Splunk Enterprise Security

Splunk App for Enterprise Security: Why am I getting error messages "msg="A threat intelligence download has failed"...status="threat list could not be written to disk""?

Afef
Communicator

Hello,

I installed the Splunk App for Enterprise Security (simple deployment). I get many error messages:

msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list could not be written to disk"

msg="A threat intelligence download has failed" stanza="mozilla_public_suffix_list" status="threat list could not be written to disk"

Could someone help me please?

Regards

0 Karma

jamesbrock
Path Finder

This has been happening to me for about 2 weeks. I've tried or checked everything I could find on Splunk answers but still get the error. The file permissions are correct and the file is actually downloaded but we still get the error. I've disabled the download but still get the error. I've checked the python script and it already has the updated line.

A threat intelligence download has failed. stanza="malware_domains" host="servername" status="threat list download failed after multiple retries"

We currently run Splunk on a Windows 2012 R2 server, Splunk 6.6.0 and ES App Version 4.7.1 App Build 17.

0 Karma

serwin
Explorer

I just fixed the same error. In my ES Windows deployment, the folder
C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel
was set to read-only. Quick change of the settings and everything is running smoother.

Good luck!

0 Karma

neelamssantosh
Contributor

Still no luck after changing the permissions.

0 Karma

nizami
Observer

@neelamssantosh:

Hello,
were you able to find a solution for this?

0 Karma

saurabhsumangat
New Member

@serwin: how did you change the permission? Can you please show that?

0 Karma

japala
Path Finder

Where do I find this file on the Linux system? I tried /Splunk_home/etc/apps but couldn't find this "SA-ThreatIntelligence" app.

0 Karma

tryan65
Explorer

Well I did find the proper location under $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data but the permissions seem fine. Any other thoughts?

mdessus_splunk
Splunk Employee

Hi, does the host have internet access? Through a proxy?
Does the download script run manually?

Afef
Communicator

Hi, no, the host didn't have internet access.
Which script?

0 Karma

mdessus_splunk
Splunk Employee

Afef, the threat lists are downloaded from the internet!
If you do not have internet access, just disable the threat lists, or copy them locally and modify them.

0 Karma

Afef
Communicator

The search head and the indexer had access to the internet but I still get the same error messages.

0 Karma

mdessus_splunk
Splunk Employee

Only the SH needs internet access.
And check if the following script is running:
/opt/splunk/bin/splunk cmd python ./threatlist.py
(you may add a -v after python if needed).

0 Karma

mdessus_splunk
Splunk Employee

If the search head does not have internet access, even through a proxy, ES will be unable to download the threat lists. You don't need to look further!

0 Karma

Afef
Communicator

Now, the search head has internet access. But I still have the same errors!

0 Karma

alacercogitatus
SplunkTrust

I believe this is a known bug.

All you should have to do is find this script, confcheck_failed_threat_download.py, and change this line:

    job = splunk.search.dispatch(srch, sessionKey=session_key,
        earliest=earliest)

to this line:

    job = splunk.search.dispatch(srch, sessionKey=session_key,
        earliestTime=earliest)

@bosburn_splunk, correct me if I'm wrong.

season88481
Contributor

Hi, our ES is 4.5.1. So I checked confcheck_failed_threat_download.py. Looks like the line has been updated already. Possibly the bug has been fixed? However, I'm still getting some errors. Most of the stanzas were downloaded successfully. Only the emerging_threats_ip_blocklist AND iblocklist_tor downloads failed.

0 Karma

bosburn_splunk
Splunk Employee

That fix was for a different error:
"A threat intelligence download has failed" stanza="stanza_name" status="threat list download failed after multiple retries"

This one sounds like a permissions issue. Are you running Windows? Have you checked the permissions on the destination file that it's trying to overwrite?

0 Karma

mrgibbon
Contributor

Is it:
earliest_time=earliest
OR
earliestTime=earliest
For this fix? There is a different post with that variation.
Thanks

0 Karma

Afef
Communicator

How could I find the destination file? There was no information about it!

0 Karma

serwin
Explorer

Afef,

If you're running 6.2.3, here is the location of the threatlists. I just found mine and the folder was indeed read only.

C:\Program Files\Splunk\etc\apps\SA-ThreatIntelligence\local\data\threat_intel

0 Karma
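The thread converges on two distinct causes for this message: "could not be written to disk" (a permissions or read-only folder problem, per serwin and bosburn_splunk) versus "download failed after multiple retries" (the search head lacking internet or proxy access, per mdessus_splunk). The following added triage helper, not code from the thread or from SA-ThreatIntelligence, parses the quoted error lines, sorts failing stanzas by cause, and actually tries to write into the threat_intel folder named above; the `/opt/splunk` default for `$SPLUNK_HOME` is an assumption.

```python
# Added triage helper (not SA-ThreatIntelligence code): parse the error lines,
# map each status to the check this thread converged on, probe the folder.
import os
import re
import tempfile

# Folder named by serwin/tryan65 above; the $SPLUNK_HOME default is an assumption.
SPLUNK_HOME = os.environ.get("SPLUNK_HOME", "/opt/splunk")
THREAT_INTEL_DIR = os.path.join(SPLUNK_HOME, "etc", "apps", "SA-ThreatIntelligence",
                                "local", "data", "threat_intel")
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# status text as quoted in the thread -> which check to run
STATUS_CHECKS = {
    "threat list could not be written to disk": "disk",               # permissions / read-only
    "threat list download failed after multiple retries": "network",  # SH internet / proxy
}

def parse_threatlist_errors(lines):
    """Return one dict of key="value" fields per line that carries a stanza."""
    events = []
    for line in lines:
        fields = dict(KV_RE.findall(line))
        if "stanza" in fields:
            fields["check"] = STATUS_CHECKS.get(fields.get("status", ""), "unknown")
            events.append(fields)
    return events

def check_dir_writable(path):
    """True only if a file can really be created and removed in path."""
    if not os.path.isdir(path):
        return False
    try:
        fd, name = tempfile.mkstemp(prefix=".write_probe_", dir=path)
        os.close(fd)
        os.unlink(name)
        return True
    except OSError:
        return False

def triage(lines, intel_dir=THREAT_INTEL_DIR):
    """Group failing stanzas by cause; probe the folder only when a disk error appears."""
    summary = {"disk": [], "network": [], "unknown": []}
    for e in parse_threatlist_errors(lines):
        summary[e["check"]].append(e["stanza"])
    if summary["disk"]:
        summary["dir_writable"] = check_dir_writable(intel_dir)
    return summary

# Constructed sample lines, modelled on the messages quoted in the thread.
SAMPLE = [
    'msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list could not be written to disk"',
    'msg="A threat intelligence download has failed" stanza="malware_domains" host="servername" status="threat list download failed after multiple retries"',
]
```

Run it as the same OS user the Splunk service runs as: a folder that looks fine in the file browser can still be unwritable for that account, which is exactly the case bosburn_splunk asks about.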