Splunk Enterprise Security

Help with troubleshooting errors in Splunk Enterprise Security: what script is ran to show this error message?

R_B
Path Finder

Hello Splunk community,

I am having a problem with Enterprise Security. All of the threat intelligences are not able to download, as I am getting the following errors: Search peer SEARCH_HEAD_HOSTNAME has the following message: msg="A threat intelligence download has failed" stanza="iblocklist_web_attacker" status="threat list download failed after multiple retries".

I found that in /SPLUNK_HOME/etc/apps/SA=ThreatIntelligence/default/input.conf there is a stanza for each threat intelligence:
[threatlist://iblocklist_proxy]
disabled = 0
delim_regex = :
description = Addresses that are commonly associated with known traffic-proxy sites
fields = ip:$2,description:$1
type = threatlist
url = http://list.iblocklist.com/?list=bt_proxy

The url field in each stanza shows the exact URL that Splunk will try to access to download the threat intelligence. However, what script or piece of code in Splunk or the Enterprise Security app attempts to access the URLs? I want to run that script manually to see what kind of errors I'm receiving.

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Information about the threat intelligence framework and sources
Splunk Enterprise Security includes a threat intelligence framework and threat intelligence sources that attempt to perform these downloads. A modular input performs the download requests (that's what you found in the input.conf file)

Troubleshooting your specific problem
If the threat sources are failing to download, there are several potential root causes:

  • Is your instance connected to the internet? Are there firewall or proxy rules in place that might prevent the modular input from making these calls to the internet?
  • Are you using a version of Splunk Enterprise Security with a known bug that produces these messages in error (says that the downloads are failing when they are not)? Versions 4.7.0 and 4.7.1 have this bug.

Review the log files related to see the exact error messages, and other verification steps, see: http://docs.splunk.com/Documentation/ES/4.7.2/Admin/Verifythreatintel

R_B
Path Finder

Thank you very much for the information and feedback. I'm working through troubleshooting this some more using the info you provided. The version of ES I'm running is the latest version, 4.7.2. I think the first bullet you suggested is correct, there has to be something blocking the splunk server from reaching out to the threat intelligences, my next step is to just figure out what exactly that is. I will update this post with an answer when I figure it out, or some more questions if I get stuck again. Thanks!

0 Karma

smoir_splunk
Splunk Employee
Splunk Employee

Thanks for the update! I hope it's easy to fix after you find out what's causing the problem. Good luck!

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...