Splunk Enterprise Security

URL-based threat source : where is CSV/lookup file stored?

koshyk
Super Champion

As per the URL
http://docs.splunk.com/Documentation/ES/4.2.0/User/Configureblocklists

We are looking for : Add a URL-based threat source -> Threat Intelligence Downloads.
After configuring we wanted to check if it has worked. Where is the final lookup/csv file cached/stored?

0 Karma
1 Solution

koshyk
Super Champion

Found the issue. In an SHC cluster, though we have created a "lookups" directory in the deployer and pushed it to the SHC members, the lookup directory won't be created unless there is a file in it!! (I feel it is a bug).
So the first time, we had to create a dummy CSV file and then redeploy again from the Deployer, and it creates it in the SHC members. Afterwards, when the "remote URL" runs, it will start fetching the new CSV file and overwrite the first-time lookup file. Then it will be shown in "Lookups -> Lookup table files" as well as in Enterprise Security "Threat Intelligence Audit".


0 Karma
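The workaround in the accepted answer, as an added shell example that is not part of the thread: on the deployer, make sure the app's `lookups` directory contains at least one CSV before pushing the bundle, since an empty directory is not propagated to the search head cluster members, and then check on a member that the directory arrived. The app path, the placeholder file name and the header row are assumptions; any file will do, because the scheduled threat-list download overwrites it.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the deployer before
# "splunk apply shcluster-bundle"; the check function can be run on a member.
set -eu

# Create the lookups directory and a header-only placeholder CSV if the
# directory is empty. Prints "created" or "present".
#   $1 = app root on the deployer, e.g.
#        $SPLUNK_HOME/etc/shcluster/apps/SA-ThreatIntelligence (assumed path)
#   $2 = placeholder file name (assumed; the download replaces it entirely)
ensure_lookup_placeholder() {
    app_dir="$1"
    name="${2:-placeholder_threatlist.csv}"
    lookups="$app_dir/lookups"
    mkdir -p "$lookups"
    if [ -z "$(ls -A "$lookups" 2>/dev/null)" ]; then
        # Minimal header (constructed); ES will overwrite this file with the
        # real feed once the URL-based threat source runs.
        printf 'ip,description\n' > "$lookups/$name"
        echo "created"
    else
        echo "present"
    fi
}

# On a cluster member: count the CSV lookup files that actually arrived under
# $1/lookups (for example etc/apps/SA-ThreatIntelligence as named in the thread).
count_csv() {
    find "$1/lookups" -maxdepth 1 -name '*.csv' 2>/dev/null | wc -l | tr -d ' '
}

# Typical use on the deployer (SPLUNK_HOME and member URI are placeholders):
#   ensure_lookup_placeholder "$SPLUNK_HOME/etc/shcluster/apps/SA-ThreatIntelligence"
#   "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle -target https://<member>:8089 -auth admin:<password>
# Then on a member:
#   count_csv "$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence"
```

After the bundle is pushed, a non-zero count on each member confirms the directory exists; once the threat source has run, the placeholder is replaced and the file also appears under Lookups -> Lookup table files and in the Threat Intelligence Audit dashboard, as the answer describes.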


dperre_splunk
Splunk Employee

Click Lookups | Lookup table files | Have a look in there and all the threat feeds / folders will be present.

0 Karma

dperre_splunk
Splunk Employee

If you are running linux can you look for the following folder in your App folder on the Enterprise Security Search head?

etc/apps/SA-ThreatIntelligence/lookups

That is where all the threatintel feeds are. If it is not there you will need to install the app from the Enterprise Security App. Just extract it from the SPL. Hope this helps.

0 Karma

koshyk
Super Champion

It is not present in the list (e.g. even the built-in lookup Alexa top 1 million site CSV is not present).

0 Karma