Under Threat Intelligence Management it looks like this:

Name                   Directory
da_ess_threat_default  $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/default/data/threat_intel
da_ess_threat_local    $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel
local_lookups          ignored
sa_threat_local        $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
The lookups in question are currently in the app/lookups dir.
The events that I am trying to get picked up into the "threat_activity" index are watchguard logs like this:
Apr 10 13:32:11 -FB-02 *1016F5DC (2018-04-10T03:32:11) http-proxy[2256]: msg_id="1AFF-0024" Allow 2-Inside 5-Uecomm10 tcp 172...* 212...* 51153 80 msg="HTTP request" proxy_act="HTTP-Client.3" op="GET" dstname="api.wipmania.com" arg="/jsonp?callback=jQuery191009073215578267857_1523331069485&_=1523331069486" sent_bytes="442" rcvd_bytes="602" elapsed_time="0.657724 sec(s)" app_id="128" app_cat_id="13" app_name="Microsoft Edge" app_cat_name="Web services" reputation="1" reason="262189" action="allow" (HTTP-proxy-00)
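As an added example (not code from the post, Splunk ES or WatchGuard), here is a small Python parser for an http-proxy line like the one above that matches `dstname` against a domain threat list the way a threat-intel lookup would; the sample line, the IP addresses and the list entries are constructed placeholders.

```python
import re
from typing import Dict, List, Set

# Constructed sample modelled on the WatchGuard http-proxy event quoted in the post
# (the redacted IPs in the post are replaced with placeholder addresses).
SAMPLE_LINE = (
    'Apr 10 13:32:11 -FB-02 *1016F5DC (2018-04-10T03:32:11) http-proxy[2256]: '
    'msg_id="1AFF-0024" Allow 2-Inside 5-Uecomm10 tcp 172.16.0.10 212.0.0.5 51153 80 '
    'msg="HTTP request" proxy_act="HTTP-Client.3" op="GET" dstname="api.wipmania.com" '
    'arg="/jsonp?callback=x" sent_bytes="442" rcvd_bytes="602" '
    'elapsed_time="0.657724 sec(s)" app_name="Microsoft Edge" reputation="1" '
    'action="allow" (HTTP-proxy-00)'
)

# Constructed threat list: the kind of domain entries a threat_intel lookup carries.
THREAT_DOMAINS: Set[str] = {"api.wipmania.com", "evil.example"}

# key="value" pairs anywhere in the line
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Positional fields: disposition, src zone, dest zone, proto, src ip, dest ip, ports
POS_RE = re.compile(
    r'\b(Allow|Deny)\s+(\S+)\s+(\S+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)'
)


def parse_watchguard(line: str) -> Dict[str, str]:
    """Extract the quoted key=value fields plus the unquoted positional fields."""
    fields = dict(KV_RE.findall(line))
    m = POS_RE.search(line)
    if m:
        (fields["disposition"], fields["src_zone"], fields["dest_zone"],
         fields["transport"], fields["src_ip"], fields["dest_ip"],
         fields["src_port"], fields["dest_port"]) = m.groups()
    return fields


def domain_matches(fields: Dict[str, str], threat_domains: Set[str]) -> List[str]:
    """Return threat domains that equal dstname or are a parent domain of it."""
    host = fields.get("dstname", "").lower().rstrip(".")
    hits = []
    for d in threat_domains:
        d = d.lower()
        if host == d or host.endswith("." + d):
            hits.append(d)
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_watchguard(SAMPLE_LINE)
    print(parsed["dest_ip"], parsed["dstname"], domain_matches(parsed, THREAT_DOMAINS))
```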