Hello,
I just configured a new Custom Threat Intelligence feed in Splunk Enterprise Security and I'm getting a strange error in the audit view:
2021-11-24 10:31:04,387+0000 ERROR pid=78967 tid=MainThread file=base_modinput.py:execute:820 | Execution failed: 'ThreatlistModularInput' object has no attribute 'file_path'
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 811, in execute
    log_exception_and_continue=True
  File "/opt/splunk/etc/apps/SA-Utils/lib/SolnCommon/modinput/base_modinput.py", line 388, in do_run
    self.run(stanza)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 679, in run
    self.execute_workloads(stanza, args, last_run)
  File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 587, in execute_workloads
    'file_path': self.file_path,
AttributeError: 'ThreatlistModularInput' object has no attribute 'file_path'
The URL of the feed is: https://api.maltiverse.com/collection/uYxZknEB8jmkCY9eQoUJ/download?filetype=splunk-ipv4&token=eyJ0e...
As you can see, it is a CSV where column 1 is the description and column 2 is the IP address, so I filled in the form in the Threat Intelligence module in Splunk ES with the following format:
Field | Value |
File parser | auto |
Delimiting regular expression | , |
Extracting regular expression | |
Fields | description:$1,ip:$2 |
Ignoring regular expression | (^#|^\s*$) |
Skip header lines | 1 |
Intelligence file encoding | UTF8 |
Sinkhole | Yes |
Can anybody help me out?
Thanks in advance
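
An added example, not part of the original post and not Splunk's own parser: a small offline check that applies the form values above to a constructed sample feed, so the parsing settings can be validated separately from the modular input error. It assumes that header lines are skipped first, that the ignoring expression is then tested against each remaining line, and that `$1`/`$2` refer to the columns produced by splitting on the delimiting expression.

```python
import ipaddress
import re

# Settings copied from the form in the post.
DELIM_RE = re.compile(r",")
IGNORE_RE = re.compile(r"(^#|^\s*$)")
FIELDS = "description:$1,ip:$2"
SKIP_HEADER_LINES = 1

# Constructed sample feed (documentation address ranges), not real feed data.
SAMPLE_FEED = """description,ip
# constructed comment line
Constructed botnet entry,192.0.2.10

Constructed scanner entry,198.51.100.7
Constructed bad row,not-an-ip
Only one column
Constructed, with comma,203.0.113.5
"""

def parse_field_spec(spec):
    """Turn 'description:$1,ip:$2' into {'description': 0, 'ip': 1}."""
    mapping = {}
    for item in spec.split(","):
        name, ref = item.split(":", 1)
        mapping[name.strip()] = int(ref.strip().lstrip("$")) - 1
    return mapping

def parse_feed(text):
    """Return (rows, rejected) under the assumed parsing order."""
    mapping = parse_field_spec(FIELDS)
    rows, rejected = [], []
    lines = text.splitlines()[SKIP_HEADER_LINES:]
    for lineno, line in enumerate(lines, start=SKIP_HEADER_LINES + 1):
        if IGNORE_RE.search(line):
            continue  # comment or blank line
        cols = DELIM_RE.split(line)
        if max(mapping.values()) >= len(cols):
            rejected.append((lineno, "too few columns"))
            continue
        row = {name: cols[idx].strip() for name, idx in mapping.items()}
        try:
            # Accept single addresses and CIDR ranges, reject anything else.
            ipaddress.ip_network(row["ip"], strict=False)
        except ValueError:
            rejected.append((lineno, "invalid ip"))
            continue
        rows.append(row)
    return rows, rejected
```

The last sample row shows that a description containing a comma shifts the columns, so the `ip` field no longer holds an address and the row is rejected.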