Splunk Enterprise Security

How do you remove threat feed data already in Enterprise Security?

New Member

Enterprise Security comes pre-configured with several blocklists, however we have a valid business case for some of them and want to remove the items from Threat Artifacts. We can disable the download for a threat feed, but the data is still showing under threat artifacts and still creates incidents and triggers alerts. How do we actually remove or hide the threat intelligence data from a feed that has already been downloaded and indexed in Splunk?


Re: How do you remove threat feed data already in Enterprise Security?

Path Finder

I cleared out all of the lookup tables - they're all kvstore inputs in the collections.conf file inside /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/default

| inputlookup ip_intel | head 10 | outputlookup ip_intel
| inputlookup certificate_intel | head 1 | outputlookup certificate_intel
| inputlookup file_intel | head 1 | outputlookup file_intel
| inputlookup process_intel | head 1 | outputlookup process_intel

There's probably a cleaner way to do this, but that's how I'm trying to get rid of them.


Re: How do you remove threat feed data already in Enterprise Security?

Splunk Employee

Disabling the threat downloads will stop the new data from coming in. Using the searches above will clear out the kvstore. I would not do the head statements. All data in the kvstore will have a threat_key so keying on that will get all intel out.

| inputlookup certificate_intel | search NOT threat_key=* | outputlookup certificate_intel

If you are keying on a specific set of data you want to exclude you can use that threat_key to get rid of a specific feed.

The lookup generation will populate CSV files called threat_intel_by_*.csv found in /apps/DA-ESS-ThreatIntelligence/lookups/ and if you want to get rid of the residual data also check there.


Re: How do you remove threat feed data already in Enterprise Security?

Motivator

Could that be added to a macro in ES to make the deleting process easier?


Re: How do you remove threat feed data already in Enterprise Security?

Splunk Employee

I don't see why it couldn't, but I would secure those macros.

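As an added illustration of the macro idea raised above (not code from any of the posters or from Enterprise Security itself), a macros.conf stanza that wraps the threat_key filter, plus a default.meta stanza that restricts who can run or edit it; the macro name, argument names and the custom app directory are assumptions.

```ini
# macros.conf (in an assumed custom app, e.g. etc/apps/my_es_tuning/local/)
# Keeps every row in the given intel collection whose threat_key does NOT
# match the named feed, then writes the filtered rows back over the collection.
# outputlookup replaces the whole KV store collection, so take a backup first:
#   | inputlookup ip_intel | outputlookup ip_intel_backup.csv
[remove_threat_feed(2)]
args = collection, feed
definition = inputlookup $collection$ | search NOT threat_key="$feed$" | outputlookup $collection$

# Usage from the search bar, e.g. drop one feed from the IP intel collection:
#   | `remove_threat_feed(ip_intel, "hypothetical_feed_name")`

# metadata/default.meta in the same app: only admins may read or change the
# macro, so a low-privilege user cannot run or redefine a collection-clearing search.
[macros/remove_threat_feed]
access = read : [ admin ], write : [ admin ]
export = none
```

Run the macro once per collection (ip_intel, certificate_intel, file_intel, process_intel, etc.), since each is a separate KV store collection; the threat_intel_by_*.csv lookups mentioned above are regenerated separately.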