Splunk® Enterprise Security

Administer Splunk Enterprise Security


Change existing intelligence in Splunk Enterprise Security

After you add intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the intelligence you correlate with events is useful.

Disable an intelligence source

Disable an intelligence source to stop downloading information from the source. This also prevents new threat indicators from the disabled source from being added to the threat intelligence collections.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
  2. Find the intelligence source.
  3. Under Status, click Disable.

Disable individual threat artifacts

To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.

Edit an intelligence source

Change information about an existing intelligence source, such as the retention period or the download interval for the source.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
  2. Click the name of the intelligence source you want to edit.
  3. Make changes to the fields as needed.
  4. Save your changes.

By default, only administrators can edit intelligence sources. To allow non-admin users to edit intelligence sources, see Adding capabilities to a role in the Installation and Upgrade Manual.

Configure threat source retention

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the threat intelligence was added to Enterprise Security.

The default maximum age is -30d for 30 days of retention in the KV Store. To remove the data more often, use a smaller number such as -7d for one week of retention. To keep the data indefinitely, use a blank field. However, if the KV Store collection is stored indefinitely, the .csv files that result from lookup-generating searches can grow large enough to impact search head cluster replication performance. If you manually delete the data from the .csv file, the maximum age timer does not reset based on the edit date, and the data is still removed from the KV Store after the maximum age expires.

  1. If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.
    1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
    2. Select an intelligence source.
    3. Change the Maximum age setting using a relative time specifier.
  2. Enable the retention search for the collection.
    1. From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
    2. Search for "retention" using the search filter.
    3. Enable the retention search for the collection that hosts the threat source. All retention searches are disabled by default.
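The following Python script is an added example, not the retention search that ships with Enterprise Security or any Splunk code. It models the rule described above: the Maximum age field holds a Splunk relative time specifier such as -30d, a blank field keeps data indefinitely, and age is measured from the time an indicator was added, not from any later edit. The record layout (a time_added epoch field and a _key field) and the sample indicators are constructed for the example and are not the exact schema of the ES threat intelligence collections; the parser handles plain "-<n><unit>" specifiers only and does not support snap-to modifiers such as @d.

```python
"""Model of the Maximum age retention rule for threat intelligence.

Added example, not Enterprise Security's own retention search. It parses
the relative-time specifier from the Maximum age field (for example "-30d",
"-7d", "-12h") and lists the records whose time_added is older than the
cutoff. A blank specifier means keep indefinitely.
"""
import re
import time

# Seconds per unit for the suffixes this example accepts.
# Assumption: plain "-<n><unit>" forms only; snap-to modifiers such as "@d"
# from Splunk's relative-time syntax are not handled here.
_UNITS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
    "w": 604800, "week": 604800, "weeks": 604800,
}
_SPEC = re.compile(r"^-(\d+)([a-z]+)$")


def max_age_seconds(spec):
    """Convert a Maximum age specifier such as "-30d" to seconds.

    Returns None for a blank field, which the page documents as "keep
    indefinitely". Raises ValueError for anything that is not a negative
    relative-time offset, so a typo in the field fails loudly instead of
    silently keeping stale indicators forever.
    """
    spec = (spec or "").strip()
    if not spec:
        return None
    m = _SPEC.match(spec)
    if not m or m.group(2) not in _UNITS:
        raise ValueError("unsupported relative time specifier: %r" % spec)
    return int(m.group(1)) * _UNITS[m.group(2)]


def expired_keys(records, spec, now=None):
    """Return the _key values that the retention rule would remove.

    Age is measured from time_added (the epoch time the indicator was
    added), never from a later edit, which is the behaviour the page
    describes for the maximum age timer.
    """
    limit = max_age_seconds(spec)
    if limit is None:
        return []
    now = time.time() if now is None else now
    cutoff = now - limit
    return [r["_key"] for r in records if r["time_added"] < cutoff]


# Constructed sample collection (field names and values are made up for
# this example; they are not the real ES collection schema).
NOW = 1604620800  # 2020-11-06 00:00:00 UTC, the page's last-modified date
SAMPLE = [
    {"_key": "ip-1", "ip": "198.51.100.7", "time_added": NOW - 5 * 86400},
    {"_key": "ip-2", "ip": "203.0.113.9", "time_added": NOW - 10 * 86400},
    {"_key": "dom-1", "domain": "bad.example", "time_added": NOW - 45 * 86400},
]

if __name__ == "__main__":
    for spec in ("-30d", "-7d", ""):
        print("Maximum age %-6r removes: %s" % (spec, expired_keys(SAMPLE, spec, now=NOW)))
```

With the sample data, -30d removes only the 45-day-old domain, -7d also removes the 10-day-old address, and a blank field removes nothing. A real deployment relies on the retention search for the collection being enabled, as in step 2 above; the Maximum age value on its own does nothing.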

Configure threat intelligence file retention

Configure how long files are stored by Splunk Enterprise Security after processing. Modular inputs managed on the Threat Intelligence Management page handle file parsing of intelligence sources. Modify the settings of the local modular inputs to manage global file retention for intelligence sources, or modify individual settings for each download or upload to more granularly control file retention.

Use the following table to determine the conditions under which Splunk Enterprise Security deletes a file after processing. A file is deleted if the sinkhole setting is enabled for either the modular input or the individual file; it is kept only when both are disabled. For files placed into a directory by a script, for example, use the modular input sinkhole.

  Sinkhole set for modular input   Sinkhole set for individual file   Result
  False                            False                              File not deleted.
  False                            True                               File deleted.
  True                             True                               File deleted.
  True                             False                              File deleted.

Remove files managed by a specific modular input

Use the sinkhole or the remove unusable settings to selectively remove files managed by a modular input.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Select the modular input for the file retention settings that you want to modify.
    1. For downloaded files, select the sa_threat_local modular input.
    2. For uploaded files, select the da_ess_threat_local modular input.
  3. Select the Sinkhole check box so that the modular input deletes each file in the directory after processing.
  4. Select the Remove Unusable check box so that the modular input deletes a file after processing if it has no actionable intelligence.
  5. Save your changes.

Remove files associated with a specific download

Use the sinkhole check box to remove files associated with a threat intelligence download.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
  2. Locate the threat intelligence download.
  3. Select the Sinkhole check box.
  4. Save your changes.

Remove files associated with a specific upload

When you upload the file, select the sinkhole check box to delete the file after processing.

Last modified on 06 November, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only
