We were testing two externally hosted threat feeds. After adding them to the Splunk App for Enterprise Security using the ES documentation ,the feeds began giving us a tremendous amount of false positives.
We removed the feeds from Settings > Data Inputs > Threat Intelligence Downloads, ensured all CSV files were not in any DA-ESS-Threat* subfolder and all SA-Threat* subfolder.
Restarted the server.
We are still getting threat activity matching to these sources. Are there any other steps we need to take to make sure our data is no longer matched against this bad data feed? Is it stored in a summary index or other index that we should clean?
Any help would be greatly appreciated!