Current ThreatQ Version Filter

Known Limitations

  • Score and Status Changes - reducing the set of indicators sent to Splunk comes at the expense of being unable to detect changes to indicator scores and/or statuses: an indicator that no longer matches the filter simply stops being exported, so the change itself is never visible in Splunk. ThreatQuotient recommends that users use the "Whitelisted" status in ThreatQ to mark indicators as false positives rather than reducing the indicator score or using custom statuses.
  • Advanced Filters - if you want to use advanced filters (such as adversaries, attributes or sources) to export only a subset of indicators from ThreatQuotient to Splunk, there are two ways to do it:
    1. Duplicate the default export and configure advanced filters on it. In the Splunk Add-On App, configure the scoring filter so that all indicators are accepted (i.e. a value of 0).
    2. Configure a scoring policy that influences indicator scores only for certain adversaries, sources or attributes. In the Splunk Add-On App, configure the scoring filter to accept only certain scores (for example, a value >= 8).
  • Exporting a Large Number of Indicators - it is not recommended that you export an exceptionally large number of indicators from ThreatQ to Splunk. ThreatQuotient recommends that users export no more than 500K indicators at any one time. If this limit is not observed, you may encounter problems loading the data into Splunk and, even if the data loads correctly, with the performance of your Splunk deployment itself.

    If there is a need to re-import the data from ThreatQ, revert the pagination setting for the input to True. This will ensure that the data is imported in batches of 10,000 records at a time.

    The default export shipped with the ThreatQ appliance does not apply any filters to the indicators to restrict the set of data being exported. However, you may make a copy of this export and specify additional filters under Special Parameters. In the example shown in the picture below, a user has configured a filter with score > 5.
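The following is an added example, not code from ThreatQuotient or the Splunk Add-On, that models the score-filter limitation described above: a client-side filter with the two thresholds from the Advanced Filters section (0 and 8) is applied to two constructed exports of the same indicators, and the difference between them is computed. Field names (`value`, `type`, `score`, `status`) and the sample indicator records are assumptions for illustration.

```python
# Added example (not ThreatQ/Splunk add-on code). Field names and records
# below are constructed to illustrate the score-filter limitation.

MIN_SCORE_ACCEPT_ALL = 0   # approach 1: filtering is done by the ThreatQ export
MIN_SCORE_HIGH_ONLY = 8    # approach 2: scoring policy plus an add-on threshold


def filter_indicators(indicators, min_score):
    """Client-side equivalent of the add-on scoring filter: keep indicators
    whose score is >= min_score. A threshold of 0 accepts everything."""
    return [i for i in indicators if i["score"] >= min_score]


def detect_changes(previous, current):
    """Compare two filtered exports keyed by indicator value.
    Returns (score_changes, status_changes, dropped). An indicator that fell
    below the threshold appears only in 'dropped', never as a score change,
    which is exactly the detection gap the documentation warns about."""
    prev = {i["value"]: i for i in previous}
    cur = {i["value"]: i for i in current}
    common = prev.keys() & cur.keys()
    score_changes = {v: (prev[v]["score"], cur[v]["score"])
                     for v in common if prev[v]["score"] != cur[v]["score"]}
    status_changes = {v: (prev[v]["status"], cur[v]["status"])
                      for v in common if prev[v]["status"] != cur[v]["status"]}
    dropped = sorted(prev.keys() - cur.keys())
    return score_changes, status_changes, dropped


# Constructed sample: the same three indicators exported on two days.
DAY1 = [
    {"value": "198.51.100.7", "type": "IP Address", "score": 9, "status": "Active"},
    {"value": "evil.example", "type": "FQDN", "score": 8, "status": "Active"},
    {"value": "203.0.113.9", "type": "IP Address", "score": 3, "status": "Active"},
]
DAY2 = [
    # Score lowered: with a threshold of 8 this indicator silently disappears.
    {"value": "198.51.100.7", "type": "IP Address", "score": 4, "status": "Active"},
    # Marked as a false positive via status: still exported, change is visible.
    {"value": "evil.example", "type": "FQDN", "score": 8, "status": "Whitelisted"},
    {"value": "203.0.113.9", "type": "IP Address", "score": 3, "status": "Active"},
]

if __name__ == "__main__":
    for threshold in (MIN_SCORE_HIGH_ONLY, MIN_SCORE_ACCEPT_ALL):
        result = detect_changes(filter_indicators(DAY1, threshold),
                                filter_indicators(DAY2, threshold))
        print(f"threshold {threshold}: scores={result[0]} "
              f"statuses={result[1]} dropped={result[2]}")
```

With the threshold at 8 the lowered score is reported only as a dropped indicator, while the Whitelisted status change remains visible; with the threshold at 0 both changes are detected.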