Splunk Enterprise Security

Threat Intel lookup - Can we change how frequently ES reads new information?


Hi all,

We have few Custom CSV lookups that have been added to ES for Threat Intel. For the existing data, we can lookup the artifacts and confirm that those are present in ES but when adding new data to those lookups and reducing the "interval" option in Threat Intel Management, they still do not get added to ES.

Current setting for the data sources is 43200 seconds (12 hrs) but even after reducing it to few minutes the new entries never make it to ES. In Threat Intel Audit I do see the intel download time change but that doesn't seem to be making any difference.


Is there a way to manually force ES to re-read and add updated entries from the lookup?


~ Abhi

Labels (1)
Tags (3)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!