Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Losing data from URL-based Threat Intelligence Feed

aingragunathan
Engager
‎04-30-2020 02:35 PM

Hi All,

Looking for some help troubleshooting some odd behaviour around storing IOCs from a custom URL-based Threat Intelligence feed.
We have successfully set it up to a point where we can receive the IOCs (in 2hr intervals), store them and search with them.

But the IOCs seem to randomly disappear. One moment we may have 5000+ IOCs, the next we may have 0 or 2000 or 4000.
Our Threat Intelligence Management page states that the max size DA-ESS-ThreatIntelligence is 100MB and I haven't seen the threat_intel files pass 40MB

Any help troubleshooting this issue is appreciated!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...