I go to splunk:8089/services/data/inputs/threatlist it looks correct.
It seems that my installation is not working at all.

Regards

1 Solution

jakewalter
Explorer

I was able to solve this by adding splunk_server=local to the "Threatlists - Threatlist Inventory - Lookup Gen" scheduled search in SA-ThreatIntelligence, so the full search would look like this:

| rest /services/data/inputs/threatlist splunk_server=local | where target="threatlist" AND disabled=0 | rename title as name | table name weight | outputlookup threatlist_names
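
An added cross-check, not part of the thread or of SA-ThreatIntelligence: the script below reproduces what the fixed lookup-gen search is supposed to emit, but builds it from the search head's own REST endpoint (the one the question says looks correct in a browser) instead of from the SPL `rest` command, so the two can be diffed. The hostname, credentials and the feed names in the sample are assumptions; the parsing mirrors the SPL filter (`disabled=0`, `title` as `name`, columns `name` and `weight`).

```python
"""Rebuild threatlist_names.csv straight from the Splunk REST API.

Added example, not code from the thread or from SA-ThreatIntelligence.
Handles both representations of the 'disabled' field: the JSON REST output
returns a boolean, while the SPL rest command shows 0/1.
"""
import base64
import csv
import io
import json
import ssl
import urllib.request


def threatlist_rows(rest_json):
    """Mirror of: where target="threatlist" AND disabled=0 | rename title as name | table name weight.

    `rest_json` is the dict returned by ?output_mode=json. Entries whose
    'disabled' is true/1 are dropped, exactly as the lookup-gen search does.
    """
    rows = []
    for entry in rest_json.get("entry", []):
        content = entry.get("content", {})
        if content.get("disabled") in (True, 1, "1", "true"):
            continue
        rows.append({"name": entry["name"], "weight": str(content.get("weight", ""))})
    return rows


def to_csv(rows):
    """Render rows in the two-column layout of threatlist_names.csv."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["name", "weight"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def fetch_threatlist_inputs(host, user, password, verify_tls=True):
    """Query the search head directly (assumed host/credentials; basic auth).

    count=0 asks for every entry; hitting port 8089 on the search head itself
    is inherently 'local', which is what splunk_server=local restores in SPL.
    """
    url = f"https://{host}:8089/services/data/inputs/threatlist?output_mode=json&count=0"
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {auth}"})
    ctx = None if verify_tls else ssl._create_unverified_context()
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample in the shape of output_mode=json (not real feed data).
SAMPLE = {"entry": [
    {"name": "sample_feed_a", "content": {"disabled": False, "weight": "1"}},
    {"name": "sample_feed_b", "content": {"disabled": False, "weight": "1"}},
    {"name": "sample_disabled_feed", "content": {"disabled": True, "weight": "60"}},
]}

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_threatlist_inputs(...)
    # to compare against the real search head.
    print(to_csv(threatlist_rows(SAMPLE)), end="")
```

If the CSV this produces has rows but `| rest /services/data/inputs/threatlist` in the search bar returns nothing, the `rest` command is being answered by instances other than the search head, which is the situation the `splunk_server=local` fix addresses.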

chris
Motivator

I had the same issue. I also had to manually edit the Threat List Audit View (/app/SplunkEnterpriseSecuritySuite/threat_list_audit) and add a splunk_server=local to the searches that use the rest command.


hexx
Splunk Employee

Just curious but did these issues happen after setting up the Distributed Management Console in distributed mode on your ES search-head?


niemesrw
Path Finder

I had a similar issue - my notable_owners weren't being built because the | rest command returns something different than browsing to the SH via the normal RESTful interface. I reset the DMC and all is well again. Thanks!!!
