Activity Feed
- Posted Re: How to restore Glass Tables - ES Deployment Template on Splunk Enterprise Security. 04-24-2017 03:57 PM
- Posted Re: Add Threat Intelligence to Enterprise Security search head cluster on Deployment Architecture. 05-12-2016 12:18 PM
- Posted Re: Does SA-SPLICE or the Splunk App for Enterprise Security support certificate-based authentication to TAXII service such as FS-ISAC? on Splunk Enterprise Security. 06-16-2015 10:09 AM
- Posted Re: Regex for extraction between text and second comma on Splunk Search. 07-09-2014 09:52 AM
- Posted Re: what the Referer URL field actually is? on Dashboards & Visualizations. 06-16-2014 09:52 AM
- Posted Re: what the Referer URL field actually is? on Dashboards & Visualizations. 06-13-2014 09:45 AM
04-24-2017 03:57 PM | 1 Karma
Hi Season!
When you say you "cleared" the glasstable, is it safe to assume that this was done using the "clear" action available when editing a glasstable? Or was the glasstable removed/deleted from the system?
There is a way to restore the glasstable but it unfortunately can only be done if you have disk access to the system. If you do have disk access to the system, following the steps below should fix the issue.
These steps will walk you through the removal of the "ess_content_importer" metadata file. This file tracks which apps have had glass table content imported and which have not. Deleting it will force all content to be reimported for all installed apps. That said, the importer will NOT overwrite any existing content, so modifications to existing glass tables will remain unchanged.
1. Delete the "ES Deployment Template" from within the "Saved Glass Tables" dashboard (called "Glass Tables" in the nav bar).
2. Once the glass table has been deleted, navigate to the following directory on disk: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer"
3. Once in this directory, delete the "ess_content_importer" file. Make sure you delete the "ess_content_importer" file (there is no extension for the file) and not the directory. It can be a bit confusing because the file name is the same as the name of the directory that contains it. To be clear, the full path of the file that needs to be removed is: "$SPLUNK_HOME/var/lib/splunk/modinputs/ess_content_importer/ess_content_importer".
Note that this resolution is only needed for the out-of-the-box glass tables because they were shipped within the SplunkEnterpriseSecuritySuite app, which cannot be disabled and re-enabled. To reimport content for any other apps, you can follow the steps outlined in the documentation linked below.
http://docs.splunk.com/Documentation/ES/4.7.0/User/ManageGlassTable#Restore_a_glass_table_that_you_deleted_after_importing_it_as_part_of_an_app_2
Hope this helps! Let me know if it doesn't.
Kindest Regards,
~Brian
05-12-2016 12:18 PM | 1 Karma
Hi clarkwh2 --
The conf file used to store TAXII feed configurations is ../local/inputs.conf. An example entry would look like:
[threatlist://<input_name>]
description = TAXII description
disabled = false
interval = 86400
post_args = collection="<taxii_collection>" earliest="-1y" taxii_username="user" taxii_password="pass"
type = taxii
url = <url to taxii discovery service>
Docs pertaining to the available options for this modular input can be found in SA-ThreatIntelligence, under README/inputs.conf.spec
Hope this helps,
~Brian
06-16-2015 10:09 AM | 1 Karma
Hi nyfaisal --
ES 3.3 currently only supports basic HTTP authentication over HTTP/HTTPS to a TAXII feed. Credentials for the feed can be stored either in the POST Arguments for the Threat Intelligence Download or referenced from the ES Credential Manager. Certificate-based authentication to TAXII feeds via the taxii_cert_pem/taxii_cert_key parameters is not yet supported in Enterprise Security.
~Brian
07-09-2014 09:52 AM | 1 Karma
Hi Bliide --
If I understand you correctly (please correct me if I'm wrong), you would like to capture the following from the above log:
RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638)
And not the entire RegNum field, correct?
RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638), RegisterMsg.cpp line 263 (class CRegisterFromDeviceMsg).
For the former, you can capture it in many different ways, but it would be based on the assumption that there will always be a second period within that field. If there isn't, the regex would likely fail. If you can rely on there always being 2 periods within that field, you may be able to use the following regex to capture that data.
(?<field_name>RegNum\:.*\b\,.*)(?=\,)
However, if you'd rather capture the entire field value you could use the following:
(?<=RegNum\:\s{1})(?<regnum>.*)(?=Handled\:)
Hope this helps!
Kind Regards,
~Brian
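An added example (not part of the original thread) that runs both regexes from the answer above against a constructed sample event, including the single-comma case where the first regex is expected to fail. Splunk's PCRE named-group syntax (?<name>...) is written (?P<name>...) for Python's re module; the trailing "Handled:" field and the one-comma event are constructed assumptions, since the full log line is not shown in the question.

```python
import re
from typing import Dict, Optional

# The two patterns from the answer above. Splunk (PCRE) accepts (?<name>...);
# Python's re module needs (?P<name>...), which is the only change made here.
UP_TO_SECOND_COMMA = re.compile(r"(?P<field_name>RegNum\:.*\b\,.*)(?=\,)")
WHOLE_REGNUM_FIELD = re.compile(r"(?<=RegNum\:\s{1})(?P<regnum>.*)(?=Handled\:)")

# Constructed sample event. Assumption: a "Handled:" field follows the RegNum
# field, as the second regex in the answer implies.
SAMPLE = ("RegNum: 5.100.1, size of 0 bytes is invalid (-2147483638), "
          "RegisterMsg.cpp line 263 (class CRegisterFromDeviceMsg). Handled: true")

# Constructed event with only one comma in the field: the answer notes the
# first regex depends on a second comma being present, so it fails here.
ONE_COMMA = "RegNum: 5.100.1, size of 0 bytes is invalid Handled: false"


def extract_regnum(event: str) -> Dict[str, Optional[str]]:
    """Return what each pattern captures; None when a pattern does not match."""
    partial = UP_TO_SECOND_COMMA.search(event)
    whole = WHOLE_REGNUM_FIELD.search(event)
    return {
        # text from "RegNum:" up to (not including) the second comma
        "field_name": partial.group("field_name") if partial else None,
        # the entire field value between "RegNum: " and "Handled:"
        "regnum": whole.group("regnum").strip() if whole else None,
    }


if __name__ == "__main__":
    for event in (SAMPLE, ONE_COMMA):
        print(extract_regnum(event))
```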
06-16-2014 09:52 AM | 1 Karma
Those appear to be referrers from Google's GMail and Microsoft's Live Mail public email services. If those were set as referrers, then it would likely indicate a user followed a link provided in an email, which they would have had to have opened using their web browsers instead of an email client like Outlook. Additionally, if an employee were to access their corporate email using their web browser, via Outlook Web Access or the like, their browser would generate a referrer header for any links that were followed from within any opened emails.
Hope this helps!
~Brian
06-13-2014 09:45 AM | 3 Karma
Hello --
The HTTP referrer is appended to the HTTP header by the browser whenever a user navigates to a URL from a link in another site. Google is commonly seen as a referrer because many people navigate to websites that they search for using its search engine. For instance, if you search for splunk on google.com and then click on the link to Splunk's homepage, a google referrer will get appended to the HTTP header by your browser.
As far as I know, email clients do not append HTTP referrers for links contained within the email. However, you should be able to track the HTTP referrers for sites that are linking to your site and then attempt to match the results against known bad domains to identify any malicious domains that are linking to your site.
If you're currently using Splunk's Enterprise Security application, it comes preloaded with a bunch of threat intelligence sources that you can use to match against the referrer headers. If you don't currently use Splunk's Enterprise Security application, there are still a number of public domain threat sources you can gather intel from and pass to Splunk for matching.
Hope this helps.
~Brian
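An added example (not from the thread or from Splunk) covering both answers above: it pulls the Referer host out of constructed combined-format access-log lines, flags hosts on a constructed known-bad domain list (including subdomains), and separately marks the webmail referrers that the 06-16-2014 answer says indicate a link followed from an email opened in a browser. The domains, hosts and log lines are all constructed placeholders, not real indicators.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed threat list (placeholder domains, not real indicators).
KNOWN_BAD_DOMAINS = {"bad-links.example", "phish.example.net"}

# Webmail referrer hosts of the kind the 06-16-2014 answer describes (constructed).
WEBMAIL_HOSTS = {"mail.google.com", "mail.live.com"}

# Constructed sample access log in combined log format (referrer is the 2nd quoted
# field after the request line; "-" means the browser sent no Referer header).
SAMPLE_LOG = """\
10.0.0.5 - - [13/Jun/2014:09:45:00 +0000] "GET /index.html HTTP/1.1" 200 512 "https://www.google.com/search?q=splunk" "Mozilla/5.0"
10.0.0.6 - - [13/Jun/2014:09:46:10 +0000] "GET /login HTTP/1.1" 200 734 "https://mail.google.com/mail/u/0/" "Mozilla/5.0"
10.0.0.7 - - [13/Jun/2014:09:47:30 +0000] "GET /login HTTP/1.1" 200 734 "http://cdn.bad-links.example/go?x=1" "Mozilla/5.0"
10.0.0.8 - - [13/Jun/2014:09:48:00 +0000] "GET /about HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""


def referer_host(line: str) -> Optional[str]:
    """Hostname from the Referer field of a combined-format line, or None if absent."""
    parts = line.split('"')          # parts[1] = request, parts[3] = referrer, parts[5] = UA
    if len(parts) < 6 or parts[3] == "-":
        return None
    host = urlparse(parts[3]).hostname
    return host.lower() if host else None


def matches_bad_domain(host: str) -> bool:
    """True when host equals, or is a subdomain of, a listed bad domain."""
    return any(host == d or host.endswith("." + d) for d in KNOWN_BAD_DOMAINS)


def classify_referrers(log_text: str) -> List[Tuple[str, str]]:
    """(host, verdict) per line with a referrer: 'threat', 'webmail' or 'other'."""
    results = []
    for line in log_text.splitlines():
        host = referer_host(line)
        if host is None:
            continue                 # no Referer header: nothing to match against
        if matches_bad_domain(host):
            verdict = "threat"       # referring site is on the known-bad list
        elif host in WEBMAIL_HOSTS:
            verdict = "webmail"      # link was most likely followed from a browser-opened email
        else:
            verdict = "other"
        results.append((host, verdict))
    return results


if __name__ == "__main__":
    for host, verdict in classify_referrers(SAMPLE_LOG):
        print(f"{verdict:8} {host}")
```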