Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how come old threatlist information isn't properly being cleaned?

mmoermans
Path Finder
‎12-10-2018 07:02 AM

We've got several threatlists running and I see that old threatlist information isn't properly cleaned. The max age is put on -1d but the data is still sometimes old and showing domains that have long been removed. How can you schedule a cleanup for this data?

0 Karma
Reply

hansuleberg
Path Finder
‎03-11-2021 09:22 AM

Hi. Was this resolved. Did you find the solution?

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎12-10-2018 10:38 AM

See the documentation here. You need to enable a search to take action based on the max age setting: https://docs.splunk.com/Documentation/ES/5.1.1/Admin/Changethreatintel#Configure_threat_source_reten...

Reply

mmoermans
Path Finder
‎12-11-2018 02:12 AM

I've done this but somehow it still shows up in notables.
In |inputlookup ip_intel I can't find the domain but it's still getting matched, even though there's a max age and the retention searches have been scheduled and executed. The correlation search is looking in the data model threat_actvity which looks at ip_intel so I don't understand how it's still matching.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In the last month, the Splunk Threat Research Team (STRT) has had 2 releases of new security content via the ...

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We are happy to announce the 20 lucky questers who are selected to be the first round of Champion's Tribute ...

We’ve Got Education Validation!

Are you feeling it? All the career-boosting benefits of up-skilling with Splunk? It’s not just a feeling, it's ...