Manage UI issues impacting threat intelligence after upgrading Splunk Enterprise Security
Upgrading the Splunk Enterprise Security app to versions 6.4.0 or higher may cause the following issues:
UI may not display some views
The following views are not found:
- Threat intelligence manager is no longer available from the Splunk Enterprise menu bar at Configure > Settings > Data inputs > Threat Intelligence Manager.
- Threat intelligence uploads are no longer available from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Uploads.
Older views are replaced by one integrated interface from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Management. The threat intelligence navigation bar and management page do not display if you have customized the menu bar in Splunk Enterprise Security. See Restore the default navigation or Recover the new view of threat intelligence pages.
Recover the view of threat intelligence pages
Follow these steps to recover the original view of threat intelligence pages:
- In Splunk Enterprise Security, select Configure > General > Navigation to open the Navigation Editor.
- Scroll to the Data Enrichment collection and modify the Identity view to Asset and Identity Management and the link to the following URL:
/app/SplunkEnterpriseSecuritySuite/ess_entity_management
- Modify the link for Threat Intelligence Manager to the following URL:
/app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management
- Remove Threat intelligence Uploads and add Whois Management view with the following URL:
/manager/SplunkEnterpriseSecuritySuite/data/inputs/whois
If you prefer not to restore the default navigation menu, you can append the following path to your Splunk server URL to go directly to the new threat intelligence management page:
/app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management
Health check warnings appear
Health check warnings may appear if deprecated threat intelligence manager inputs are detected upon upgrade to Enterprise Security version 6.4.0.
In previous ES versions, the [threat_intelligence_manager]
stanza acted as a dropbox folder where [threatlist] stanzas and other sources dropped their intelligence documents that were later processed by the threat_intelligence_manager
modular input.
In ES 6.4.0, the threat intelligence manager inputs are no longer required to process the intelligence documents that are downloaded. Instead, intelligence downloads are now directly processed by the threatlist modular input. All threatlist sources need a corresponding [threatlist]
stanza.
To remove the health check warnings, you can migrate these legacy inputs or remove them, if they are no longer required.
You may recreate the legacy inputs as [threatlist]
stanzas for each individual threat intelligence source in the inputs.conf
configuration file. Alternatively, you may remove the threat intelligence manager stanzas in the inputs.conf
file if the legacy inputs are no longer required.
For more information on how the threatlist modular input processes intelligence downloads using workloads, see Configure workloads.
Overwrite asset or identity data with entitymerge in Splunk Enterprise Security | Add threat intelligence to Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2
Feedback submitted, thanks!