I've setup several internal lookup files and made them part of an Intelligence download. I've added in lookup definitions for each file so Splunk can programatically read them as well.
However, Im getting an Invalid Threatlist Stanza error - any thoughts on how to investigate these at all? My only thought is the Threatlist stanza only looks for certain column names within the scope of the lookup file?
The columns available in these internal lookups contain the following:
category type Event.info comment value Country timestamp count
_time stanza disabled type url weight exit_status download_status manager_status run_duration