Solved: How to remove Splunk App for Enterprise Security c...

john_miller1 · ‎09-03-2015

We were testing two externally hosted threat feeds. After adding them to the Splunk App for Enterprise Security using the ES documentation ,the feeds began giving us a tremendous amount of false positives.

We removed the feeds from Settings > Data Inputs > Threat Intelligence Downloads, ensured all CSV files were not in any DA-ESS-Threat* subfolder and all SA-Threat* subfolder.

Restarted the server.

We are still getting threat activity matching to these sources. Are there any other steps we need to take to make sure our data is no longer matched against this bad data feed? Is it stored in a summary index or other index that we should clean?

Any help would be greatly appreciated!

lcrielaa · ‎09-03-2015

It's been moved into the Threat intelligence KVStore. Here's some help on how to clean it : http://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

View solution in original post

lcrielaa · ‎09-03-2015

It's been moved into the Threat intelligence KVStore. Here's some help on how to clean it : http://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

john_miller1 · ‎09-03-2015

Figured it had been sucked into something just didn't know where. Thank you!

How to remove Splunk App for Enterprise Security custom threat feeds?

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!