Splunk Enterprise Security

Help with troubleshooting errors in Splunk Enterprise Security: what script is ran to show this error message?

Path Finder

Hello Splunk community,

I am having a problem with Enterprise Security. All of the threat intelligences are not able to download, as I am getting the following errors: Search peer SEARCH_HEAD_HOSTNAME has the following message: msg="A threat intelligence download has failed" stanza="iblocklist_web_attacker" status="threat list download failed after multiple retries".

I found that in /SPLUNK_HOME/etc/apps/SA=ThreatIntelligence/default/input.conf there is a stanza for each threat intelligence:
disabled = 0
delim_regex = :
description = Addresses that are commonly associated with known traffic-proxy sites
fields = ip:$2,description:$1
type = threatlist
url = http://list.iblocklist.com/?list=bt_proxy

The url field in each stanza shows the exact URL that Splunk will try to access to download the threat intelligence. However, what script or piece of code in Splunk or the Enterprise Security app attempts to access the URLs? I want to run that script manually to see what kind of errors I'm receiving.

0 Karma

Splunk Employee
Splunk Employee

Information about the threat intelligence framework and sources
Splunk Enterprise Security includes a threat intelligence framework and threat intelligence sources that attempt to perform these downloads. A modular input performs the download requests (that's what you found in the input.conf file)

Troubleshooting your specific problem
If the threat sources are failing to download, there are several potential root causes:

  • Is your instance connected to the internet? Are there firewall or proxy rules in place that might prevent the modular input from making these calls to the internet?
  • Are you using a version of Splunk Enterprise Security with a known bug that produces these messages in error (says that the downloads are failing when they are not)? Versions 4.7.0 and 4.7.1 have this bug.

Review the log files related to see the exact error messages, and other verification steps, see: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Verifythreatintel

Path Finder

Thank you very much for the information and feedback. I'm working through troubleshooting this some more using the info you provided. The version of ES I'm running is the latest version, 4.7.2. I think the first bullet you suggested is correct, there has to be something blocking the splunk server from reaching out to the threat intelligences, my next step is to just figure out what exactly that is. I will update this post with an answer when I figure it out, or some more questions if I get stuck again. Thanks!

0 Karma

Splunk Employee
Splunk Employee

Thanks for the update! I hope it's easy to fix after you find out what's causing the problem. Good luck!

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!