Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Hello,
I installed the Splunk App for Enterprise Security (simple deployment). I get many error messages:
msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list could not be written to disk"
msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list could not be written to disk"
Could someone help me, please?
Regards
This has been happening to me for about 2 weeks. I've tried or checked everything I could find on Splunk Answers but still get the error. The file permissions are correct and the file is actually downloaded, but we still get the error. I've disabled the download but still get the error. I've checked the Python script and it already has the updated line.
A threat intelligence download has failed. stanza="malware_domains" host="servername" status="threat list download failed after multiple retries"
We currently run Splunk on a Windows 2012 R2 server, Splunk 6.6.0 and ES App Version 4.7.1, App Build 17.
I just fixed the same error. In my ES Windows deployment, the folder
C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel
was set to read-only. A quick change of the settings and everything is running more smoothly.
Good luck!

Still no luck after changing the permissions.
Hello,
Were you able to find a solution for this?
@serwin: how did you change the permission? Can you please show that?
Where do I find this file on the Linux system? I tried /Splunk_home/etc/apps but couldn't find this "SA-ThreatIntelligence" app.
Well, I did find the proper location under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data, but the permissions seem fine. Any other thoughts?

Hi, does the host have internet access? Through a proxy?
Does the download script run manually?

Hi, no, the host didn't have internet access.
Which script?

Afef, the threat lists are downloaded from the internet!
If you do not have internet access, just disable the threat lists, or copy them locally and modify them.

The search head and the indexer had access to the internet, but I still get the same error messages.

Only the SH needs Internet access.
And check if the following script is running :
/opt/splunk/bin/splunk cmd python ./threatlist.py
(you may add a -v after python if needed).

If the search head does not have internet access, even through a proxy, ES will be unable to download the threat lists. You don't need to look further!

Now the search head has internet access, but I still have the same errors!

I believe this is a known bug.
All you should have to do is find this script - confcheck_failed_threat_download.py
and change this line:
job = splunk.search.dispatch(srch, sessionKey=session_key, earliest=earliest)
to this line:
job = splunk.search.dispatch(srch, sessionKey=session_key, earliestTime=earliest)
@bosburn_splunk, correct me if I'm wrong.

Hi, our ES is 4.5.1. So I checked confcheck_failed_threat_download.py. It looks like the line has been updated already. Possibly the bug has been fixed? However, I am still getting some errors. Most of the stanzas were downloaded successfully. Only emerging_threats_ip_blocklist and iblocklist_tor downloads failed.

That fix was for a different error:
"A threat intelligence download has failed" stanza="stanza_name" status="threat list download failed after multiple retries"
This one sounds like a permissions issue. Are you running Windows? Have you checked the permissions on the destination file that it's trying to overwrite?
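A small triage helper, added here as an example and not part of this thread or of Splunk's own code. It sorts the two failure statuses quoted in the thread into the layer that needs fixing (status "threat list could not be written to disk" points at the destination directory, as in the read-only folder fix above; status "threat list download failed after multiple retries" points at outbound access from the search head) and then checks the destination directory the way the downloader will exercise it, by actually creating a file there rather than trusting mode bits. The log lines are constructed from the messages quoted in this thread; the $SPLUNK_HOME default and the threat_intel path are assumptions taken from the posts above.

```python
import os
import re
import tempfile

# Constructed sample lines modelled on the messages quoted in this thread
# (not copied from any real Splunk instance).
SAMPLE_LOG = """\
msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list could not be written to disk"
msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list could not be written to disk"
msg="A threat intelligence download has failed" stanza="malware_domains" host="servername" status="threat list download failed after multiple retries"
msg="Threat intelligence download complete" stanza="emerging_threats_ip_blocklist" status="ok"
"""

# Splunk-style key="value" pairs; values in these messages contain no quotes.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# Map the status text onto the layer that is failing, so the next step
# (fix directory permissions vs. fix egress from the search head) follows
# from the log alone.
STATUS_CLASSES = {
    "threat list could not be written to disk": "disk_permissions",
    "threat list download failed after multiple retries": "network_egress",
}


def parse_kv(line):
    """Split one key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def classify(line):
    """Return (stanza, failure_class) for a failed-download line,
    or None when the line is not a download failure at all."""
    fields = parse_kv(line)
    if fields.get("msg") != "A threat intelligence download has failed":
        return None
    status = fields.get("status", "")
    return fields.get("stanza", "?"), STATUS_CLASSES.get(status, "other")


def triage(log_text):
    """Group the failed stanzas in a log excerpt by failure class."""
    groups = {}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            stanza, cls = hit
            groups.setdefault(cls, []).append(stanza)
    return groups


def dir_is_writable(path):
    """Create and remove a real file in `path`. os.access() answers from
    mode bits and ignores Windows ACLs, so only an actual write tells you
    what the threat list downloader will experience."""
    try:
        fd, tmp = tempfile.mkstemp(prefix=".writetest-", dir=path)
    except OSError:          # PermissionError, missing dir, not a dir, ...
        return False
    os.close(fd)
    os.unlink(tmp)
    return True


if __name__ == "__main__":
    # Assumption: $SPLUNK_HOME defaults to /opt/splunk as in the posts above.
    splunk_home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    dest = os.path.join(splunk_home, "etc", "apps", "SA-ThreatIntelligence",
                        "local", "data", "threat_intel")
    for cls, stanzas in triage(SAMPLE_LOG).items():
        print(f"{cls}: {', '.join(stanzas)}")
    if os.path.isdir(dest):
        print("destination writable:", dir_is_writable(dest))
    else:
        print("destination directory not found:", dest)
```

Run it as the same account the Splunk service runs under; a writability result obtained as an administrator says nothing about what splunkd can do. To check real log output instead of the constructed sample, feed the relevant lines from splunkd.log to triage().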
Is it:
earliest_time=earliest
OR
earliestTime=earliest
For this fix? There is a different post with that variation.
Thanks

How could I find the destination file? There was no information about it!
Afef,
If you're running 6.2.3, here is the location of the threatlists. I just found mine and the folder was indeed read only.
C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel
