Splunk Enterprise Security

How do you remove threat feed data already in Enterprise Security?

cheaston
New Member

Enterprise Security comes pre-configured with several blocklists, however we have a valid business case for some of them and want to remove the items from Threat Artifacts. We can disable the download for a threat feed, but the data is still showing under threat artifacts and still creates incidents and triggers alerts. How do we actually remove or hide the threat intelligence data from a feed that has already been downloaded and indexed in Splunk?

0 Karma

jstoner_splunk
Splunk Employee

Disabling the threat downloads will stop the new data from coming in. Using the searches above will clear out the kvstore. I would not do the head statements. All data in the kvstore will have a threat_key so keying on that will get all intel out.

| inputlookup certificate_intel | search threat_key!=* | outputlookup certificate_intel

If you are keying on a specific set of data you want to exclude you can use that threat_key to get rid of a specific feed.

The lookup generation will populate csv files called threatintel_by_*.csv found in /apps/DA-ESS-ThreatIntelligence/lookups/ and if you want to get rid of the residual data also check there.
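The per-feed variant of the approach in this answer, written out as an added example that is not part of the thread. It assumes the ip_intel collection (the other *_intel collections on this page work the same way) and uses FEED_TO_REMOVE as a placeholder for the threat_key of the feed being retired; the backup lookup name ip_intel_backup.csv is also an assumption. The searches run in order: inventory which threat_key values are present and how many rows each has, write a CSV backup so the removal can be reverted, drop only the rows belonging to the one feed, then confirm nothing from that feed remains.

```spl
| inputlookup ip_intel
| stats count AS entries BY threat_key
| sort - entries

| inputlookup ip_intel
| outputlookup ip_intel_backup.csv

| inputlookup ip_intel
| search NOT threat_key="FEED_TO_REMOVE"
| outputlookup ip_intel

| inputlookup ip_intel
| search threat_key="FEED_TO_REMOVE"
| stats count AS remaining
```

The removal step uses NOT threat_key="..." rather than threat_key!="..." so that any row that happens to lack a threat_key is kept instead of silently dropped. The final search should return remaining=0; if the threatintel_by_* CSV files mentioned above still list the retired feed, they will be rebuilt from the collection by the lookup-generation search, so clear the collection first and then let that search run.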

chris
Motivator

Could that be added to a macro in ES to make the deleting process easier?

0 Karma

jstoner_splunk
Splunk Employee

I don't see why it couldn't, but I would secure those macros.

0 Karma

niemesrw
Path Finder

I cleared out all of the lookup tables - they're all kvstore inputs in the collections.conf file inside /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/default

| inputlookup ip_intel | head 10 | outputlookup ip_intel
| inputlookup certificate_intel | head 1 | outputlookup certificate_intel
| inputlookup file_intel | head 1 | outputlookup file_intel
| inputlookup process_intel | head 1 | outputlookup process_intel

There's probably a cleaner way to do this, but that's how I'm trying to get rid of them.

0 Karma