We were testing two externally hosted threat feeds. After adding them to the Splunk App for Enterprise Security using the ES documentation, the feeds began giving us a tremendous amount of false positives.
We removed the feeds from Settings > Data Inputs > Threat Intelligence Downloads, ensured all CSV files were not in any DA-ESS-Threat* subfolder or any SA-Threat* subfolder.
Restarted the server.
We are still getting threat activity matching to these sources. Are there any other steps we need to take to make sure our data is no longer matched against this bad data feed? Is it stored in a summary index or other index that we should clean?
Any help would be greatly appreciated!
It's been moved into the Threat intelligence KVStore. Here's some help on how to clean it: http://answers.splunk.com/answers/237859/can-i-delete-all-data-from-a-kv-store-at-once.html
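The linked answer clears a whole KV store collection. When only one decommissioned feed needs to go, it is safer to delete just that feed's records so the remaining intelligence keeps matching. The script below is an added example, not code from this thread or from Splunk; it talks to the standard splunkd KV store REST endpoint (`storage/collections/data/<collection>`). The app name `SA-ThreatIntelligence`, the collection names `ip_intel`, `domain_intel` and `file_intel`, and the `threat_key` field that names the source feed are assumptions about how ES stores its threat intel, so verify them on your own instance (for example with `| inputlookup ip_intel | head 5`) before running anything other than the dry run. The management host, port and token are placeholders.

```python
"""Purge one threat feed's records from the Splunk ES threat-intel KV store.

Added example, not from the original thread. Assumptions (verify on your system):
  * ES threat-intel collections live in the SA-ThreatIntelligence app
  * collections are named ip_intel, domain_intel, file_intel
  * each record carries a threat_key field naming the feed it came from
"""
import json
import ssl
import urllib.parse
import urllib.request

APP = "SA-ThreatIntelligence"                    # assumed app name
COLLECTIONS = ["ip_intel", "domain_intel", "file_intel"]  # assumed collection names


def feed_query(threat_key):
    """KV store query selecting only records that came from one feed."""
    return {"threat_key": threat_key}


def collection_url(base, app, collection, query=None):
    """Build the splunkd REST URL for a collection, with an optional JSON query filter."""
    url = f"{base}/servicesNS/nobody/{app}/storage/collections/data/{collection}"
    if query is not None:
        url += "?" + urllib.parse.urlencode({"query": json.dumps(query)})
    return url


def count_records(records, threat_key):
    """Defensive double-check: count records whose threat_key really matches."""
    return sum(1 for r in records if r.get("threat_key") == threat_key)


def _request(url, token, method="GET", verify_tls=True):
    """Issue one authenticated request to splunkd; returns parsed JSON for GET."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    ctx = None if verify_tls else ssl._create_unverified_context()  # lab use only
    with urllib.request.urlopen(req, context=ctx) as resp:
        body = resp.read()
    return json.loads(body) if method == "GET" and body else None


def purge_feed(base, token, threat_key, dry_run=True, verify_tls=True):
    """Report (and, unless dry_run, delete) every record of one feed in each collection.

    Returns {collection: matching_record_count} so the caller can audit before deleting.
    """
    query = feed_query(threat_key)
    summary = {}
    for coll in COLLECTIONS:
        records = _request(collection_url(base, APP, coll, query), token, verify_tls=verify_tls)
        n = count_records(records or [], threat_key)
        summary[coll] = n
        if n and not dry_run:
            # DELETE on the collection URL with the same query removes only matching records
            _request(collection_url(base, APP, coll, query), token, "DELETE", verify_tls)
    return summary


if __name__ == "__main__":
    # Placeholders: point at your search head's management port and a token
    # with write access to the SA-ThreatIntelligence KV store.
    BASE = "https://splunk-sh.example.internal:8089"
    TOKEN = "REPLACE_WITH_SPLUNK_TOKEN"
    FEED = "decommissioned_feed_name"  # the threat_key of the feed you removed
    print(purge_feed(BASE, TOKEN, FEED, dry_run=True))   # inspect counts first
    # print(purge_feed(BASE, TOKEN, FEED, dry_run=False))  # then delete for real
```

Run it once with `dry_run=True`, confirm the per-collection counts look like the feed you removed and nothing else, then rerun with `dry_run=False`. Because the DELETE carries the same `query` filter as the GET, records from other feeds in the same collection are untouched, which the "delete everything" approach in the linked answer cannot guarantee.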
Figured it had been sucked into something just didn't know where. Thank you!
