Splunk Enterprise Security

How do I stop the "threat list download failed after multiple retries" messages on disabled threat inputs?

Contributor

It looks like the seven iblocklist feeds included in Splunk Enterprise Security (ES) 4.5.0 are now subscription based and ES can no longer pull them.

To try and stop the messages,
1. I disabled the feeds in Data inputs » Threat Intelligence Downloads
2. I modified the Interval to 610000 (once a week)
3. Under local\inputs.conf, in the [configuration_check://confcheck_failed_threat_download] stanza, added files to suppress (SOLNESS-10559 in known issues)

Every three hours, the messages show up.

What else do I need to do to stop these messages?

0 Karma
1 Solution

Splunk Employee

Great, so for this one, I filed:
SOLNESS-11180
[PUBLIC] [CUSTOMER] Threat Intelligence: emerging_threats_compromised_ip_blocklist is no longer available for download
It seems the vendor has quit publishing this list. (We are awaiting confirmation; if they have disabled it for good, we will remove it from the product.)

So please disable the feed.

Because you are running 4.5.0, you are also hitting SOLNESS-10813, so even after you disable the download, we have an issue.
To fix this, delete:
$SPLUNK_HOME/var/lib/splunk/modinputs/configuration_check/confcheck_failed_threat_download

And you should be all fixed up. SOLNESS-10813 was fixed in 4.5.1.

Okie

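The two steps in the accepted answer (disable the feed, delete the stale confcheck state file), as an added shell script that is not code from the thread or from Splunk. It assumes the feed is an inputs.conf stanza named [threatlist://emerging_threats_compromised_ip_blocklist] in the DA-ESS-ThreatIntelligence app (the stanza name and app are assumptions; adjust FEED and APP to match your install); the state-file path is the one quoted in the answer. The verify step checks that both changes actually took, which is what you want before waiting three hours to see whether the message re-fires.

```shell
#!/bin/sh
# Added example (not from the thread or from Splunk): apply the accepted
# answer's fix and check the result.
# Assumptions, not stated on the page: the feed is a [threatlist://...]
# stanza in the DA-ESS-ThreatIntelligence app. Adjust FEED/APP as needed.
# STATE_REL is the path the answer says to delete (SOLNESS-10813, ES 4.5.0).

FEED="emerging_threats_compromised_ip_blocklist"
APP="DA-ESS-ThreatIntelligence"
STATE_REL="var/lib/splunk/modinputs/configuration_check/confcheck_failed_threat_download"

# Step 1: disable the feed in local/inputs.conf (never edit default/).
# Idempotent: appends the stanza only if it is not already present.
disable_feed() {
    conf="$1/etc/apps/$APP/local/inputs.conf"
    mkdir -p "$(dirname "$conf")"
    if [ -f "$conf" ] && grep -q "^\[threatlist://$FEED\]" "$conf"; then
        return 0
    fi
    printf '\n[threatlist://%s]\ndisabled = 1\n' "$FEED" >> "$conf"
}

# Step 2: remove the stale confcheck state. Without this the message keeps
# re-firing every few hours even though the download input is disabled.
clear_stale_state() {
    state="$1/$STATE_REL"
    [ -f "$state" ] && rm -f "$state"
    return 0
}

# Returns 0 only if the stanza exists with disabled = 1 and the state file
# is gone; anything else means the fix did not take.
verify_fix() {
    conf="$1/etc/apps/$APP/local/inputs.conf"
    [ -f "$conf" ] || return 1
    awk -v s="[threatlist://$FEED]" '
        $0 == s { in_stanza = 1; next }
        /^\[/   { in_stanza = 0 }
        in_stanza && $0 ~ /^disabled *= *1 *$/ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$conf" || return 1
    [ ! -f "$1/$STATE_REL" ] || return 1
    return 0
}

apply_fix() {
    disable_feed "$1" && clear_stale_state "$1" && verify_fix "$1"
}

# Usage: sh fix_threat_download.sh /opt/splunk
# With no argument the file only defines the functions, so it can be sourced.
if [ "$#" -gt 0 ]; then
    apply_fix "$1" && echo "fixed: $FEED disabled, stale confcheck state removed"
fi
```

Run it as the user that owns $SPLUNK_HOME. The answer does not say a restart is required, and the posters below report the messages stopping after the file delete alone; if the feed list in Data inputs does not reflect the new stanza, a `splunk restart` is the usual way to make inputs.conf changes visible (that is a general Splunk assumption, not something the thread states).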

Contributor

I removed the file and so far I am no longer getting the messages.

Thank you for the help.

0 Karma

Explorer

I also deleted the file and can validate the messages have stopped. Also, they seem to have the feed working again.

0 Karma

Splunk Employee

Great news all, sorry for the confusion!

0 Karma

Explorer

I'm having the same issue. I can't get these alerts to stop even after the threat feed is working again.

0 Karma

Splunk Employee

Show me your exact errors, and I will tell you how to fix them.

E.g., is it a TAXII feed error, or is it alexa/compromisedip?

And what version are you running?

Okie

0 Karma

Contributor

I am receiving the following message:

msg="A threat intelligence download has failed" stanza="emerging_threats_compromised_ip_blocklist" status="threat list download failed after multiple retries"

ES version is 4.5.0

0 Karma

Explorer

I'm seeing the exact same error and also running 4.5.0.

0 Karma