Splunk® Enterprise Security

Administer Splunk Enterprise Security


Manage UI issues impacting threat intelligence after upgrading Splunk Enterprise Security

Upgrading the Splunk Enterprise Security app to version 6.4.0 or higher may cause the following issues:

UI may not display some views

The following views are not found:

  • Threat intelligence manager is no longer available from the Splunk Enterprise menu bar at Configure > Settings > Data inputs > Threat Intelligence Manager.
  • Threat intelligence uploads are no longer available from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Uploads.

The older views are replaced by a single integrated interface, available from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Management. If you have customized the menu bar in Splunk Enterprise Security, the threat intelligence navigation bar and management page do not display. See Restore the default navigation or Recover the new view of threat intelligence pages.

Recover the new view of threat intelligence pages

If you prefer not to restore the default navigation menu, you can append the following path to your Splunk server URL to go directly to the new threat intelligence management page: /app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management

Health check warnings appear

Health check warnings may appear if deprecated threat intelligence manager inputs are detected upon upgrade to Enterprise Security version 6.4.0.

In previous ES versions, the [threat_intelligence_manager] stanza acted as a dropbox folder: [threatlist] stanzas and other sources dropped their intelligence documents there, and the threat_intelligence_manager modular input processed them later.

In ES 6.4.0, the threat intelligence manager inputs are no longer required to process the intelligence documents that are downloaded. Instead, intelligence downloads are now directly processed by the threatlist modular input. All threatlist sources need a corresponding [threatlist] stanza.

To remove the health check warnings, migrate these legacy inputs, or remove them if they are no longer required.

You may recreate the legacy inputs as [threatlist] stanzas for each individual threat intelligence source in the inputs.conf configuration file. Alternatively, you may remove the threat intelligence manager stanzas in the inputs.conf file if the legacy inputs are no longer required.
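Before editing inputs.conf, it helps to list which legacy stanzas exist and which [threatlist] stanzas are already in place. The following is an added example, not Splunk's own tooling: it assumes the usual modular input stanza form [scheme://name], and the sample file contents and stanza names are constructed.

```python
LEGACY_SCHEME = "threat_intelligence_manager"  # deprecated inputs named on this page
CURRENT_SCHEME = "threatlist"                  # modular input that now processes downloads

# Constructed sample inputs.conf; stanza names are hypothetical.
SAMPLE_INPUTS_CONF = """\
# local/inputs.conf
[threat_intelligence_manager://local_dropbox]
disabled = 0

[threat_intelligence_manager://old_feed_dir]
disabled = 1

[threatlist://example_feed]
disabled = 0

[monitor:///var/log/syslog]
disabled = 0
"""

def parse_stanzas(conf_text):
    """Return {stanza_header: {key: value}} for the body of a Splunk .conf file."""
    stanzas, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def audit_inputs(conf_text):
    """Split stanzas into legacy manager inputs and current threatlist inputs."""
    legacy, current = [], []
    for header, settings in parse_stanzas(conf_text).items():
        scheme, _, name = header.partition("://")
        if scheme == LEGACY_SCHEME:
            legacy.append((name or "<default>", settings.get("disabled", "<unset>")))
        elif scheme == CURRENT_SCHEME:
            current.append(name or "<default>")
    return {"legacy": legacy, "threatlist": current}

if __name__ == "__main__":
    report = audit_inputs(SAMPLE_INPUTS_CONF)
    for name, disabled in report["legacy"]:
        print(f"legacy input to migrate or remove: {name} (disabled={disabled})")
    print("threatlist stanzas present:", ", ".join(report["threatlist"]) or "none")
```

Run it against each inputs.conf that can define these stanzas (app default and local directories), since a stanza removed from one file may still be defined in another.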

For more information on how the threatlist modular input processes intelligence downloads using workloads, see Configure workloads.

Last modified on 11 February, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only

