Thanks for bringing this to my attention. This has been fixed in the latest release. ... View more

The app pulls the threat feeds down 4x per day. has the app been running that long? also check the troubleshooting tab ... View more

This doesn't work, at least in version 7 ... View more

I did not find a resolution to this, so as a work around to push through the app certification process I commented out all the references to email alerts and actions. ... View more

System12, given an accessible URL, it's just a matter of adding a function for a new threat feed in the code. Do you have something particular in mind you can share? ... View more

Agreed. It looked like from OP's post maybe a heavy forwarder isn't in the environment. If you just have indexers and search heads, I'd put optiv_TA_threat on a single search head. Also, don't forget to create an optiv index if you haven't already. Read the readme.pdf carefully for more details. ... View more

There are four files to edit when using a different file path. See this other thread please: https://answers.splunk.com/answers/374894/how-to-configure-the-optiv-threat-intel-app-on-win.html Specifically the BAT file listed is what you'll need the path corrected. ... View more

I answered this in the other thread but here goes for completeness: Dev here. I am getting the same thing. AlienVault changed something with their feed. I am working on a new release to address some issues. In the meantime, try this: Open optiv_threat_lists.py Go to line 817 Comment out the line specified. raw_threatlist = getUrl(urlList[4].strip('\n'),'true') #if len(str(raw_threatlist)) > 3: #parseAlienVault(raw_threatlist) ^^^^^Put a hash mark in front of parseAlienVault Restart splunk. Just tested it and it fixed the issue for me. I am not sure why ZeuS wasn't showing up for you when you posted this, it just worked for me a few minutes ago however. Perhaps the site briefly went down. ... View more

Please run a .\splunk diag on any Splunk servers running the Optiv app. I have provided a box link to upload to. I am especially interested in the optiv_threat_lists*.log file in %SPLUNK_HOME%\var\log\splunk/ ... View more

For 2, you are going to need the optiv index on your indexers. There's an indexes.conf included in the app to help with this. Could you post the contents of the troubleshooting tab? A healthy set of connections would look something like this: [*] Script Started at: 08-31-2016 09:09:19 GMT [*] Script version: 3.00 URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt Finished retrieving 809 IPs from SpamHaus. Finished retrieving 23 IPs from Dshield. Finished retrieving 692 IPs from Feodo. URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt Finished retrieving 1224 Emerging Threats Compromised IPs. URL: http://www.binarydefense.com/banlist.txt Finished retrieving 7828 IPs from Binary Defense. URL: http://malc0de.com/bl/IP_Blacklist.txt Finished retrieving 48 malc0de_IPs. URL: https://reputation.alienvault.com/reputation.generic Finished retrieving 12150 IPs from AlienVault. URL: https://check.torproject.org/exit-addresses Finished retrieving 1093 TorExitNodes. URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist Finished retrieving 162 IPs from Zeus. URL: https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist Finished retrieving 14 IPs from Palevo. URL: http://www.openbl.org/lists/base_1days.txt Finished retrieving 150 IPs from Open Blocklist base 1 day. URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt Finished retrieving 211470 HP Hosts by MalwareBytes Domains. URL: http://www.malwaredomainlist.com/hostslist/hosts.txt Finished retrieving 618 Malware Domains. URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt Finished retrieving 141 ISC SANS Suspicious Domains. URL: https://openphish.com/feed.txt Finished retrieving 2757 Open Phish URLs. URL: http://data.phishtank.com/data/online-valid.csv Finished retrieving 34316 Phish Tank URLs. URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt Finished retrieving 329 Bambenek IPs. URL: http://www.talosintel.com/feeds/ip-filter.blf Finished retrieving 12680 Talos Intel IPs. URL: http://malc0de.com/bl/ZONES Finished retrieving 54 Malc0de Domains. URL: http://autoshun.org/files/shunlist.csv URL: http://cinsscore.com/list/ci-badguys.txt Finished retrieving 573 CI Army Badguys IPs. [*] Starting python get alerts script. [*] Looking for old log files to clear. I am wondering if the lookups aren't populating because the search head cannot connect to the URLs containing the threat intelligence sources. The list of URLs to whitelist are in the README.txt at the bottom as well as the troubleshooting tab of the app. If you are getting partial threat lists some network control is blocking the queries (firewall, proxy, ids/ips). If you perform this search you should get something similar. If some threat lists are missing (less than 20) or have counts of zero, check the above. Cheers. index=optiv earliest=-12h | top 50 threat_list_name AlienVault_IP_Blocklist 12147 4.230812 Binary_Defense_IPs 7825 2.725455 CI_Army_Badguys_IPs 572 0.199228 Dshield_Top_Attackers 20 0.006966 Emerging_Threats_Compromised_IPs 1224 0.42632 Feodo 692 0.241024 HP_Hosts_By_MalwareBytes 211468 73.654513 ISC_SANS_Suspicious 140 0.048762 Malware_Domains 617 0.214902 OpenBL_1day 149 0.051897 Open_Phish_URLs 2756 0.959918 Palevo_CandC 14 0.004876 Phish_Tank_URLs 34315 11.951948 Spamhaus_Drop_Nets 809 0.281775 TorExitNodes 1092 0.380345 Zeus 162 0.056425 bambenekIPs 328 0.114243 malc0de_Domains 53 0.01846 malc0de_IPs 47 0.01637 talos_intel_IPs 12678 4.41576 ... View more

Update macros.con with your index names in local: Example: [network_index_one] disabled = 0 definition = index=pan_logs Create app.conf in local: Example [default] [install] is_configured = 1 Create savedsearches.conf in local: [Optiv Threat List Hit on Destination IP Email Alert - Index 1] disabled = 0 action.email.to = my_new_security_team@example.com cron_schedule = 35 2,14 * * * ... View more

There isn't an app setting for proxy config, can you try the built-in Splunk conf file that specifies proxies? http://docs.splunk.com/Documentation/Splunk/6.4.2/Admin/Specifyaproxyserver ... View more

Dev here- are you editing the saved search as admin? If this issue persists please try restarting Splunk. Otherwise you can edit the search in optiv_threat_intel/default, then copy the stanza you want and paste it into local and make your changes there. Good luck. ... View more

Make sure ES is importing the app properly, see this thread for more info http://docs.splunk.com/Documentation/ES/3.3.0/Install/InstallTechnologyAdd-ons#Add_a_custom_add-on_to_the_ES_app ... View more

John, Please check for the existence of these files in the default directory transforms.conf: [dnsLookup] ## this stanza name will be called by your entry in props.conf and IS case sensitive external_cmd = external_lookup.py host ip fields_list = host, ip commands.conf: [dnslookup] filename=dnslookup.py run_in_preview = true in the /bin folder there needs to be a dnslookup.py ... View more

John, I am showing a different inputs.conf in my 2.80 directory. This is what I have: [monitor://$SPLUNK_HOME\var\log\splunk\optiv_*.log] ignoreOlderThan=3d crcSalt=<SOURCE> index=optiv sourcetype=optiv_threat_list disabled=0 [script://./bin/starter_script.sh] #[script://$SPLUNK_HOME/etc/apps/optiv_threat_intel/bin/starter_script.sh] #8 hours interval=28800 #interval=300 index=optiv disabled=0 In your stanza listed above we're missing a key/value pair for crcSalt. Should we try blowing away the app and a clean reinstall with the latest version? Also, what does the Troubleshooting section of the app show? ... View more

index=optiv is created by the file default/indexes.conf the index name can be adjusted there. if you do so make sure and change the optiv_index definition in macros.conf as well. ... View more

Error code 500 is an HTTP "internal server error" "Page not found" is equivalent to an HTTP 404 error. So if you do the curl command without the --proxy parameter, does it not work? Are there any significant delays to any of the downloads via curl? The python code is using the urllib2 library. I'm trying to isolate if it's a timeout of some sort, or if I need to look at adding organizational proxy support in some manner. ... View more

Since most of the lists are pulling, it's probably not a proxy issue. Let's see if it keeps giving the same error during the next cycle which should be in the next couple hours. If you want to run it manually you can restart splunk, or run the command: /opt/splunk/bin/splunk cmd python /opt/splunk/etc/optiv_threat_intel/bin/optiv_threat_lists.py Some of the lists' web sites have been spotty lately, especially ZeuS. I do have pretty recent data on all of the lists on my end - as of two hours ago: [*] Script Started at: 12-16-2015 17:53:41 GMT [*] Script version: 2.10 URL: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt Finished retrieving 705 IPs from SpamHaus. Finished retrieving 23 IPs from Dshield. Finished retrieving 371 IPs from Feodo. URL: http://rules.emergingthreats.net/blockrules/compromised-ips.txt Finished retrieving 1051 Emerging Threats Compromised IPs. URL: http://www.binarydefense.com/banlist.txt Finished retrieving 13322 IPs from Binary Defense. URL: http://malc0de.com/bl/IP_Blacklist.txt Finished retrieving 941 malc0de_IPs. URL: https://reputation.alienvault.com/reputation.generic Finished retrieving 125660 IPs from AlienVault. URL: https://check.torproject.org/exit-addresses Finished retrieving 1122 TorExitNodes. URL: https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist Finished retrieving 189 IPs from Zeus. URL: https://palevotracker.abuse.ch/blocklists.php?download=ipblocklist Finished retrieving 17 IPs from Palevo. URL: http://www.openbl.org/lists/base_1days.txt Finished retrieving 123 IPs from Open Blocklist base 1 day. URL: http://avant.it-mate.co.uk/dl/Tools/hpHosts/hosts.txt Finished retrieving 168239 HP Hosts by MalwareBytes Domains. URL: http://www.malwaredomainlist.com/hostslist/hosts.txt Finished retrieving 766 Malware Domains. URL: https://isc.sans.edu/feeds/suspiciousdomains_High.txt Finished retrieving 4167 ISC SANS Suspicious Domains. URL: https://openphish.com/feed.txt Finished retrieving 3358 Open Phish URLs. URL: http://data.phishtank.com/data/online-valid.csv Finished retrieving 26219 Phish Tank URLs. URL: http://osint.bambenekconsulting.com/feeds/c2-ipmasterlist.txt Finished retrieving 255 Bambenek IPs. URL: http://www.talosintel.com/feeds/ip-filter.blf Finished retrieving 43902 Talos Intel IPs. [*] Executing get alerts script. ... View more

I can't answer how to set up a symlink, but I did to a find in files in my app and if you find and replace these lines with the path of your Splunk installation you should be set: grep -rnw '.' -e "/opt/splunk" ./bin/getalerts.py:38: splunk_home = '/opt/splunk' ./bin/starter_script.sh:5:THREAT_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/optiv_threat_lists.py" ./bin/starter_script.sh:6:RSS_SCRIPT_PATH="/opt/splunk/etc/apps/optiv_threat_intel/bin/getalerts.py" ./bin/starter_script.sh:7:#LOG_FOLDER="/opt/splunk/etc/apps/optiv_threat_intel/bin/" ./bin/starter_script.sh:8:LOG_FOLDER="/opt/splunk/var/log/splunk/" ./bin/starter_script.sh:9:PYTHON="/opt/splunk/bin/splunk cmd python" ./bin/optiv_threat_lists.py:64: splunk_home = '/opt/splunk' wherever it says /opt/splunk, sub in your path. ... View more