Splunk Enterprise Security

How do you remove threat feed data already in Enterprise Security?

cheaston
New Member

Enterprise Security comes pre-configured with several blocklists, however we have a valid business case for some of them and want to remove the items from Threat Artifacts. We can disable the download for a threat feed, but the data is still showing under threat artifacts and still creates incidents and triggers alerts. How do we actually remove or hide the threat intelligence data from a feed that has already been downloaded and indexed in Splunk?

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

Disabling the threat downloads will stop the new data from coming in. Using the searches above will clear out the kvstore. I would not do the head statements. All data in the kvstore will have a threat_key so keying on that will get all intel out.

|inputlookup certificate_intel | search NOT threat_key=* | outputlookup certificate_intel

If you are keying on a specific set of data you want to exclude you can use that threat_key to get rid of a specific feed.

The lookup generation will populate csv files called threatintel_by_*.csv found in /apps/DA-ESS-ThreatIntelligence/lookups/ and if you want to get rid of the residual data also check there.
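The per-feed variant of the answer above, as an added example that is not from the thread or from Splunk: instead of rewriting a whole collection with outputlookup, it sends a DELETE to the KV store REST endpoint with a query on threat_key, so only the rows of the unwanted feed are removed from each intel collection. The host, credentials, feed name and sample rows are assumptions, and only the four collections named in the thread are listed.

```python
"""Purge one threat feed (by threat_key) from ES threat-intel KV store collections."""
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Collections named in the thread (collections.conf of DA-ESS-ThreatIntelligence).
INTEL_COLLECTIONS = ["ip_intel", "certificate_intel", "file_intel", "process_intel"]

# Constructed sample of what `| inputlookup ip_intel` might return (not real intel).
SAMPLE_IP_INTEL = [
    {"ip": "192.0.2.10", "threat_key": "feed_to_remove"},
    {"ip": "192.0.2.11", "threat_key": "feed_to_remove"},
    {"ip": "198.51.100.5", "threat_key": "feed_to_keep"},
]


def kvstore_query(threat_key):
    """JSON for the REST 'query' parameter: rows whose threat_key equals the feed."""
    return json.dumps({"threat_key": threat_key}, separators=(",", ":"))


def delete_url(base, app, collection, threat_key):
    """DELETE URL that removes only one feed's rows from one collection."""
    q = urllib.parse.urlencode({"query": kvstore_query(threat_key)})
    return f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}?{q}"


def rows_to_keep(rows, threat_key):
    """Offline equivalent of `| search NOT threat_key=<feed>`: what outputlookup would write back."""
    return [r for r in rows if r.get("threat_key") != threat_key]


def purge_feed(base, user, password, threat_key, app="DA-ESS-ThreatIntelligence"):
    """Issue the DELETE against every intel collection; returns the URLs called.

    Assumes the management port (8089) presents a certificate the client trusts.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context()
    called = []
    for coll in INTEL_COLLECTIONS:
        url = delete_url(base, app, coll, threat_key)
        req = urllib.request.Request(url, method="DELETE",
                                     headers={"Authorization": "Basic " + token})
        with urllib.request.urlopen(req, context=ctx) as resp:
            resp.read()  # 200 with an empty body on success
        called.append(url)
    return called
```

Disable the feed's download first, as the answer says, or the next run will repopulate the rows; the threatintel_by_*.csv files still need to be regenerated or removed separately.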

chris
Motivator

Could that be added to a macro in ES to make the deleting process easier?

0 Karma

jstoner_splunk
Splunk Employee
Splunk Employee

I don't see why it couldn't, but I would secure those macros.

0 Karma

niemesrw
Path Finder

I cleared out all of the lookup tables - they're all kvstore inputs in the collections.conf file inside /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/default

| inputlookup ip_intel | head 10 | outputlookup ip_intel
| inputlookup certificate_intel | head 1 | outputlookup certificate_intel
| inputlookup file_intel | head 1 | outputlookup file_intel
| inputlookup process_intel | head 1 | outputlookup process_intel

There's probably a cleaner way to do this, but that's how I'm trying to get rid of them.

0 Karma