When we first got Splunk ES, one of my colleagues decided to try adding in IOCs from the Mandiant APT1 report. These were added to the path:
The problem is that these are constantly producing false positives from the ES “Threat Activity Detected” correlation search, matching on simple common file names like “setup.exe”.
I have removed the original .xml file, but the IOCs have obviously been ingested into the KV store. Is there any way that we can clear them out without affecting other IOCs that we want to keep?
I understand that there is a way to “age out” IOCs with expiry times. I think this is one of the lookup options, but I can’t for the life of me find that setting again or the documentation that led me to it.
Any advice appreciated.
... View more