For 2, you are going to need the optiv index on your indexers. There's an indexes.conf included in the app to help with this. Could you post the contents of the troubleshooting tab? A healthy set of connections would look something like this:
[*] Script Started at: 08-31-2016 09:09:19 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1224 Emerging Threats Compromised IPs.
URL: http://www.binarydefense.com/banlist.txt
Finished retrieving 7828 IPs from Binary Defense.
URL: http://malc0de.com/bl/IP_Blacklist.txt
Finished retrieving 48 malc0de_IPs.
URL: https://reputation.alienvault.com/reputation.generic
Finished retrieving 12150 IPs from AlienVault.
URL: https://check.torproject.org/exit-addresses
Finished retrieving 1093 TorExitNodes.
URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
Finished retrieving 162 IPs from Zeus.
URL: https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist
Finished retrieving 14 IPs from Palevo.
URL: http://www.openbl.org/lists/base_1days.txt
Finished retrieving 150 IPs from Open Blocklist base 1 day.
URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt
Finished retrieving 211470 HP Hosts by MalwareBytes Domains.
URL: http://www.malwaredomainlist.com/hostslist/hosts.txt
Finished retrieving 618 Malware Domains.
URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt
Finished retrieving 141 ISC SANS Suspicious Domains.
URL: https://openphish.com/feed.txt
Finished retrieving 2757 Open Phish URLs.
URL: http://data.phishtank.com/data/online-valid.csv
Finished retrieving 34316 Phish Tank URLs.
URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt
Finished retrieving 329 Bambenek IPs.
URL: http://www.talosintel.com/feeds/ip-filter.blf
Finished retrieving 12680 Talos Intel IPs.
URL: http://malc0de.com/bl/ZONES
Finished retrieving 54 Malc0de Domains.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 573 CI Army Badguys IPs.
[*] Starting python get alerts script.
[*] Looking for old log files to clear.
I am wondering if the lookups aren't populating because the search head cannot connect to the URLs containing the threat intelligence sources. The list of URLs to whitelist is in the README.txt at the bottom, as well as in the troubleshooting tab of the app. If you are getting partial threat lists, some network control is blocking the queries (firewall, proxy, IDS/IPS).
If you perform this search, you should get something similar. If some threat lists are missing (fewer than 20) or have counts of zero, check the above. Cheers.
index=optiv earliest=-12h | top 50 threat_list_name
threat_list_name count percent
AlienVault_IP_Blocklist 12147 4.230812
Binary_Defense_IPs 7825 2.725455
CI_Army_Badguys_IPs 572 0.199228
Dshield_Top_Attackers 20 0.006966
Emerging_Threats_Compromised_IPs 1224 0.42632
Feodo 692 0.241024
HP_Hosts_By_MalwareBytes 211468 73.654513
ISC_SANS_Suspicious 140 0.048762
Malware_Domains 617 0.214902
OpenBL_1day 149 0.051897
Open_Phish_URLs 2756 0.959918
Palevo_CandC 14 0.004876
Phish_Tank_URLs 34315 11.951948
Spamhaus_Drop_Nets 809 0.281775
TorExitNodes 1092 0.380345
Zeus 162 0.056425
bambenekIPs 328 0.114243
malc0de_Domains 53 0.01846
malc0de_IPs 47 0.01637
talos_intel_IPs 12678 4.41576
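As an added example (not part of the original answer or of the Optiv app itself), here is a small Python script that applies the two checks from the reply above without touching the network: it walks a pasted copy of the troubleshooting-tab output and flags any URL that was attempted but never produced a "Finished retrieving" line (the autoshun feed in the quoted log is exactly that case), and it parses the `top 50 threat_list_name` results to flag zero counts or fewer than 20 lists. The sample log and sample search rows are constructed for this example; the `http://feed.example.invalid/` feed and its `Example_Feed` row are made up to show the zero-count case.

```python
import re

# Constructed sample modelled on the troubleshooting-tab output quoted above.
# The autoshun URL has no "Finished retrieving" line (blocked or timed out), and
# the example.invalid feed is a made-up entry that returns zero records.
SAMPLE_LOG = """\
[*] Script Started at: 08-31-2016 09:09:19 GMT
[*] Script version: 3.00
URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
Finished retrieving 809 IPs from SpamHaus.
Finished retrieving 23 IPs from Dshield.
Finished retrieving 692 IPs from Feodo.
URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
Finished retrieving 1224 Emerging Threats Compromised IPs.
URL: http://autoshun.org/files/shunlist.csv
URL: http://cinsscore.com/list/ci-badguys.txt
Finished retrieving 573 CI Army Badguys IPs.
URL: http://feed.example.invalid/list.txt
Finished retrieving 0 IPs from Example Feed.
[*] Starting python get alerts script.
"""

# Constructed rows in the shape "| top 50 threat_list_name" returns
# (threat_list_name, count, percent); Example_Feed is made up.
SAMPLE_TOP = """\
CI_Army_Badguys_IPs 572 0.199228
Dshield_Top_Attackers 20 0.006966
Emerging_Threats_Compromised_IPs 1224 0.42632
Example_Feed 0 0.0
"""

URL_RE = re.compile(r"^URL:\s+(\S+)\s*$")
DONE_RE = re.compile(r"^Finished retrieving (\d+) (.+?)\.?\s*$")


def parse_feed_log(text):
    """Pair each 'URL:' line with the retrieval lines that follow it.

    Returns a list of (url, [(count, label), ...]) in attempt order. One URL
    may yield several lists (the emerging-Block-IPs fetch reports three).
    """
    results = []
    current = None
    for line in text.splitlines():
        m = URL_RE.match(line)
        if m:
            current = (m.group(1), [])
            results.append(current)
            continue
        m = DONE_RE.match(line)
        if m and current is not None:
            current[1].append((int(m.group(1)), m.group(2)))
    return results


def failed_feeds(results):
    """URLs that were attempted but never reported a retrieval: the signature of
    a firewall/proxy/IPS dropping the request."""
    return [url for url, lists in results if not lists]


def empty_feeds(results):
    """Lists that completed but came back with zero entries."""
    return [(url, label) for url, lists in results
            for count, label in lists if count == 0]


def parse_top_output(text):
    """Parse 'name count percent' rows into {threat_list_name: count}."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, count, _percent = parts
        rows[name] = int(count)
    return rows


def check_lookups(top_rows, min_lists=20):
    """The reply's rule of thumb: fewer than 20 lists, or any zero count,
    means the search head probably cannot reach some feed URLs."""
    zero = sorted(name for name, count in top_rows.items() if count == 0)
    return {
        "list_count": len(top_rows),
        "zero_count": zero,
        "healthy": len(top_rows) >= min_lists and not zero,
    }


if __name__ == "__main__":
    feeds = parse_feed_log(SAMPLE_LOG)
    print("no response from:", failed_feeds(feeds))
    print("empty lists:", empty_feeds(feeds))
    print("lookup check:", check_lookups(parse_top_output(SAMPLE_TOP)))
```

Paste the real troubleshooting-tab output into `SAMPLE_LOG` and the real `top` rows into `SAMPLE_TOP`; any URL that shows up under "no response from" is the first thing to test with `curl` from the search head.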