Splunk® Enterprise Security

Administer Splunk Enterprise Security

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Change existing intelligence in Splunk Enterprise Security

After you add intelligence to Splunk Enterprise Security, you can make changes to the settings to make sure the intelligence you correlate with events is useful.

Disable an intelligence source

Disable an intelligence source to stop downloading information from the source. This also prevents new threat indicators from the disabled source from being added to the threat intelligence collections.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Find the intelligence source.
  3. Under Status, click Disable.

Disable individual threat artifacts

To prevent individual threat artifacts on a threat list from creating notable events if they match events in your environment, disable individual threat artifacts. If you have command line access to the Enterprise Security search head, you can disable individual threat artifacts using the REST API. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.

Edit an intelligence source

Change information about an existing intelligence source, such as the retention period or the download interval for the source.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Click the name of the intelligence source you want to edit.
  3. Make changes to the fields as needed.
  4. Save your changes.

By default, only administrators can edit intelligence sources. To allow non-admin users to edit intelligence sources, see Adding capabilities to a role in the Installation and Upgrade Manual.

Configure threat source retention

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the threat intelligence was added to Enterprise Security.

The default maximum age is -30d for 30 days of retention in the KV Store. To remove the data more often, use a smaller number such as -7d for one week of retention. To keep the data indefinitely, use a blank field. However, if the KV Store collection is stored indefinitely, the .csv files that result from lookup-generating searches can grow large enough to impact search head cluster replication performance. If you manually delete the data from the .csv file, the maximum age timer does not reset based on the edit date, and the data is still removed from the KV Store after the maximum age expires.

If the threat intelligence source is not a TAXII feed, define the maximum age of the threat intelligence. This field is not used for TAXII feeds.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Select an intelligence source.
  3. Change the Maximum age setting using a relative time specifier.

Configure threat intelligence file retention

Configure how long files are stored by Splunk Enterprise Security after processing. Modular inputs managed on the Threat Intelligence Management page handle file parsing of intelligence sources. Modify the settings to manage global file retention for intelligence sources, or modify individual settings for each download or upload to more granularly control file retention.

Splunk Enterprise Security does not sinkhole (delete a file after processing) an uploaded (file:// threat intel types) or lookup files (lookup:// threat intel types). Otherwise, if sinkhole is set to True, Splunk Enterprise Security deletes the intelligence file after processing.

Remove files associated with a specific download

Use the sinkhole check box to remove files associated with a threat intelligence download.

  1. From the Enterprise Security menu bar, select Configure > Data Enrichment > Threat Intelligence Management.
  2. Locate the threat intelligence download.
  3. Click on the Advanced tab.
  4. Select the Sinkhole check box.
  5. Save your changes.
Last modified on 07 December, 2020
Verify that you have added intelligence successfully to Splunk Enterprise Security
Add intelligence to Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters