Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Explorer

I can't see the Threat Intelligence Audit Events in Splunk Enterprise Security

I have internet access to my server and yes, I can even wget the http://hailataxii.com/ site successfully.
I checked the configuration for indexes.conf and inputs.conf; they look good for SA-ThreatIntelligence/local and DA-ESS-ThreatIntelligence/local/ as well.

Could anyone help me out to figure out the problem?

0 Karma

SplunkTrust

I'm assuming you are not using a proxy server in your environment?
Also which ES version? I'm having a similar issue in 4.5 which I have logged with Splunk support...

0 Karma

Explorer

Yes, we are not using a proxy server in our environment, version 4.1.1.

And also I'm getting the following errors from all indexers:

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089

0 Karma

Explorer

Even I'm getting the same error "Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089"; can somebody help me here?

0 Karma

SplunkTrust

As per ekosts's comment, have you checked the files $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log and $SPLUNK_HOME/var/log/splunk/threatlist.log? Or used the Splunk search for these to look for problems?

The above comment also mentions "indexers"; the above refers to the search heads.

Since there is minimal information, I'm completely guessing, but have you pushed the distributed configuration bundle to the indexers, available on:
https://:8000/en-US/app/SplunkEnterpriseSecuritySuite/ess_distributed_conf_management?earliest=0&latest=
?

Splunk Employee

I took a look around for bugs, and found that error listed under the conditions "Subsearch errors when looking up the modular input status for each indexer in a index cluster." At this point, the error appears to be a unique issue, and should be treated independently of issues downloading threat intel sources. If you're completely stuck, and not seeing anything in the logs that clarifies what the downloading issue is, please file a support case.

0 Karma

Splunk Employee

I'd begin by taking a look at the _internal index for errors related to threat intel sources. Start with something like: index=_internal eventtype=threatintel_internal_logs error and see what events (if any) get returned. There are a couple of common log sources that are written to for ThreatIntel processing: $SPLUNK_HOME/var/log/splunk/threatlist.log and $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log, which are tagged with that eventtype.

0 Karma
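As an added example (not code from this thread or from Splunk), here is a small offline triage script for the two log files named in the answer above: it groups key=value events per threat source and reports the last download outcome, and separately collects the "Failed to fetch REST endpoint" error quoted earlier in the thread, which the Splunk employee says to treat independently of download failures. The sample lines and the field names (stanza, status, reason) are constructed assumptions for this example, not Splunk's documented log format; adjust the regexes to match your real files.

```python
import re

# Constructed sample lines in the key=value style Splunk app logs commonly use.
# Field names (stanza, status, reason) are assumptions for this example, not a
# documented threatlist.log schema. The last line mirrors the REST error quoted
# earlier in the thread.
SAMPLE_LOG = """\
2017-03-01 10:00:01,123 INFO pid=1234 stanza="hailataxii_malware" status="retrieving" url="http://hailataxii.com/taxii-data"
2017-03-01 10:00:05,456 ERROR pid=1234 stanza="hailataxii_malware" status="download failed" reason="Connection timed out"
2017-03-01 10:00:06,000 INFO pid=1234 stanza="mozilla_psl" status="retrieving" url="https://publicsuffix.org/list/public_suffix_list.dat"
2017-03-01 10:00:09,789 INFO pid=1234 stanza="mozilla_psl" status="download complete" bytes=180000
2017-03-01 10:00:10,000 ERROR pid=1234 Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<level>\w+) (?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def parse_line(line):
    """Split one log line into timestamp, level, free text and key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {k: (q or u) for k, q, u in KV_RE.findall(rest)}
    text = KV_RE.sub("", rest).strip()  # whatever is left once fields are removed
    return {"ts": m.group("ts"), "level": m.group("level"), "text": text, **fields}


def triage_sources(log_text):
    """Per threat source (stanza), report whether its latest download succeeded."""
    sources = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "stanza" not in ev:
            continue  # not a per-source download event
        entry = sources.setdefault(ev["stanza"], {"ok": None, "status": None, "reason": None})
        status = ev.get("status", "")
        entry["status"] = status
        if ev["level"] == "ERROR" or "fail" in status.lower():
            entry["ok"], entry["reason"] = False, ev.get("reason")
        elif "complete" in status.lower():
            entry["ok"] = True
    return sources


def rest_endpoint_errors(log_text):
    """Collect the indexer-status lookup failures, kept apart from download errors."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["text"].startswith("Failed to fetch REST endpoint"):
            hits.append({"ts": ev["ts"], "uri": ev.get("uri"), "server": ev.get("server")})
    return hits
```

Point the functions at the contents of threatlist.log and threat_intelligence_manager.log; a source whose last status is a failure, with its reason, is where to start, while the REST lookup error shows up in the second list.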