Splunk Enterprise Security

We are attempting to setup local lookup file as a threat intelligence download

Splunk Employee
Splunk Employee

( as per https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Addthreatintelcustomlookup) . and are unable to use this intelligence list with the "inputintelligence" command. Also, we see error like "Failed to read threatlist /opt/splunk/var/lib/splunk/modinputs/threatlist/oculus"

0 Karma

New Member

Can I use "| inputintelligence" in the correlation search ?

| eval TOR="danme_tor_node_list_with_ports"
| lookup "danme_tor_node_list_with_ports" ip as All_Traffic.src_ip OUTPUT ip name
| where isnotnull(ip)

??? still does not work

0 Karma

Splunk Employee
Splunk Employee

you can only use "| inputintelligence" on non-threat intelligence...given it's a local lookup you can just use "| inputlookup" ?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!