Change existing intelligence in Splunk Enterprise Security
After you add intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the intelligence you correlate with events is useful.
Disable an intelligence source
Disable an intelligence source to stop downloading information from the source. This also prevents new threat indicators from the disabled source from being added to the threat intelligence collections.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Find the intelligence source.
- Under Status, click Disable.
Disable individual threat artifacts
To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.
Edit an intelligence source
Change information about an existing intelligence source, such as the retention period or the download interval for the source.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Click the name of the intelligence source you want to edit.
- Make changes to the fields as needed.
- Save your changes.
By default, only administrators can edit intelligence sources. To allow non-admin users to edit intelligence sources, see Adding capabilities to a role in the Installation and Upgrade Manual.
Configure threat source retention
Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the threat intelligence was added to Enterprise Security.
The default maximum age is -30d
for 30 days of retention in the KV Store. To remove the data more often, use a smaller number such as -7d
for one week of retention. To keep the data indefinitely, use a blank field. However, if the KV Store collection is stored indefinitely, the .csv files that result from lookup-generating searches can grow large enough to impact search head cluster replication performance. If you manually delete the data from the .csv file, the maximum age timer does not reset based on the edit date, and the data is still removed from the KV Store after the maximum age expires.
- If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Select an intelligence source.
- Change the Maximum age setting using a relative time specifier.
- Enable the retention search for the collection.
- From the Splunk platform menu bar, select Settings and click Searches, reports, and alerts.
- Search for "retention" using the search filter.
- Enable the retention search for the collection that hosts the threat source. All retention searches are disabled by default.
Configure threat intelligence file retention
Configure how long files are stored by Splunk Enterprise Security after processing. Modular inputs managed on the Threat Intelligence Management page handle file parsing of intelligence sources. Modify the settings of the local modular inputs to manage global file retention for intelligence sources, or modify individual settings for each download or upload to more granularly control file retention.
Use the following table to determine the conditions under which Splunk Enterprise Security deletes a file after processing. For files placed into a directory by a script, for example, use the modular input sinkhole.
Sinkhole set for modular input | Sinkhole set for individual file | Result |
---|---|---|
False | False | File not deleted. |
False | True | File deleted. |
True | True | File deleted. |
True | False | File deleted. |
Remove files managed by a specific modular input
Use the sinkhole or the remove unusable settings to selectively remove files managed by a modular input.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
- Select the modular input for the file retention settings that you want to modify.
- For downloaded files, select the
sa_threat_local
modular input. - For uploaded files, select the
da_ess_threat_local
modular input.
- For downloaded files, select the
- Select the Sinkhole check box so that the modular input deletes each file in the directory after processing.
- Select the Remove Unusuable check box so that the modular input deletes a file after processing if it has no actionable intelligence.
- Save your changes.
Remove files associated with a specific download
Use the sinkhole check box to remove files associated with a threat intelligence download.
- From the Enterprise Security menu bar, select Configure > Data Enrichment > Intelligence Downloads.
- Locate the threat intelligence download.
- Select the Sinkhole check box.
- Save your changes.
Remove files associated with a specific upload
When you upload the file, select the sinkhole check box to delete the file after processing.
Verify that you have added intelligence successfully to Splunk Enterprise Security | Example: Add a ransomware threat feed to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.0, 5.3.1, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only
Feedback submitted, thanks!