I have enabled threat feed into my Splunk Enterprise Security app and the data was working fine until few days back when we disabled the acceleration of one of the datamodels. Since then, we are not seeing any threat activity for few of the datamodels in the setup.
Does the threat intel work only on accelerated datamodels? or is it a different issue?
Thanks in advance...!!!
Most of the Threat Intelligence framework searches use
| tstats summariesonly=true, which means they will only work with complete data model accelerations.
Thanks for the answer. But is there a way we can enable the TI to search for threat activity in unaccelerated datamodels?
Also, is there a way to validate if the threat activities from all the accelerated datamodels are being detected? Because I see many things that can be categorized in my Web datamodel, but are not being captured in the threat intelligence dashboards/index.
You can modify the TI searches to use
| tstats summariesonly=false.
I don't have an answer for the second question.
Thanks for the answer Rich. The issue was that I did not accelerate all the datamodels. I have now accelerated all the datamodels and its giving expected output 🙂