Splunk Enterprise Security

How to reinstall removed DA-ESS-ThreatIntelligence

rashid47010
Communicator

mistaken I remove Enterprise App named DA-ESS-ThreatIntelligence.

how how can I download this and integrate it with ES framework.

0 Karma
1 Solution

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

You can download same version of Splunk ES which you are running on your Splunk Instance from https://splunkbase.splunk.com (When you login with your userid, your id must have ES entitlement otherwise you will not able to download ES)

Once you download the ES .spl file then you need to extract in some temp folder and then copy DA-ESS-ThreatIntelligence tar from temp folder to splunk apps directory, here I am giving example of Linux commands for Splunk ES running on Single Search Head (Not on SHC)

tar -xzf splunk-enterprise-security_<version>.spl -C /var/tmp/
cd /var/tmp/SplunkEnterpriseSecuritySuite/install
cp DA-ESS-ThreatIntelligence-<version>.spl $SPLUNK_HOME/etc/apps/
tar -xzf DA-ESS-ThreatIntelligence-<version>.spl 

Restart Splunk service.

After Splunk restart you need to configure your Threat Intel again because your earlier Threat Intel configuration is removed when you accidentally deleted DA-ESS-ThreatIntelligence app.

View solution in original post

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Hi,

You can download same version of Splunk ES which you are running on your Splunk Instance from https://splunkbase.splunk.com (When you login with your userid, your id must have ES entitlement otherwise you will not able to download ES)

Once you download the ES .spl file then you need to extract in some temp folder and then copy DA-ESS-ThreatIntelligence tar from temp folder to splunk apps directory, here I am giving example of Linux commands for Splunk ES running on Single Search Head (Not on SHC)

tar -xzf splunk-enterprise-security_<version>.spl -C /var/tmp/
cd /var/tmp/SplunkEnterpriseSecuritySuite/install
cp DA-ESS-ThreatIntelligence-<version>.spl $SPLUNK_HOME/etc/apps/
tar -xzf DA-ESS-ThreatIntelligence-<version>.spl 

Restart Splunk service.

After Splunk restart you need to configure your Threat Intel again because your earlier Threat Intel configuration is removed when you accidentally deleted DA-ESS-ThreatIntelligence app.

0 Karma

rashid47010
Communicator

thanks.It works.

can you please share the information about "configure Threat Intel"

0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

When you go to Apps-> Enterprise Security -> Configure -> Data Enrichment -> Intelligence Downloads, there are number of threat intel belongs to DA-ESS-ThreatIntelligence. For example all threatlist starting with local_*, those are enabled by deafult, if you were not using any of such ThreatList before you deleted DA-ESS-ThreatIntelligence then you need to disable those again.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...