Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

splunkrajkrk
Explorer

I can't see the Threat Intelligence Audit Events in Splunk Enterprise Security

I have internet access to my serverm and yes, I can even wget http://hailataxii.com/ site successfully.
I checked the configuration for indexes.conf and inputs.conf they look good for the SA-ThreatIntelligence//local and DA-ESS-ThreatIntelligence/local/ as well

Could anyone help me out to figure out the problem?

0 Karma

gjanders
SplunkTrust
SplunkTrust

I'm assuming you are not using a proxy server in your environment?
Also which ES version? I'm having a similar issue in 4.5 which I have logged with Splunk support...

0 Karma

splunkrajkrk
Explorer

Yes we are not using Proxy server in our environment ,version 4.1.1

and also im getting following errors from all indexers

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089

0 Karma

shellsam
Explorer

Even i'm getting the same error "Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089" can somebody help me here

0 Karma

gjanders
SplunkTrust
SplunkTrust

As per ekosts's comment ahve you checked the file $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log and $SPLUNK_HOME/var/log/splunk/threatlist.log ? Or used the splunk search for these to look for problems?

The above comment also mentions "indexers", the above refers to the search heads.

Since there is minimal information I'm completely guessing, but have you pushed the distributed configuration bundle to the indexers available on:
https://:8000/en-US/app/SplunkEnterpriseSecuritySuite/ess_distributed_conf_management?earliest=0&latest=
?

ekost
Splunk Employee
Splunk Employee

I took a look around for bugs, and found that error listed under the conditions "Subsearch errors when looking up the modular input status for each indexer in a index cluster." At this point, the error appears to be a unique issue, and should be treated independently of issues downloading threat intel sources. If you're completely stuck, and not seeing anything in the logs that clarifies what the downloading issue is, please file a support case.

0 Karma

ekost
Splunk Employee
Splunk Employee

I'd begin by taking a look a the _internal index for errors related to threat intel sources. Start with something like: index=_internal eventtype=threatintel_internal_logs error and see what events (if any) get returned. There are a couple common log sources that are written to for ThreatIntel processing: $SPLUNK_HOME/var/log/splunk/threatlist.log, and $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log which are tagged with that eventtype.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...