Troubleshooting
- Use the log file below to troubleshoot the ThreatQuotient Add-on:
$SPLUNK_HOME/var/log/Splunk/ta_threatquotient_add_on_threatq_indicators.log
- To find all unique indicators indexed in Splunk by the Add-On (the Splunk App lets you select a specific time range):
sourcetype="threatq:indicators" | dedup value
- To review the data collected by the Add-On's data inputs, use a query such as:
index=your_index_name sourcetype=threatq_indicators
- Confirm all the saved searches are enabled.
- Confirm the macro is updated as per the settings.
- The scheduler log, which records each run of the saved searches, can be found at the following location:
/opt/splunk/var/log/splunk/scheduler.log
- If the user changes macros for global score and status thresholds, the audit logs can be accessed using the following two saved searches:
Splunk Search for Listing TQ Indicators
index=_internal threatq_score_filter sourcetype="splunkd_ui_access"
index=_internal threatq_score_filter sourcetype="splunkd_access"
- To disable Verify SSL Certification - App versions 2.6.0+
- Navigate to the following file:
$SPLUNK_HOME/etc/apps/ThreatQAppforSplunk/bin/threatq_const.py
- Change VERIFY_SSL to False.
- To disable Verify SSL Certification - Add-On versions 2.6.0+
- Navigate to the following file:
$SPLUNK_HOME/etc/apps/TA-threatquotient-add-on/bin/threatq_const.py
- Change VERIFY_SSL to False.
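The VERIFY_SSL edit above is the same for the App and the Add-On, so one helper covers both. The script below is an added example, not part of the ThreatQuotient App, Add-On or its documentation: it flips the constant in a threatq_const.py-style file, keeps a backup so the change can be reverted, and reads the value back so you can confirm it before restarting Splunk. It assumes the constant is written on its own line as `VERIFY_SSL = True` or `VERIFY_SSL = False`; that layout is an assumption, not taken from the add-on. Keep in mind that setting VERIFY_SSL to False removes the check that the add-on is talking to the genuine ThreatQ host, so treat it as a temporary troubleshooting step rather than a permanent setting.

```shell
#!/bin/sh
# Added example, not code from the ThreatQuotient App/Add-On.
# Assumes the constant appears on its own line as "VERIFY_SSL = True|False".

# set_verify_ssl FILE VALUE
#   Rewrites the VERIFY_SSL line in FILE (threatq_const.py) to VALUE,
#   after saving a timestamped backup next to it.
set_verify_ssl() {
    file="$1"
    value="$2"
    case "$value" in
        True|False) ;;
        *) echo "value must be True or False, got: $value" >&2; return 2 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    grep -q '^VERIFY_SSL[[:space:]]*=' "$file" \
        || { echo "VERIFY_SSL not found in $file" >&2; return 1; }
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    # GNU and BSD sed disagree on -i, so write to a temp file and move it into place
    tmp="$file.tmp.$$"
    sed "s/^VERIFY_SSL[[:space:]]*=.*/VERIFY_SSL = $value/" "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# get_verify_ssl FILE
#   Prints the current VERIFY_SSL value (True/False) so the edit can be confirmed.
get_verify_ssl() {
    sed -n 's/^VERIFY_SSL[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1"
}

# Typical use on the Add-On (path from the documentation above):
#   set_verify_ssl "$SPLUNK_HOME/etc/apps/TA-threatquotient-add-on/bin/threatq_const.py" False
#   get_verify_ssl  "$SPLUNK_HOME/etc/apps/TA-threatquotient-add-on/bin/threatq_const.py"
```

Run `get_verify_ssl` against the file after the change, then restart Splunk for the new value to take effect; the `.bak.<timestamp>` copy lets you restore verification once the certificate problem on the ThreatQ side is resolved.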