The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen that runs every 30 minutes and I believe it save its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.
If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see this "action.threat_activity=1" which is a reference to “alert_actions.conf” in DA-ESS-ThreatIntelligence app which has [threat_activity] stanza. It is a reference to call that alert action
If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex" ing to threat_activity index (highlighted)
Please note "summaryindex" is an alias to "collect" command.
The part where summaryindex command is present in "threat_activity" alert action is given below.
Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.