cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
PT088
Engager
Member since: ‎09-09-2016
‎06-05-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎09-09-2016
View All

Re: How do I remove IOCs from a KV store?

by in Splunk Enterprise Security
‎08-31-2018 09:47 AM
‎08-31-2018 09:47 AM
This is excellent. Thanks for taking the time to explain this. ... View more

How do I remove IOCs from a KV store?

by in Splunk Enterprise Security
‎08-30-2018 06:16 AM
‎08-30-2018 06:16 AM
When we first got Splunk ES, one of my colleagues decided to try adding in IOCs from the Mandiant APT1 report. These were added to the path: /opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/default/data/threat_intel/Appendix_G_IOCs_No_OpenIOC.xml The problem is that these are constantly producing false positives from the ES “Threat Activity Detected” correlation search, matching on simple common file names like “setup.exe”. I have removed the original .xml file, but the IOCs have obviously been ingested into the KV store. Is there any way that we can clear them out without affecting other IOCs that we want to keep? I understand that there is a way to “age out” IOCs with expiry times. I think this is one of the lookup options, but I can’t for the life of me find that setting again or the documentation that led me to it. Any advice appreciated. ... View more

Re: How to retrieve a forgotten Splunk.com usernam...

by in Security
‎09-09-2016 02:46 AM
‎09-09-2016 02:46 AM
This still seems to be an issue in 2016. You have to phone support to get them to look it up in their database. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma given to
View All