I upgraded the ES app from 4.5 to 4.7. I work on a closed system so I do not make use of the Threat Intel downloads. Now despite having disabled each and every threat intel download source, I am still getting "failed to download threat intel" messages for each and every external source. I went through the inputs.conf file and confirmed that the "disabled" field is set to 1.
What could be causing this to still happen? I wound up making a backup copy of the inputs.conf file in the defaults directory and editing out the threat intel stanzas in the original file. This seems to have worked for now, at least until the next upgrade.
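The question above checks the "disabled" field in the app's default inputs.conf. Splunk resolves each key across the default and local layers (local wins), so a stanza can read disabled = 1 in one file and still be enabled overall. The following is an added illustration, not Splunk or ES code: it parses two constructed conf fragments, merges them with local precedence, and reports which threatlist stanzas are effectively still enabled. The stanza names and URLs are constructed for the demo.

```python
"""Effective state of threat-intel inputs across Splunk's default/local layers.

Added illustration, not Splunk or ES code. Splunk merges
etc/apps/<app>/default/inputs.conf with etc/apps/<app>/local/inputs.conf,
with local winning per key. The stanza names below are constructed.
"""
import configparser

# Constructed stand-in for the default/inputs.conf shipped with the app.
DEFAULT_CONF = """
[threatlist://example_feed_a]
disabled = 1
url = https://example.invalid/feed_a

[threatlist://example_feed_b]
disabled = 1
url = https://example.invalid/feed_b
"""

# Constructed stand-in for a local/inputs.conf left behind by an earlier change.
LOCAL_CONF = """
[threatlist://example_feed_b]
disabled = 0
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def merge_layers(*layers):
    """Merge conf layers given lowest precedence first; later keys win."""
    merged = {}
    for layer in layers:
        for stanza, keys in layer.items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def enabled_threatlists(default_text, local_text):
    """Return threatlist stanzas whose effective 'disabled' value is not 1/true."""
    effective = merge_layers(parse_conf(default_text), parse_conf(local_text))
    return sorted(
        stanza for stanza, keys in effective.items()
        if stanza.startswith("threatlist://")
        and keys.get("disabled", "0").strip().lower() not in ("1", "true")
    )


if __name__ == "__main__":
    # feed_b is disabled in default but re-enabled by local, so it is reported.
    print(enabled_threatlists(DEFAULT_CONF, LOCAL_CONF))
```

Pointing the two text constants at the real default and local files of the relevant app gives the effective state without hand-editing anything under default/, which an upgrade overwrites.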
I contacted support and this was their response, which worked for me:
In DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py, change the first line below to the second:
job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)
job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)
The workaround for SOLNESS-12077 is:
Edit splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below:
--- confcheck_failed_threat_download.old.py
+++ confcheck_failed_threat_download.py
@@ -33,7 +33,7 @@
messages = []
- job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)
+ job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)
while elapsed < srch_timeout:
if job.isDone:
if job.resultCount > 0 or job.eventCount > 0:
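Review bot: the renamed keyword on the dispatch line, `earliest_time=earliest`, is what actually bounds the dispatched search; with the previous `earliest=earliest` the intended time window was not applied, which is consistent with the symptom reported in this thread (every past failure keeps being reported regardless of later successful downloads). Since the wrong keyword name went unnoticed through a release, a short comment on that line naming the expected keyword would help, and the hunk shows no corresponding `latest_time` bound, so if the check is meant to cover only the most recent download interval that should be confirmed in the surrounding code.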
Fixed version: 4.7.2
There's a chance you're running into SOLNESS-12077. The search that reports on threat source download failures will always show any past failures logged, and will not reflect more recent threat downloads that were successful. That issue was fixed in ES 4.7.2.
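The effect described in this answer, a failure search with no earliest bound matching every failure ever logged, can be modelled directly. The following is an added illustration, not code from ES or Splunk: it runs a window-less and a windowed failure check over a constructed set of download-status events, and adds a stricter variant (not on the page) that only reports a source whose latest event in the window is a failure. The event field names, the feed names, and the 3-hour window are assumptions.

```python
"""Why a missing earliest bound makes the 'failed threat download' check stale.

Added illustration, not code from ES or Splunk. The events are constructed
stand-ins for download-status log lines; field names and the 3-hour window
are assumptions.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2017, 8, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed download log: feed_a failed days ago and has succeeded since;
# feed_b failed within the last hour.
EVENTS = [
    {"time": NOW - timedelta(days=5), "source": "feed_a", "status": "failure"},
    {"time": NOW - timedelta(hours=4), "source": "feed_a", "status": "success"},
    {"time": NOW - timedelta(hours=1), "source": "feed_a", "status": "success"},
    {"time": NOW - timedelta(hours=1), "source": "feed_b", "status": "failure"},
]


def failures_in_window(events, earliest=None):
    """Sources with a failure event at or after `earliest` (None = all time).

    With earliest=None this reproduces the behaviour described for
    SOLNESS-12077: every failure ever logged keeps matching.
    """
    return sorted({
        e["source"] for e in events
        if e["status"] == "failure" and (earliest is None or e["time"] >= earliest)
    })


def currently_failing(events, earliest):
    """Stricter variant: a source is failing only if its latest event in the
    window is a failure, so a later success clears an earlier failure."""
    latest = {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["time"] >= earliest:
            latest[e["source"]] = e["status"]
    return sorted(s for s, status in latest.items() if status == "failure")


if __name__ == "__main__":
    window_start = NOW - timedelta(hours=3)
    print(failures_in_window(EVENTS))                 # stale: includes feed_a
    print(failures_in_window(EVENTS, window_start))   # only feed_b
    print(currently_failing(EVENTS, window_start))    # only feed_b
```

The unbounded call is the pre-4.7.2 behaviour; the bounded call corresponds to the search receiving its earliest time. The stricter variant is useful when a feed fails intermittently inside the window, since a single transient failure followed by a success would otherwise still raise the message.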
Is there any remediation besides upgrading to 4.7.2? I'm running ES 4.7.1 and cannot upgrade at this time, but I need to stop the "failed threatlist downloads" messages that appear every 3 hours.
Yes. File a support case, and ask for the workaround listed in SOLNESS-12077.
I take back my comment about the workaround. Even editing out the threat intel stanzas in the SA-Intelligence inputs.conf file did not work. Is there perhaps another inputs.conf file I could edit?
I am seeing this issue in both 4.7.0 and 4.7.1 as well. It almost seems like it isn't paying attention to the configuration and just doing what is configured by default out of the box.