External threat feed data expiration?

nafooesi
Level 1

Hi all,

 

I've searched the doc and the forum but did not see a clear answer on this.

What is the retention policy for the data from the external feed? Or is there one by age or size?

 

The feed configuration settings "Age of Threat Feeds" and "Time Span of Poll Segment" define the date range of data to retrieve, not how long the data will be active on the system.

 

Also, will ESA de-dup the data it receives? For example: if IP 132.23.14.1 was received in multiple polls, will it result in just one lookup record in ESA?

 

Thanks in advance!

2 Replies

nafooesi
Level 1

Anyone?  Am I asking a bad question?  Please enlighten!

marc.luescherFRE
Spotlight

I can give you a partial answer. Every threat feed is considered its own individual data feed. This means that, should you have 3 feeds and all get the same bad URL, your ESA will have the data 3 times.

 

While you can argue this is not good, I think it comes from the idea that your feed providers might be different and you have set different update and retention policies.

 

For your first question I can only speculate. I would assume that it is an all-or-nothing collection, meaning that when you request another update the old data will be overwritten. That is at least how most other STIX TAXII servers work, and I would assume they copied that behaviour.

 

 

-Marc