Enterprise Security comes pre-configured with several blocklists; however, we have a valid business case for some of them and want to remove the items from Threat Artifacts. We can disable the download for a threat feed, but the data is still showing under threat artifacts and still creates incidents and triggers alerts. How do we actually remove or hide the threat intelligence data from a feed that has already been downloaded and indexed in Splunk?
Disabling the threat downloads will stop the new data from coming in. Using the searches above will clear out the kvstore. I would not do the head statements. All data in the kvstore will have a threat_key so keying on that will get all intel out.
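The KV Store clean-up described in the answer, written out as an added example (not the searches the answer refers to, and not part of this thread). It assumes the ES threat intel lookup `ip_intel` (other intel types such as `domain_intel` and `file_intel` use the same pattern) and a placeholder feed name `FEED_NAME_HERE` for the disabled download; adjust both for your environment.

```spl
| inputlookup ip_intel where threat_key="FEED_NAME_HERE"
| stats count

| inputlookup ip_intel where threat_key!="FEED_NAME_HERE"
| outputlookup ip_intel
```

The first search is a read-only preview of how many entries will be dropped, which is the check the answer's "head statements" were standing in for; the second rewrites the collection without the feed's entries because `outputlookup` replaces the KV Store contents unless `append=true` is set.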