Splunk Enterprise Security

We are attempting to setup local lookup file as a threat intelligence download

rbal_splunk
Splunk Employee
Splunk Employee

( as per https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Addthreatintelcustomlookup) . and are unable to use this intelligence list with the "inputintelligence" command. Also, we see error like "Failed to read threatlist /opt/splunk/var/lib/splunk/modinputs/threatlist/oculus"

0 Karma

dzejsonborn
New Member

Can I use "| inputintelligence" in the correlation search ?

| eval TOR="danme_tor_node_list_with_ports"
| lookup "danme_tor_node_list_with_ports" ip as All_Traffic.src_ip OUTPUT ip name
| where isnotnull(ip)

??? still does not work

0 Karma

rbal_splunk
Splunk Employee
Splunk Employee

you can only use "| inputintelligence" on non-threat intelligence...given it's a local lookup you can just use "| inputlookup" ?

0 Karma