Enterprise Security comes pre-configured with several blocklists; however, we have a valid business case for some of them and want to remove the items from Threat Artifacts. We can disable the download for a threat feed, but the data is still showing under Threat Artifacts and still creates incidents and triggers alerts. How do we actually remove or hide the threat intelligence data from a feed that has already been downloaded and indexed in Splunk?
I cleared out all of the lookup tables - they're all kvstore inputs in the collections.conf file inside /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/default
| inputlookup ip_intel | head 10 | outputlookup ip_intel | inputlookup certificate_intel | head 1 | outputlookup certificate_intel | inputlookup file_intel | head 1 | outputlookup file_intel | inputlookup process_intel | head 1 | outputlookup process_intel
There's probably a cleaner way to do this, but that's how I'm trying to get rid of them.
Disabling the threat downloads will stop the new data from coming in. Using the searches above will clear out the kvstore. I would not do the head statements. All data in the kvstore will have a threat_key so keying on that will get all intel out.
| inputlookup certificate_intel | search NOT threat_key=* | outputlookup certificate_intel
If you are keying on a specific set of data you want to exclude, you can use that threat_key to get rid of a specific feed.
The lookup generation will populate CSV files called threatintel_by_*.csv found in /apps/DA-ESS-ThreatIntelligence/lookups/, and if you want to get rid of the residual data, also check there.
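A worked version of the per-feed removal discussed in the answers above, added here as an example and not part of the original posts. It keeps every record in the ip_intel collection except those whose threat_key matches the feed being removed; the feed name example_feed is a placeholder to be replaced with the real threat_key, and the collection name is one of those already named in the thread.

```spl
| inputlookup ip_intel
| search NOT threat_key="example_feed"
| outputlookup ip_intel
```

Because outputlookup replaces the whole collection with whatever the search returns, it is worth listing the feeds present first with `| inputlookup ip_intel | stats count by threat_key`, both to confirm the exact threat_key value and to see how many records will remain. The same three-line search, with the collection name changed, applies to certificate_intel, file_intel and process_intel, and afterwards the threatintel_by_*.csv lookups should be regenerated or checked so the removed feed does not linger in Threat Artifacts.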