Splunk Enterprise Security

alert triggered but ip not available in csv


Hello Folks,

I have enabled a notable in ESapp, which triggers if it finds any IP available from localip_intel.csv.

Now I got a notable for one IP address, which I don't want present in that list.

When I start searching, that IP is not available in localipintel.csv.

But I can see a footprint in the "ESApp" --> "Threat Artifacts" --> "network" dashboard with source path "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/lookups/localip_intel.csv".

What might be causing this false alert from ES_app, where the IP is not available in the source CSV file?

