Splunk® Enterprise Security

Administer Splunk Enterprise Security

Modify existing intelligence sources in Splunk Enterprise Security

After you add intelligence sources to Splunk Enterprise Security using the threat intelligence management system, you can make changes to the settings to make sure the intelligence you correlate with events is useful.

Turn off an intelligence source

Turn off an intelligence source to stop downloading information from the source. This also prevents new threat indicators from the deactivated source from being added to the threat intelligence collections.

  1. In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
  2. Find the intelligence source.
  3. In the Status column, toggle the switch to Off.

Edit an intelligence source

Change information about an existing intelligence source, such as the retention period or the download interval for the source.

  1. In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
  2. Find the intelligence source you want to edit and select the three dots (more) icon.
  3. Select Edit.
  4. Make changes to the fields as needed.
  5. Save your changes.

By default, only administrators can edit intelligence sources. To allow non-admin users to edit intelligence sources, see Adding capabilities to a role in the Install and Upgrade Manual.

Configure threat source retention

Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the threat intelligence was added to Splunk Enterprise Security.

The default maximum age is -30d for 30 days of retention in the KV Store. To remove the data more often, use a smaller number such as -7d for one week of retention. The maximum age field cannot be left blank because storing the collection indefinitely can impact performance.

Follow these steps to define the maximum age of the threat intelligence:

  1. In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
  2. Find the intelligence source you want to edit and select the three dots (more) icon.
  3. Select Advanced edit.
  4. Change the Maximum age setting using a relative time specifier.

Review the logic for retention

Threat intelligence entries are removed when the following conditions are met:

  • The entry is no longer in the source threat list
  • The threat list is processed
  • The time that the threat list was last seen and processed is earlier than the max_age time setting
  • The threat retention input runs every 24 hours

As of Splunk Enterprise Security 6.4.0, threat collection data is no longer deleted from the KV Store based only on the max_age time setting defined in the inputs.conf file compared to the time field in each threat intelligence collection.

The time field in the threat collection is updated when any of the following items are true:

  • The [threatlist] stanza has been updated.
  • A non-TAXII document's hash value has changed.
  • A TAXII document's mod-time has changed.

The [threat_group_intel] stanza now includes two additional fields, last_seen and last_processed. The delete processing logic is as follows:

Last processed
When the threat intelligence document is processed, the last_processed field is updated. Processing runs at the interval set in threat intelligence management.
Time
When threat intelligence data is inserted after processing, the time field is updated. This happens when the data is new or when the data contains changes.
Last seen
Whether or not anything is inserted or revised after processing, the last_seen field is updated.

If threat intelligence has not been processed but has been seen within the maximum age time frame, the data is not deleted. The time field isn't taken at face value in that case, because the data has not been processed and the contents of the document are therefore unknown. Only after the document has been processed can it be determined which items to remove, for example when the processing time falls within the maximum age window.

Otherwise, data is deleted when its time field is older than the max_age setting.
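The retention rules above, worked through as an added Python illustration. This is not Splunk Enterprise Security's own code: the field names (time, last_seen, last_processed, max_age) follow the text, while the function names, the sample data and the reading of "not processed" as an empty last_processed value are assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Relative time units for specifiers such as -30d or -12h.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}


def parse_max_age(spec: str) -> timedelta:
    """Parse a relative time specifier like '-30d' into a negative timedelta.
    A blank value is rejected, since the maximum age field cannot be blank."""
    spec = spec.strip()
    if not spec or spec[0] != "-" or spec[-1] not in _UNITS or not spec[1:-1].isdigit():
        raise ValueError(f"invalid max_age specifier: {spec!r}")
    return -timedelta(**{_UNITS[spec[-1]]: int(spec[1:-1])})


def retention_decision(entry_time: datetime, last_seen: Optional[datetime],
                       last_processed: Optional[datetime], max_age: str,
                       now: datetime) -> Tuple[bool, str]:
    """Return (delete, reason) for one collection entry.
    entry_time     -- the entry's time field (set when inserted or changed)
    last_seen      -- the source's last_seen field (updated on every run)
    last_processed -- the source's last_processed field (None = not processed;
                      this reading of 'not processed' is an assumption)"""
    cutoff = now + parse_max_age(max_age)          # e.g. now minus 30 days
    seen_in_window = last_seen is not None and last_seen >= cutoff
    if last_processed is None and seen_in_window:
        # Contents are unknown until parsed, so the time field is not trusted.
        return False, "seen within max_age but not processed; kept"
    if entry_time < cutoff:
        return True, "time field older than max_age; deleted"
    return False, "time field within max_age; kept"


# Constructed sample: one source, three entries, retention run on 25 Sept 2024.
SAMPLE_NOW = datetime(2024, 9, 25, tzinfo=timezone.utc)


def sample_decisions(max_age: str = "-30d") -> dict:
    """Run the retention rules over the constructed sample; returns name -> delete."""
    d = lambda days: SAMPLE_NOW - timedelta(days=days)
    cases = {
        # name: (time, last_seen, last_processed)
        "stale_unprocessed": (d(45), d(1), None),   # kept: seen, never processed
        "stale_processed":   (d(45), d(1), d(1)),   # deleted: older than 30 days
        "fresh_processed":   (d(10), d(1), d(1)),   # kept: within 30 days
    }
    return {name: retention_decision(t, s, p, max_age, SAMPLE_NOW)[0]
            for name, (t, s, p) in cases.items()}
```

Calling sample_decisions("-7d") shows the effect of a shorter retention window: the 10-day-old processed entry is then deleted as well.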

Configure threat intelligence file retention

Configure how long files are stored by Splunk Enterprise Security after processing. You can modify the settings to manage global file retention for intelligence sources, or modify individual settings for each download or upload to more granularly control file retention.

Modular inputs for threat intelligence management handle file parsing of intelligence sources. The parsing process includes analyzing the downloaded file, extracting the relevant values, saving them to a lookup, and storing matching data in an index. You can either parse the file and then delete it (known as sinkholing) or parse the file and keep it for reference.

Splunk Enterprise Security does not sinkhole an uploaded file (file:// threat intel types) or lookup files (lookup:// threat intel types). Otherwise, if sinkhole is set to True, Splunk Enterprise Security deletes the intelligence file after processing.

Remove files associated with a specific download

Follow these steps to use the sinkhole check box to remove files associated with a threat intelligence download:

  1. In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
  2. Find the intelligence source you want to edit and select the three dots (more) icon.
  3. Select Advanced edit.
  4. Select the Sinkhole check box.
  5. Save your changes.

See also

For more information on threat intelligence management, see the product documentation:

Last modified on 25 September, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
