Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data?

niemesrw
Path Finder

The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen - that runs every 30 minutes, and I believe it saves its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.

chethankumarcba
Engager

If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see "action.threat_activity=1", which is a reference to the [threat_activity] stanza in alert_actions.conf in the DA-ESS-ThreatIntelligence app. It is a reference to call that alert action.

If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex"-ing to the threat_activity index.

Please note "summaryindex" is an alias to "collect" command.

The part where summaryindex command is present in "threat_activity" alert action is given below.

| summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"

0 Karma

stefan1988
Path Finder

A modification to a Gen search in the GUI could cause an empty stanza in DA-ESS-ThreatIntelligence/local/savedsearches.conf such as alert.suppress.fields =

Check your savedsearches.conf in local and remove the wrong options.

0 Karma

cphair
Builder

Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.
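As an added worked example (not code from this thread, nor from Splunk or the ES app), here is a small Python linter that applies the checks from the answers above to the two files involved: it parses a constructed savedsearches.conf stanza and the [threat_activity] stanza from alert_actions.conf, confirms action.threat_activity = 1, confirms that the action's command pipes into summaryindex (or collect), flags empty settings such as `alert.suppress.fields =` left behind by GUI edits, and resolves the $action.threat_activity._name{required=yes}$ token from the summaryindex command. The sample stanzas are constructed, and the placement of the index name in `action.threat_activity._name` is my assumption (by analogy with the documented `action.summary_index._name`); verify where it actually comes from in your deployment with btool.

```python
"""Added example: lint the wiring between a correlation search and the
threat_activity alert action. Not Splunk/ES code; sample stanzas are constructed."""
import configparser
import re

SEARCH = "Threat - Source And Destination Matches - Threat Gen"

# Constructed local/savedsearches.conf with the empty setting a GUI edit can leave behind.
BROKEN_LOCAL = """
[Threat - Source And Destination Matches - Threat Gen]
action.threat_activity = 1
action.threat_activity._name = threat_activity
cron_schedule = */30 * * * *
enableSched = 1
alert.suppress.fields =
"""

# Same stanza with the empty setting removed.
FIXED_LOCAL = BROKEN_LOCAL.replace("alert.suppress.fields =\n", "")

# Constructed alert_actions.conf stanza mirroring the command quoted in the thread.
ALERT_ACTIONS = """
[threat_activity]
command = | summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"
"""

# Matches $action.<action>.<param>$ with an optional {required=yes} qualifier.
TOKEN = re.compile(r"\$action\.(\w+)\.(\w+)(\{required=yes\})?\$")


def load_conf(text):
    """Parse Splunk-style .conf text; no interpolation so '$...$' tokens survive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return cp


def lint(savedsearches_text, alert_actions_text, search_name=SEARCH):
    """Return a list of findings; an empty list means the wiring looks sane."""
    findings = []
    ss = load_conf(savedsearches_text)
    aa = load_conf(alert_actions_text)
    if not ss.has_section(search_name):
        return [f"no stanza for {search_name!r} in savedsearches.conf"]
    stanza = ss[search_name]

    # 1. Empty values (e.g. 'alert.suppress.fields =') break the saved search.
    for key, val in stanza.items():
        if val.strip() == "":
            findings.append(f"empty setting '{key} =' in [{search_name}]")

    # 2. The alert action must be enabled with action.<name> = 1.
    enabled = [k[len("action."):] for k, v in stanza.items()
               if k.startswith("action.") and k.count(".") == 1 and v.strip() == "1"]
    if "threat_activity" not in enabled:
        findings.append("action.threat_activity is not set to 1")
        return findings

    # 3. The action stanza must exist and must write to an index.
    if not aa.has_section("threat_activity"):
        findings.append("[threat_activity] stanza missing from alert_actions.conf")
        return findings
    cmd = aa["threat_activity"].get("command", "")
    if not re.search(r"\|\s*(summaryindex|collect)\b", cmd):
        findings.append("threat_activity command does not call summaryindex/collect")

    # 4. Resolve $action.<name>.<param>{required=yes}$ tokens used by the command.
    #    Assumption: the param is set on the search as action.<name>.<param>,
    #    or as a bare <param> key in the action stanza.
    for action, param, required in TOKEN.findall(cmd):
        key = f"action.{action}.{param}"
        value = stanza.get(key)
        if not value and aa.has_section(action):
            value = aa[action].get(param)
        if required and not value:
            findings.append(f"required token {key} unresolved: index name unknown")
    return findings


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_LOCAL), ("fixed", FIXED_LOCAL)):
        print(label, lint(text, ALERT_ACTIONS) or "OK")
```

To run this against a real system, dump the merged settings and their source files with `splunk btool savedsearches list "Threat - Source And Destination Matches - Threat Gen" --debug` and `splunk btool alert_actions list threat_activity --debug`, and pass that text to lint(); the --debug column tells you which local file to clean up when a finding comes back.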
