Manage UI issues impacting threat intelligence after upgrading Splunk Enterprise Security

Upgrading the Splunk Enterprise Security app to versions 6.4.0 or higher may cause the following issues:

UI may not display some views

The following views are not found:

  • Threat intelligence manager is no longer available from the Splunk Enterprise menu bar at Configure > Settings > Data inputs > Threat Intelligence Manager.
  • Threat intelligence uploads are no longer available from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Uploads.

Older views are replaced by one integrated interface from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Management. The threat intelligence navigation bar and management page do not display if you have customized the menu bar in Splunk Enterprise Security. See Restore the default navigation or Recover the new view of threat intelligence pages.

Recover the view of threat intelligence pages

Follow these steps to recover the original view of threat intelligence pages:

  1. In Splunk Enterprise Security, select Configure > General > Navigation to open the Navigation Editor.
  2. Scroll to the Data Enrichment collection and modify the Identity view to Asset and Identity Management and the link to the following URL: /app/SplunkEnterpriseSecuritySuite/ess_entity_management
  3. Modify the link for Threat Intelligence Manager to the following URL: /app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management
  4. Remove the Threat Intelligence Uploads view and add the Whois Management view with the following URL: /manager/SplunkEnterpriseSecuritySuite/data/inputs/whois

If you prefer not to restore the default navigation menu, you can append the following path to your Splunk server URL to go directly to the new threat intelligence management page: /app/SplunkEnterpriseSecuritySuite/ess_threat_intelligence_management

Health check warnings appear

Health check warnings may appear if deprecated threat intelligence manager inputs are detected upon upgrade to Enterprise Security version 6.4.0.

In previous ES versions, the [threat_intelligence_manager] stanza acted as a dropbox folder where [threatlist] stanzas and other sources dropped their intelligence documents that were later processed by the threat_intelligence_manager modular input.

In ES 6.4.0, the threat intelligence manager inputs are no longer required to process the intelligence documents that are downloaded. Instead, intelligence downloads are now directly processed by the threatlist modular input. All threatlist sources need a corresponding [threatlist] stanza.

To remove the health check warnings, migrate these legacy inputs, or remove them if they are no longer required.

You may recreate the legacy inputs as [threatlist] stanzas for each individual threat intelligence source in the inputs.conf configuration file. Alternatively, you may remove the threat intelligence manager stanzas in the inputs.conf file if the legacy inputs are no longer required.
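As an added example (not from the Splunk documentation or the ES app itself), the following script audits an inputs.conf for the deprecated [threat_intelligence_manager://] stanzas behind the health check warning and lists the [threatlist://] stanzas that now handle downloads; the stanza names follow the page, while the sample keys and values are assumed for illustration.

```python
# Added example, not from Splunk's documentation or ES code: audit an
# inputs.conf for the deprecated [threat_intelligence_manager://] stanzas
# that trigger the ES 6.4.0 health check warning, and list the
# [threatlist://] stanzas that now process intelligence downloads.
import configparser
from typing import Dict, List
# Constructed sample inputs.conf (stanza names from the page; keys/values assumed).
SAMPLE_INPUTS_CONF = """\
[threat_intelligence_manager://da_ess_threat_local]
directory = $SPLUNK_HOME/etc/apps/DA-ESS-ThreatIntelligence/local/data/threat_intel
disabled = 0
[threat_intelligence_manager://old_custom_dropbox]
directory = /opt/intel/dropbox
disabled = 1
[threatlist://example_ip_blocklist]
url = https://intel.example.invalid/blocklist.txt
type = ip
interval = 3600
"""

def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk's INI-style inputs.conf; interpolation is off so
    literal values such as $SPLUNK_HOME are kept as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys are case-sensitive
    cp.read_string(text)
    return cp

def is_enabled(section: configparser.SectionProxy) -> bool:
    """Splunk treats a stanza without a 'disabled' key as enabled."""
    return section.get("disabled", "0").strip().lower() not in ("1", "true")

def audit_threat_inputs(text: str) -> Dict[str, List[str]]:
    """Return deprecated manager stanzas (all, and those still enabled)
    plus the threatlist stanzas present, in file order."""
    cp = parse_inputs_conf(text)
    report: Dict[str, List[str]] = {"legacy": [], "legacy_enabled": [], "threatlist": []}
    for name in cp.sections():
        if name.startswith("threat_intelligence_manager://"):
            report["legacy"].append(name)
            if is_enabled(cp[name]):
                report["legacy_enabled"].append(name)
        elif name.startswith("threatlist://"):
            report["threatlist"].append(name)
    return report

if __name__ == "__main__":
    for stanza in audit_threat_inputs(SAMPLE_INPUTS_CONF)["legacy"]:
        print(f"deprecated input [{stanza}]: recreate as [threatlist://] or remove it")
```

Point the script at the local inputs.conf of the app that holds your threat intelligence inputs; every stanza it reports as enabled is one the health check will keep flagging until it is migrated or removed.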

For more information on how the threatlist modular input processes intelligence downloads using workloads, see Configure workloads.

Last modified on 31 March, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2, 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2
