It looks like the seven iblocklist feeds included in Splunk Enterprise Security (ES) 4.5.0 are now subscription based and ES can no longer pull them.
To try and stop the messages,
1. I disabled the feeds in Data inputs » Threat Intelligence Downloads
2. I modified the Interval to 610000 (once a week)
3. Under \local\inputs.conf, in the [configuration_check://confcheck_failed_threat_download] stanza, added files to suppress (SOLNESS-10559 in known issues)
Every three hours, the messages show up.
What else do I need to do to stop these messages?
Great, so for this one. I filed:
SOLNESS-11180
[PUBLIC] [CUSTOMER] Threat Intelligence: emerging_threats_compromised_ip_blocklist is no longer available for download
It seems the vendor has quit publishing this list. (We are awaiting confirmation; if they have disabled it for good, we will remove it from the product.)
So please disable the feed.
Because you are running 4.5.0 you are also hitting SOLNESS-10813, so even after you disable the download, we have an issue.
To fix this, delete:
$SPLUNK_HOME/var/lib/splunk/modinputs/configuration_check/confcheck_failed_threat_download
And you should be all fixed up. SOLNESS-10813 was fixed in 4.5.1.
Okie
I removed the file and so far I am no longer getting the messages.
Thank you for the help.
I also deleted the file and can validate the messages have stopped. Also they seem to have the feed working again.
Great news all, sorry for the confusion!
I'm having the same issue. I can't get these alerts to stop even after the threat feed is working again.
Show me your exact errors, and I will tell you how to fix them.
E.g. is it a TAXII feed error, or is it alexa/compromisedip?
And what version are you running?
Okie
I am receiving the following message -
msg="A threat intelligence download has failed" stanza="emerging_threats_compromised_ip_blocklist" status="threat list download failed after multiple retries"
ES version is 4.5.0
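An added triage helper (not from this thread or from Splunk) that parses the key="value" failure messages quoted above, counts failures per stanza so you can see which feed to disable, and builds the checkpoint path the fix in this thread deletes. The sample log lines are constructed; the second stanza name is hypothetical.

```python
import os
import re
from collections import Counter

# Constructed sample lines in the key="value" shape shown in the thread.
# "example_feed_ok" is a hypothetical stanza name used only to show grouping.
SAMPLE_LOG = '''\
msg="A threat intelligence download has failed" stanza="emerging_threats_compromised_ip_blocklist" status="threat list download failed after multiple retries"
msg="A threat intelligence download has failed" stanza="emerging_threats_compromised_ip_blocklist" status="threat list download failed after multiple retries"
msg="Threat intelligence download complete" stanza="example_feed_ok" status="ok"
msg="A threat intelligence download has failed" stanza="example_feed_ok" status="threat list download failed after multiple retries"
'''

FAILED_MSG = "A threat intelligence download has failed"
# Checkpoint file named in the thread; a stale copy on ES 4.5.0 (SOLNESS-10813)
# keeps re-raising the alert every few hours after the feed is disabled.
CHECKPOINT_REL = "var/lib/splunk/modinputs/configuration_check/confcheck_failed_threat_download"

# key="value" pairs, allowing backslash-escaped quotes inside the value.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_kv_line(line):
    """Parse one Splunk-style key="value" line into a dict, unescaping \\" in values."""
    return {k: v.replace('\\"', '"') for k, v in KV_RE.findall(line)}


def failed_downloads(log_text):
    """Count threat-download failure messages per stanza (ignores non-failure lines)."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_kv_line(line)
        if event.get("msg") == FAILED_MSG:
            counts[event.get("stanza", "<unknown>")] += 1
    return counts


def repeat_failures(counts, threshold=2):
    """Stanzas that failed at least `threshold` times: candidates to disable in
    Threat Intelligence Downloads rather than leave retrying."""
    return sorted(s for s, n in counts.items() if n >= threshold)


def checkpoint_path(splunk_home):
    """Path of the modular-input checkpoint the thread says to delete on 4.5.0."""
    return os.path.join(splunk_home, CHECKPOINT_REL)


if __name__ == "__main__":
    counts = failed_downloads(SAMPLE_LOG)
    print("failures per stanza:", dict(counts))
    print("disable candidates:", repeat_failures(counts))
    print("checkpoint to remove:", checkpoint_path(os.environ.get("SPLUNK_HOME", "/opt/splunk")))
```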
I'm seeing the exact same error and also running 4.5.0.