https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216981#M1287 <P>Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.&lt;name&gt; = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.</P> Tue, 29 Sep 2020 14:20:01 GMT cphair 2020-09-29T14:20:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216980#M1286 <P>The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen that runs every 30 minutes and I believe it save its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.</P> Tue, 29 Sep 2020 08:53:59 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216980#M1286 niemesrw 2020-09-29T08:53:59Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216981#M1287 <P>Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.&lt;name&gt; = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.</P> Tue, 29 Sep 2020 14:20:01 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216981#M1287 cphair 2020-09-29T14:20:01Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216982#M1288 <P>A modification to a Gen search in GUI could cause a empty stanza in DA-ESS-ThreatIntelligence/local/savedsearch.conf such as alert.suppress.fields =</P> <P>Check your savedsearches.conf in local and remove the wrong options.</P> Fri, 08 Sep 2017 09:10:55 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216982#M1288 stefan1988 2017-09-08T09:10:55Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216983#M1289 <P>If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see this "action.threat_activity=1" which is a reference to “alert_actions.conf” in DA-ESS-ThreatIntelligence app which has [threat_activity] stanza. It is a reference to call that alert action</P> <P>If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex" ing to threat_activity index (highlighted)</P> <P>Please note "summaryindex" is an alias to "collect" command.</P> <P>The part where summaryindex command is present in "threat_activity" alert action is given below.</P> <P><STRONG>| summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"</STRONG> </P> Wed, 30 Sep 2020 04:37:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-How-to-troubleshoot-why-the-threat/m-p/216983#M1289 chethankumarcba 2020-09-30T04:37:51Z