Splunk Enterprise Security

We are attempting to setup local lookup file as a threat intelligence download

rbal_splunk
Splunk Employee
Splunk Employee

( as per https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Addthreatintelcustomlookup) . and are unable to use this intelligence list with the "inputintelligence" command. Also, we see error like "Failed to read threatlist /opt/splunk/var/lib/splunk/modinputs/threatlist/oculus"

0 Karma

dzejsonborn
New Member

Can I use "| inputintelligence" in the correlation search ?

| eval TOR="danme_tor_node_list_with_ports"
| lookup "danme_tor_node_list_with_ports" ip as All_Traffic.src_ip OUTPUT ip name
| where isnotnull(ip)

??? still does not work

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

you can only use "| inputintelligence" on non-threat intelligence...given it's a local lookup you can just use "| inputlookup" ?

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...