Splunk Enterprise Security

Enterprise Security 4.7 - Threat Intel Downloads Won't Stop Despite Disabling

thomas_porter
Explorer

I upgraded the ES app from 4.5 to 4.7. I work on a closed system so I do not make use of the Threat Intel downloads. Now despite having disabled each and every threat intel download source, I am still getting "failed to download threat intel" messages for each and every external source. I went through the inputs.conf file and confirmed that the "disabled" field is set to 1.

What could be causing this to still happen? I wound up making a backup copy of the inputs.conf file in the defaults directory and editing out the threat intel stanzas in the original file. This seems to have worked for now, at least until the next upgrade.
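The question above is really about which inputs.conf layer wins. The following is an added example, not Splunk's own code and not from the original post: it merges a constructed default/inputs.conf with a constructed local/inputs.conf under Splunk's layering rule (a key set in local/ overrides the same key in default/; anything not set in local/ falls through) and reports which threatlist:// stanzas are still effectively enabled. The stanza names, URLs and both config bodies are stand-ins invented for the example.

```python
# Added example, not Splunk's own code: resolve the effective "disabled"
# state of threatlist:// inputs across Splunk's default/ and local/
# inputs.conf layers.  Both config bodies and the stanza names below are
# constructed stand-ins; the real app's stanzas will differ.
import configparser
from typing import Dict, List

Layer = Dict[str, Dict[str, str]]

# Stand-in for etc/apps/<app>/default/inputs.conf (shipped with the app and
# replaced on upgrade, which is why edits there do not survive).
DEFAULT_INPUTS = """
[threatlist://example_blocklist]
disabled = 0
interval = 0 */3 * * *
url = https://example.invalid/blocklist.txt

[threatlist://example_malware_domains]
disabled = 0
url = https://example.invalid/domains.txt
"""

# Stand-in for etc/apps/<app>/local/inputs.conf (the admin's overrides,
# which are kept across upgrades).  Only one source is switched off here.
LOCAL_INPUTS = """
[threatlist://example_blocklist]
disabled = 1
"""


def load_layer(text: str) -> Layer:
    """Parse one inputs.conf layer into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; Splunk keys are case-sensitive
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def merge_layers(default: Layer, local: Layer) -> Layer:
    """Apply Splunk's layering rule: a key set in local/ overrides the same
    key in default/; keys absent from local/ fall through to default/."""
    merged: Layer = {stanza: dict(kv) for stanza, kv in default.items()}
    for stanza, kv in local.items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def is_disabled(stanza_kv: Dict[str, str]) -> bool:
    """Splunk treats 0/false, or no 'disabled' key at all, as enabled."""
    return stanza_kv.get("disabled", "0").strip().lower() in ("1", "true")


def enabled_threatlists(default_text: str = DEFAULT_INPUTS,
                        local_text: str = LOCAL_INPUTS) -> List[str]:
    """Return the threatlist:// stanzas still effectively enabled after
    layering, i.e. the ones that will keep attempting downloads."""
    merged = merge_layers(load_layer(default_text), load_layer(local_text))
    return sorted(stanza for stanza, kv in merged.items()
                  if stanza.startswith("threatlist://") and not is_disabled(kv))


if __name__ == "__main__":
    for stanza in enabled_threatlists():
        print(f"still enabled: {stanza}")
```

With the constructed files above, example_blocklist is off and example_malware_domains is still on, because local/ never mentions it. On a live instance the same question is answered by `splunk btool inputs list --debug`, which prints the file each winning key came from.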

ericlarsen
Path Finder

I contacted support and this was their response, which worked for me:

In DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py, if you could change the first line below to the second:

job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)

job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

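The one-word change above matters because of what happens when the time bound is not applied. The following is an added example, not Splunk's code and not from any post in this thread: a toy model of the health check, with constructed download-status log lines (the field names and stanza names are assumptions), in which a stand-in for the search dispatch honours only the keyword it knows and silently ignores anything else, which is the behaviour the thread reports (stale failures, not an error). It also shows a window-independent variant of the check that only flags a source whose latest failure is newer than its latest success.

```python
# Added example, not Splunk's code: a toy model of the health check in the
# thread, showing why a silently dropped time bound (the misspelt keyword)
# makes every failure ever logged count as current, plus a variant of the
# check that does not depend on the window at all.  The log lines and their
# field names are constructed for this example.
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

Event = Tuple[datetime, str, str]  # (timestamp, status, stanza)

NOW = datetime(2017, 9, 1, 12, 0, tzinfo=timezone.utc)  # fixed so the run is reproducible
NEVER = datetime.min.replace(tzinfo=timezone.utc)

# Constructed download-status lines.  example_blocklist failed once months
# ago and has succeeded since; example_broken_feed is failing right now.
LOG_LINES = [
    "2017-05-10T06:00:00Z status=failure stanza=threatlist://example_blocklist",
    "2017-05-10T09:00:00Z status=success stanza=threatlist://example_blocklist",
    "2017-09-01T09:00:00Z status=success stanza=threatlist://example_blocklist",
    "2017-09-01T09:00:00Z status=failure stanza=threatlist://example_broken_feed",
]


def parse_line(line: str) -> Event:
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, fields["status"], fields["stanza"]


def dispatch_like(lines: List[str], *, earliest_time: Optional[timedelta] = None,
                  **unrecognised) -> List[Event]:
    """Stand-in for a search dispatch that only honours the keyword it knows.
    `earliest_time` bounds the window; any other keyword (such as a misspelt
    `earliest=`) is accepted and ignored, so the search runs over all time.
    This models the observed behaviour in the thread, not the real API."""
    events = [parse_line(line) for line in lines]
    if earliest_time is not None:
        cutoff = NOW - earliest_time
        events = [e for e in events if e[0] >= cutoff]
    return events


def any_failure_in_window(events: List[Event]) -> Set[str]:
    """What the check effectively does: flag every stanza with at least one
    failure among the events the search returned."""
    return {stanza for _, status, stanza in events if status == "failure"}


def failing_now(events: List[Event]) -> Set[str]:
    """Window-independent variant: flag a stanza only if its most recent
    failure is newer than its most recent success."""
    last: Dict[str, Dict[str, datetime]] = {}
    for when, status, stanza in events:
        bucket = last.setdefault(stanza, {})
        if when >= bucket.get(status, NEVER):
            bucket[status] = when
    return {stanza for stanza, b in last.items()
            if b.get("failure", NEVER) > b.get("success", NEVER)}


if __name__ == "__main__":
    print("misspelt keyword  :", sorted(any_failure_in_window(dispatch_like(LOG_LINES, earliest="-3h"))))
    print("correct keyword   :", sorted(any_failure_in_window(dispatch_like(LOG_LINES, earliest_time=timedelta(hours=3)))))
    print("window-independent:", sorted(failing_now(dispatch_like(LOG_LINES, earliest="-3h"))))
```

With the misspelt keyword the search is unbounded and the May failure of example_blocklist is reported alongside the real one; with `earliest_time` only example_broken_feed is flagged. The `failing_now` variant gives the right answer either way, which is the property a health check should have when the time bound can be lost without an error.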

dkolekar_splunk
Splunk Employee

The workaround of SOLNESS-12077 is

Edit splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below
--- confcheck_failed_threat_download.old.py
+++ confcheck_failed_threat_download.py
@@ -33,7 +33,7 @@

     messages = []

-    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)
+    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)
     while elapsed < srch_timeout:
         if job.isDone:
             if job.resultCount > 0 or job.eventCount > 0:
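Review bot: the change at the `job = splunk.search.dispatch(...)` line corrects the keyword, but nothing in the hunk would catch the same slip again: the old `earliest=` was accepted without error and the search simply ran over all time (the thread reports stale failures, not a crash). Suggest also pinning the window inside `search_string` itself, or checking the dispatched job's earliest time before the `while elapsed < srch_timeout:` loop, so a dropped keyword fails loudly instead of silently widening the search. A one-line comment on why `earliest_time` (not `earliest`) is the accepted name would help the next reader too.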

Fixed version: 4.7.2

ekost
Splunk Employee

There's a chance you're running into SOLNESS-12077. The search that reports on threat source download failures will always show any past failures logged, and will not reflect more recent threat downloads that were successful. That issue was fixed in ES 4.7.2.

ericlarsen
Path Finder

Is there any remediation besides upgrading to 4.7.2? I'm running ES 4.7.1 and cannot upgrade at this time, but I need to stop the "failed threatlist downloads" messages that appear every 3 hours.


ekost
Splunk Employee

Yes. File a support case, and ask for the workaround listed in SOLNESS-12077.

thomas_porter
Explorer

I take back my comment about the workaround. Even editing out the threat intel stanzas in the SA-Intelligence inputs.conf file did not work. Is there perhaps another inputs.conf file I could edit?


delink
Communicator

I am seeing this issue in both 4.7.0 and 4.7.1 as well. It almost seems like it isn't paying attention to the configuration and just doing what is configured by default out of the box.
