Hi, they have to be renamed at the config file level because there are two configuration files involved.
cd ~/Downloads/SplunkEnterpriseSecurityInstaller/default/src/etc/apps/SA-ThreatIntelligence/default/
grep "Rule\]" savedsearches.conf
[Threat - Threat List Activity - Rule]
[Threat - Watchlisted Events - Rule]
grep "Rule\]" correlationsearches.conf
[Threat - Threat List Activity - Rule]
[Threat - Watchlisted Events - Rule]
I hope this helps you!
The above poster's answer does not work on the latest Enterprise Security version.
You must visit the following file
Then modify two lines. I copied and pasted my config below with the parts that need to be modified in bold.
[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times
Restart your Splunk instance afterwards by running the following:
sudo YOUR_SPLUNK_DIRECTORY/bin/splunk restart
Upgrade correlation searches in Splunk Enterprise Security
Starting in Splunk Enterprise Security version 4.6.0, correlationsearches.conf is no longer used to define correlation searches. Instead, savedsearches.conf uniquely identifies correlation searches using the action.correlationsearch.enabled=1 parameter. The correlationsearches.conf file is deprecated.
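A small helper for the savedsearches.conf convention the answers above describe, added here as an example and not code from this thread or from Splunk: it lists the stanzas that ES 4.6+ treats as correlation searches and renames one while keeping the stanza header and its action.correlationsearch.label consistent, refusing to rename onto a stanza name that already exists. The conf text is constructed, parse_conf, correlation_searches, label_for and rename_rule are hypothetical helpers, and the "<domain> - <label> - Rule" naming pattern is inferred from the stanzas quoted above.

```python
import re
# Constructed sample modelled on the savedsearches.conf stanzas quoted in this thread.
SAVEDSEARCHES = """\
[Threat - User Failed to Login More Than 100 Times - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = User Failed to Login More Than 100 Times

[Threat - Watchlisted Events - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.label = Watchlisted Events
"""
STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
NAME_RE = re.compile(r"^[^-]+ - (?P<label>.+) - Rule$")  # "<domain> - <label> - Rule" convention

def parse_conf(text: str) -> dict:
    """Minimal Splunk .conf parser: [stanza] headers, key = value lines, # comments."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := STANZA_RE.match(line):
            current = m.group("name")
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def correlation_searches(text: str) -> list:
    """ES 4.6+: a saved search is a correlation search iff action.correlationsearch.enabled = 1."""
    return [n for n, kv in parse_conf(text).items() if kv.get("action.correlationsearch.enabled") == "1"]

def label_for(stanza: str) -> str:  # label from "<domain> - <label> - Rule", else the full name
    return m.group("label") if (m := NAME_RE.match(stanza)) else stanza

def rename_rule(text: str, old: str, new: str) -> str:
    """Rename [old] to [new] and rewrite its label; refuse to rename onto an existing stanza."""
    names = parse_conf(text)
    if old not in names or new in names:
        raise ValueError(f"cannot rename {old!r} to {new!r}: source missing or target exists")
    out, inside = [], False
    for raw in text.splitlines():
        if m := STANZA_RE.match(raw.strip()):
            inside = m.group("name") == old
            raw = f"[{new}]" if inside else raw
        elif inside and raw.split("=", 1)[0].strip() == "action.correlationsearch.label":
            raw = f"action.correlationsearch.label = {label_for(new)}"
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run the rewritten text through parse_conf before writing it back, and diff the result against the original file so a typo in the new name does not go unnoticed until the search fails to load.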