Thanks for your reply. I see the file being downloaded daily to$SPLUNK_BASE/etc/apps/SA-ThreatIntelligence/local/data/threat_intel/phishtank.csv, however the "threat_group_intel" lookup is empty. Could this be a parsing issue? What should the settings be for Parsing Options under Data Inputs>Intelligence Downloads>phishtank?
... View more