Splunk® Enterprise Security

Administer Splunk Enterprise Security

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Change existing threat intelligence in Splunk Enterprise Security

After you add threat intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the threat intelligence you correlate with events is useful.

Enable or disable a threat intelligence source

Enable or disable a threat intelligence source to prevent your events from matching data in the collections of threat intelligence.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Find the threat intelligence source.
  3. Under Status, click Enable or Disable.

Disable individual threat artifacts

To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.

Edit a threat source

Change information about an existing threat source, such as the retention period or the download interval for a threat source.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  2. Click the name of the threat source you want to edit.
  3. Make changes to the fields as needed.
  4. Save your changes.

By default, only administrators can edit threat sources. To allow non-admin users to edit threat sources, see Adding capabilities to a role in the Installation and Upgrade Manual.

Configure threat source retention

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the intelligence was added to Enterprise Security.

  1. If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.
    1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
    2. Select a threat source.
    3. Change the Maximum age setting using a relative time specifier. For example, -7d or -30d.
  2. Enable the retention search for the collection.
    1. From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
    2. Search for "retention" using the search filter.
    3. Enable the retention search for the collection that hosts the threat source. All retention searches are disabled by default.

Configure threat intelligence file retention

Configure how long files are stored by Splunk Enterprise Security after processing. Modular inputs managed on the Threat Intelligence Management page handle file parsing of threat intelligence sources. Modify the settings of the local modular inputs to manage file retention for intelligence sources.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Select the modular input for the file retention settings that you want to modify.
    1. For downloaded files, select the sa_threat_local modular input.
    2. For uploaded files, select the da_ess_threat_local modular input.
  3. Select the Sinkhole check box so that the modular input deletes each file in the directory after processing.
  4. Select the Remove Unusuable check box so that the modular input deletes a file after processing if it has no actionable intelligence.
  5. Save your changes.
Last modified on 15 August, 2017
Verify that you have added threat intelligence successfully to Splunk Enterprise Security   Managing content in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters