Splunk Enterprise Security

Does an IOC get removed from ip_intel if you remove it from the local lookup

New Member

Hi all,

So I followed the guide here https://docs.splunk.com/Documentation/ES/4.5.1/User/Configureblocklists in order to upload a custom csv file with some IOCs in it, and created a new intelligence download referring to the lookup, with 'lookup://lookup_name'.

My assumption was that this lookup is dynamic so when you remove an IOC from the original lookup, this gets reflected in the ip_intel and other collections as well once the threat searches are run. I tried this and the IOC still exists in the collection and threat searches still run against it. When I add an IOC to the lookup, this gets added to ip_intel as well so that's working as expected.

Am I wrong in thinking that IOCs get removed from ip_intel and other collections when you remove an IOC from the original lookup? Is the only way to remove an IOC to re-write the ip_intel without the said IOC using 'outputlookup'?

Thanks for all your help!

0 Karma
Get Updates on the Splunk Community!

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...