Change existing threat intelligence in Splunk Enterprise Security
After you add threat intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the threat intelligence you correlate with events is useful.
Enable or disable a threat intelligence source
Disable a threat intelligence source to stop your events from being matched against the data that source contributes to the threat intelligence collections; enable it again to resume matching.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Find the threat intelligence source.
- Under Status, click Enable or Disable.
Disable individual threat artifacts
To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.
Edit a threat source
Change the settings of an existing threat source, such as its retention period or download interval.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
- Click the name of the threat source you want to edit.
- Make changes to the fields as needed.
- Save your changes.
By default, only administrators can edit threat sources. To allow non-admin users to edit threat sources, see Adding capabilities to a role in the Installation and Upgrade Manual.
Configure threat source retention
Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the intelligence was added to Enterprise Security.
- If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.
  - From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Downloads.
  - Select a threat source.
  - Change the Maximum age setting using a relative time specifier. For example, -7d or -30d.
- Enable the retention search for the collection.
  - From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
  - Search for "retention" using the search filter.
  - Enable the retention search for the collection that hosts the threat source. All retention searches are disabled by default.
Configure threat intelligence file retention
Configure how long files are stored by Splunk Enterprise Security after processing. Modular inputs managed on the Threat Intelligence Management page handle file parsing of threat intelligence sources. Modify the settings of the local modular inputs to manage file retention for intelligence sources.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Select the modular input for the file retention settings that you want to modify.
  - For downloaded files, select the sa_threat_local modular input.
  - For uploaded files, select the da_ess_threat_local modular input.
- Select the Sinkhole check box so that the modular input deletes each file in the directory after processing.
- Select the Remove Unusable check box so that the modular input deletes a file after processing if it has no actionable intelligence.
- Save your changes.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6