05-18-2020 03:53 PM
Hi all,
I've searched the doc and the forum but did not see a clear answer on this.
What is the retention policy of the data from the external feed? Or is there one by age or size?
The feed configuration "Age of Threat Feeds" and "Time Span of Poll Segment" define the date range of data to retrieve. Not how long the data will be active on the system.
Also, will ESA de-dup the data it receives? For example: if IP 132.23.14.1 was received in multiple polls, will it result in just one lookup record in ESA?
Thanks in advance!
06-02-2020 09:51 PM
Anyone? Am I asking a bad question? Please enlighten!
06-03-2020 03:54 AM
I can give you a partial answer. Every threat feed is considered its own individual data feed. This means should you have 3 feeds and all get the same bad URL, your ESA will have the data 3 times.
While you can argue this is not good, I think it comes from the idea that your feed providers might be different and you have set different update and retention policies.
For your first question I can only speculate. I would assume that it is an all-or-nothing collection, meaning that when you request another update the old data will be overwritten. That is at least how most other STIX/TAXII servers work, and I would assume they copied that behaviour.
-Marc
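To make the two behaviours discussed in this thread concrete, here is an added illustration (not ESA code, and not a description of how ESA actually stores feed data): a small client-side model that ingests several feed polls, once as ESA is said to do it (one record per feed per poll, so the same indicator lands several times) and once consolidated into a single record per indicator that keeps track of which feeds reported it and when, with an age-based expiry applied afterwards. The poll data, feed names and the IP 132.23.14.1 reused from the question are constructed sample input; the 14-day retention window is an assumed value chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample input: three hypothetical polls from two feeds.
# Not real feed output; 132.23.14.1 is the IP used in the question above.
POLLS = [
    {"feed": "feed-a", "polled_at": "2020-05-01T00:00:00",
     "indicators": ["132.23.14.1", "bad.example"]},
    {"feed": "feed-b", "polled_at": "2020-05-10T00:00:00",
     "indicators": ["132.23.14.1"]},
    {"feed": "feed-a", "polled_at": "2020-05-20T00:00:00",
     "indicators": ["132.23.14.1", "other.example"]},
]


@dataclass
class Indicator:
    """One consolidated lookup record with source attribution."""
    value: str
    sources: set
    first_seen: datetime
    last_seen: datetime


def per_feed_records(polls):
    """Model of the per-feed storage the reply describes: every poll of every
    feed contributes its own copy, so duplicates across feeds/polls remain."""
    return [(p["feed"], p["polled_at"], v) for p in polls for v in p["indicators"]]


def merge_polls(polls):
    """Consolidate polls into one record per indicator value, recording every
    feed that reported it and the earliest/latest time it was seen."""
    table = {}
    for poll in polls:
        ts = datetime.fromisoformat(poll["polled_at"])
        for value in poll["indicators"]:
            rec = table.get(value)
            if rec is None:
                table[value] = Indicator(value, {poll["feed"]}, ts, ts)
            else:
                rec.sources.add(poll["feed"])
                rec.first_seen = min(rec.first_seen, ts)
                rec.last_seen = max(rec.last_seen, ts)
    return table


def expire(table, now, max_age):
    """Age-based retention: drop indicators not reported within max_age.
    The 14-day window used below is an assumed value for the example."""
    return {v: r for v, r in table.items() if now - r.last_seen <= max_age}


if __name__ == "__main__":
    raw = per_feed_records(POLLS)
    merged = merge_polls(POLLS)
    kept = expire(merged, datetime(2020, 5, 25), timedelta(days=14))
    print(f"per-feed records: {len(raw)}, consolidated: {len(merged)}, after expiry: {len(kept)}")
    for rec in kept.values():
        print(rec.value, sorted(rec.sources), rec.first_seen.date(), rec.last_seen.date())
```

The consolidated table keeps the attribution that per-feed storage gives you for free (which feed said what, and when), so the usual argument for holding duplicates does not require storing each copy; expiry is then a single rule applied to the `last_seen` timestamp rather than something each feed has to manage on its own.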