Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

In Splunk Enterprise Security, how come old threatlist information isn't properly being cleaned?

mmoermans
Path Finder
‎12-10-2018 07:02 AM

We've got several threatlists running and I see that old threatlist information isn't properly cleaned. The max age is put on -1d but the data is still sometimes old and showing domains that have long been removed. How can you schedule a cleanup for this data?

0 Karma
Reply

hansuleberg
Path Finder
‎03-11-2021 09:22 AM

Hi. Was this resolved. Did you find the solution?

0 Karma
Reply

smoir_splunk
Splunk Employee
Splunk Employee
‎12-10-2018 10:38 AM

See the documentation here. You need to enable a search to take action based on the max age setting: https://docs.splunk.com/Documentation/ES/5.1.1/Admin/Changethreatintel#Configure_threat_source_reten...

Reply

mmoermans
Path Finder
‎12-11-2018 02:12 AM

I've done this but somehow it still shows up in notables.
In |inputlookup ip_intel I can't find the domain but it's still getting matched, even though there's a max age and the retention searches have been scheduled and executed. The correlation search is looking in the data model threat_actvity which looks at ip_intel so I don't understand how it's still matching.

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...