Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data?

niemesrw
Path Finder

The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen that runs every 30 minutes and I believe it save its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.

chethankumarcba
Engager

If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see this "action.threat_activity=1" which is a reference to “alert_actions.conf” in DA-ESS-ThreatIntelligence app which has [threat_activity] stanza. It is a reference to call that alert action

If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex" ing to threat_activity index (highlighted)

Please note "summaryindex" is an alias to "collect" command.

The part where summaryindex command is present in "threat_activity" alert action is given below.

| summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"

0 Karma

stefan1988
Path Finder

A modification to a Gen search in GUI could cause a empty stanza in DA-ESS-ThreatIntelligence/local/savedsearch.conf such as alert.suppress.fields =

Check your savedsearches.conf in local and remove the wrong options.

0 Karma

cphair
Builder

Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!