Splunk Enterprise Security

How to remove Splunk App for Enterprise Security custom threat feeds?

john_miller1
Explorer

We were testing two externally hosted threat feeds. After adding them to the Splunk App for Enterprise Security using the ES documentation ,the feeds began giving us a tremendous amount of false positives.

We removed the feeds from Settings > Data Inputs > Threat Intelligence Downloads, ensured all CSV files were not in any DA-ESS-Threat* subfolder and all SA-Threat* subfolder.

Restarted the server.

We are still getting threat activity matching to these sources. Are there any other steps we need to take to make sure our data is no longer matched against this bad data feed? Is it stored in a summary index or other index that we should clean?

Any help would be greatly appreciated!

1 Solution

lcrielaa
Communicator

It's been moved into the Threat intelligence KVStore. Here's some help on how to clean it : http://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

View solution in original post

lcrielaa
Communicator

It's been moved into the Threat intelligence KVStore. Here's some help on how to clean it : http://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html

john_miller1
Explorer

Figured it had been sucked into something just didn't know where. Thank you!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...