Modify existing intelligence sources in Splunk Enterprise Security
After you add intelligence sources to Splunk Enterprise Security using the threat intelligence management system, you can make changes to the settings to make sure the intelligence you correlate with events is useful.
Turn off an intelligence source
Turn off an intelligence source to stop downloading information from the source. This also prevents new threat indicators from the deactivated source from being added to the threat intelligence collections.
- In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
- Find the intelligence source.
- In the Status column, toggle the switch to Off.
Edit an intelligence source
Change information about an existing intelligence source, such as the retention period or the download interval for the source.
- In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
- Find the intelligence source you want to edit and select the three dots (more) icon.
- Select Edit.
- Make changes to the fields as needed.
- Save your changes.
By default, only administrators can edit intelligence sources. To allow non-admin users to edit intelligence sources, see Adding capabilities to a role in the Install and Upgrade Manual.
Configure threat source retention
Remove threat intelligence from the KV Store collections in Splunk Enterprise Security based on the date that the threat intelligence was added to Splunk Enterprise Security.
The default maximum age is -30d
for 30 days of retention in the KV Store. To remove the data more often, use a smaller number such as -7d
for one week of retention. The maximum age field cannot be left blank because storing the collection indefinitely can impact performance.
Follow these steps to define the maximum age of the threat intelligence:
- In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
- Find the intelligence source you want to edit and select the three dots (more) icon.
- Select Advanced edit.
- Change the Maximum age setting using a relative time specifier.
Review the logic for retention
Threat intelligence entries are removed when you meet the following conditions:
- The entry is no longer in the source threat list
- The threat list is processed
- The time that the threat list was last seen and processed is earlier than the
max_age
time setting - The threat retention input runs every 24 hours
As of Splunk Enterprise Security 6.4.0, threat collection data is no longer deleted from the KV Store based only on the max_age
time setting defined in the inputs.conf
file compared to the time
field in each threat intelligence collection.
The time
field in the threat collection is updated when any of the following items are true:
- The
[threatlist]
stanza has been updated. - Non-TAXII document's hash value has changed.
- TAXII document's mod-time has changed.
Additional fields are now included in the [threat_group_intel]
stanza called last_seen
and last_processed
. The delete processing logic follows:
- Last processed
- When the threat intelligence document is processed, the last_processed field is updated. It is processed based on the interval in threat intelligence management.
- Time
- When threat intelligence data is inserted after processing, the time field is updated. This happens when the data is new or when the data contains changes.
- Last seen
- Whether or not anything is inserted or revised after processing, the last_seen field is updated.
If threat intelligence has not been processed but it has been seen within the maximum age time frame, the data is not deleted. The time
field isn't taken at face value because the data has not been processed, therefore the contents of the document are unknown. After the document has been processed, only then can it be determined which items to remove. For example, the process time falls within the max age time.
Otherwise, data gets deleted if the time
field exceeds the max_age
field.
Configure threat intelligence file retention
Configure how long files are stored by Splunk Enterprise Security after processing. You can modify the settings to manage global file retention for intelligence sources, or modify individual settings for each download or upload to more granularly control file retention.
Modular inputs for threat intelligence management handle file parsing of intelligence sources. The parsing process includes analyzing the downloaded file, extracting relevant values, saving it into a lookup, and storing matching data into an index. You have the option to parse the file and delete it, also called sinkhole, or parse the file and keep it as a reference.
Splunk Enterprise Security does not sinkhole an uploaded file (file:// threat intel types) or lookup files (lookup:// threat intel types). Otherwise, if sinkhole is set to True, Splunk Enterprise Security deletes the intelligence file after processing.
Remove files associated with a specific download
Follow these steps to use the sinkhole check box to remove files associated with a threat intelligence download:
- In Splunk Enterprise Security, select Configure then Intelligence and then Threat intelligence management.
- Find the intelligence source you want to edit and select the three dots (more) icon.
- Select Advanced edit.
- Select the Sinkhole check box.
- Save your changes.
See also
For more information on threat intelligence management, see the product documentation:
Configure threat lists in Splunk Enterprise Security | Use the inputintelligence command to use generic intelligence in Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!