Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why the threat_activity index is no longer populating with data?

niemesrw
Path Finder

The threat_activity index isn't populating anymore, and to be honest, I'm not sure how it's supposed to populate. There's a scheduled search in particular - Threat - Source And Destination Matches - Threat Gen that runs every 30 minutes and I believe it save its results into this index. However, it recently stopped. Does anyone know how this search is supposed to populate the threat_activity index? It doesn't have a summary index configured.

chethankumarcba
Engager

If you look at the configuration for "Threat - Source And Destination Matches - Threat Gen" in savedsearches.conf, you should be able to see this "action.threat_activity=1" which is a reference to “alert_actions.conf” in DA-ESS-ThreatIntelligence app which has [threat_activity] stanza. It is a reference to call that alert action

If you look at this stanza in alert_actions.conf, you can see that it is "summaryindex" ing to threat_activity index (highlighted)

Please note "summaryindex" is an alias to "collect" command.

The part where summaryindex command is present in "threat_activity" alert action is given below.

| summaryindex spool=t uselb=t addtime=t index="$action.threat_activity._name{required=yes}$"

0 Karma

stefan1988
Path Finder

A modification to a Gen search in GUI could cause a empty stanza in DA-ESS-ThreatIntelligence/local/savedsearch.conf such as alert.suppress.fields =

Check your savedsearches.conf in local and remove the wrong options.

0 Karma

cphair
Builder

Not an expert on this app, but I think the summarizing part is defined in alert_actions.conf. The stanza in savedsearches.conf should have a setting like action.<name> = 1 and the corresponding summarization is handled in the alert_actions file. This lets multiple searches reuse the same alert throttling logic.

Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...