The threat activity dashboard won't populate in the Splunk Enterprise Security app, although other dashboards (not all) are populated, like the protocol center, useragent, url length.
I created a list with some malicious IPs and URLs (bro logs).
Threat list CSVs are populated in the Splunk folder.
When I do `| inputlookup threatlist_lookup_by_cidr` it returns no results.
It seems that the data is indexed correctly and Splunk can create the datamodels, because I can run searches against the data models.
The threat_Activity datamodel remains in the building state. I assume that's correct?
Does anyone know a solution for how to get the threat activity dashboard populated?