All Apps and Add-ons

Why is there an error stating "Splunk threat intelligence download has failed"?

vinkumar_splunk
Splunk Employee
Splunk Employee

We have noticed a message saying that the Splunk threat intelligence download has failed. Got the below error. Can someone advise on this?

A threat intelligence download has failed. stanza="maxmin_geoip_asn_ipv4" host="xxxx" status="threat list download failed after multiple retries"

1 Solution

mbadhusha_splun
Splunk Employee
Splunk Employee

The base URL for "maxmind_geoip_asn_ipv4" threat list is https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip

However, this now throws a 404 error when accessed. It looks like MaxMind \ GeoLite has changed their download URL.

From here: https://download.maxmind.com/download/geoip/database/asnum/

To: https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip

Note that that new *.zip contains both: GeoLite2-ASN-Blocks-IPv4.csv and GeoLite2-ASN-Blocks-IPv6.csv.

This has been notified to Splunk engineering team via SOLNESS-17731. Currently, this framework does not support the ES and an ER was requested but closed as won’t fix. If you would like to use other subscription-based services you are welcome to do so.

In general, the third-party Intelligence Downloads are out of our control, which is why I guess the troubleshooting guide is so trite or to the point:

  1. Attempt to visit the URL or curl the threat source manually.
  2. Disable the intelligence source if it is no longer available to download.
  3. Configure or stage your internal download locations for the MaxMind GeoIP data (e.g. GitHub)

Cheers!

View solution in original post

mbadhusha_splun
Splunk Employee
Splunk Employee

The base URL for "maxmind_geoip_asn_ipv4" threat list is https://download.maxmind.com/download/geoip/database/asnum/GeoIPASNum2.zip

However, this now throws a 404 error when accessed. It looks like MaxMind \ GeoLite has changed their download URL.

From here: https://download.maxmind.com/download/geoip/database/asnum/

To: https://geolite.maxmind.com/download/geoip/database/GeoLite2-ASN-CSV.zip

Note that that new *.zip contains both: GeoLite2-ASN-Blocks-IPv4.csv and GeoLite2-ASN-Blocks-IPv6.csv.

This has been notified to Splunk engineering team via SOLNESS-17731. Currently, this framework does not support the ES and an ER was requested but closed as won’t fix. If you would like to use other subscription-based services you are welcome to do so.

In general, the third-party Intelligence Downloads are out of our control, which is why I guess the troubleshooting guide is so trite or to the point:

  1. Attempt to visit the URL or curl the threat source manually.
  2. Disable the intelligence source if it is no longer available to download.
  3. Configure or stage your internal download locations for the MaxMind GeoIP data (e.g. GitHub)

Cheers!

Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...