I am having a problem with Enterprise Security. All of the threat intelligences are not able to download, as I am getting the following errors: Search peer SEARCH_HEAD_HOSTNAME has the following message: msg="A threat intelligence download has failed" stanza="iblocklist_web_attacker" status="threat list download failed after multiple retries".
I found that in /SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/input.conf there is a stanza for each threat intelligence:
disabled = 0
delim_regex = :
description = Addresses that are commonly associated with known traffic-proxy sites
fields = ip:$2,description:$1
type = threatlist
url = http://list.iblocklist.com/?list=bt_proxy
The url field in each stanza shows the exact URL that Splunk will try to access to download the threat intelligence. However, what script or piece of code in Splunk or the Enterprise Security app attempts to access the URLs? I want to run that script manually to see what kind of errors I'm receiving.
Information about the threat intelligence framework and sources
Splunk Enterprise Security includes a threat intelligence framework and threat intelligence sources that attempt to perform these downloads. A modular input performs the download requests (that's what you found in the input.conf file).
Troubleshooting your specific problem
If the threat sources are failing to download, there are several potential root causes:
Is your instance connected to the internet? Are there firewall or proxy rules in place that might prevent the modular input from making these calls to the internet?
Are you using a version of Splunk Enterprise Security with a known bug that produces these messages in error (says that the downloads are failing when they are not)? Versions 4.7.0 and 4.7.1 have this bug.
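Added example, not code from the question, the answer, or the Enterprise Security app: a small Python script that reads threatlist stanzas from an inputs.conf-style file and tries each url the way a connectivity check would, so the raw transport error (DNS failure, connection refused, proxy or firewall reset, HTTP 403) is visible instead of the generic "download failed after multiple retries" message. The stanza names and the second, disabled stanza in the embedded sample are constructed for illustration; the real stanza headers are not shown on this page. The script honours http_proxy/https_proxy from the environment, which is one thing to compare against whatever proxy settings Splunk itself uses; a success here proves only that the host can reach the URL, not that the modular input is configured the same way. The opener is injectable so the check can be exercised without network access.

```python
"""Reproduce Enterprise Security threat-list download attempts outside Splunk
to see the underlying network error. Added troubleshooting example, not the
ES modular input itself."""
import configparser
import socket
import urllib.error
import urllib.request

# Constructed sample modelled on the stanza quoted in the question. The stanza
# header names are assumptions: the page does not show the real ones.
SAMPLE_INPUTS_CONF = """
[threatlist://example_proxy_list]
disabled = 0
delim_regex = :
description = Addresses that are commonly associated with known traffic-proxy sites
fields = ip:$2,description:$1
type = threatlist
url = http://list.iblocklist.com/?list=bt_proxy

[threatlist://example_disabled_list]
disabled = 1
type = threatlist
url = http://example.invalid/disabled-list
"""


def parse_threatlist_stanzas(conf_text):
    """Return {stanza_name: {key: value}} for every enabled threatlist stanza
    that carries a url. Splunk .conf files are INI-like; '=' is the only
    delimiter used so values such as 'delim_regex = :' survive intact."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_string(conf_text)
    stanzas = {}
    for name in parser.sections():
        section = dict(parser[name])
        if section.get("type") != "threatlist":
            continue
        if section.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        if "url" in section:
            stanzas[name] = section
    return stanzas


def classify_failure(exc):
    """Map an exception from urlopen() to a short cause that points at the
    next thing to check (DNS, firewall, proxy, remote site)."""
    if isinstance(exc, urllib.error.HTTPError):
        return "http_error", f"HTTP {exc.code} {exc.reason}"
    if isinstance(exc, urllib.error.URLError):
        reason = exc.reason
        if isinstance(reason, socket.gaierror):
            return "dns_error", str(reason)
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return "timeout", str(reason)
        if isinstance(reason, ConnectionRefusedError):
            return "connect_refused", str(reason)
        return "url_error", str(reason)
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout", str(exc)
    return "other", f"{type(exc).__name__}: {exc}"


def check_url(url, timeout=15, opener=None):
    """Attempt a single download and report the outcome as a dict.
    `opener` is injectable so the logic can be tested offline."""
    if opener is None:
        # ProxyHandler() with no mapping reads http_proxy/https_proxy/no_proxy
        # from the environment, the same variables a shell test would use.
        opener = urllib.request.build_opener(urllib.request.ProxyHandler())
    request = urllib.request.Request(
        url, headers={"User-Agent": "threatlist-connectivity-check"})
    try:
        with opener.open(request, timeout=timeout) as response:
            body = response.read()
            return {"url": url, "status": "ok",
                    "detail": f"HTTP {response.status}, {len(body)} bytes"}
    except Exception as exc:  # report every failure type, do not abort the run
        status, detail = classify_failure(exc)
        return {"url": url, "status": status, "detail": detail}


def run_checks(conf_text=SAMPLE_INPUTS_CONF, opener=None):
    """Check every enabled threatlist url in the given conf text."""
    results = []
    for name, stanza in parse_threatlist_stanzas(conf_text).items():
        result = check_url(stanza["url"], opener=opener)
        result["stanza"] = name
        results.append(result)
    return results


if __name__ == "__main__":
    print("Proxies seen by urllib:", urllib.request.getproxies() or "none")
    for r in run_checks():
        print(f'{r["stanza"]}: {r["status"]} - {r["detail"]} ({r["url"]})')
```

To test the real configuration, read the actual file instead of the embedded sample (for example `run_checks(open("/opt/splunk/etc/apps/SA-ThreatIntelligence/default/inputs.conf").read())`, path assumed) and run it as the same OS user Splunk runs as, so that user-specific proxy environment and firewall rules apply. A `dns_error` points at resolver or egress DNS restrictions, `connect_refused` or `timeout` at a firewall or missing proxy, and `http_error` at the proxy or the remote site itself.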
Thank you very much for the information and feedback. I'm working through troubleshooting this some more using the info you provided. The version of ES I'm running is the latest version, 4.7.2. I think the first bullet you suggested is correct; there has to be something blocking the Splunk server from reaching out to the threat intelligences, and my next step is to just figure out what exactly that is. I will update this post with an answer when I figure it out, or some more questions if I get stuck again. Thanks!