Splunk Enterprise Security
Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Explorer

I can't see the Threat Intelligence Audit Events in Splunk Enterprise Security

I have internet access to my server, and yes, I can even wget http://hailataxii.com/ successfully.
I checked the configuration in indexes.conf and inputs.conf; they look good for SA-ThreatIntelligence/local and DA-ESS-ThreatIntelligence/local as well.

Could anyone help me out to figure out the problem?

Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Splunk Employee

I'd begin by taking a look at the _internal index for errors related to threat intel sources. Start with something like `index=_internal eventtype=threatintel_internal_logs error` and see what events (if any) get returned. There are a couple of common log sources that are written to for ThreatIntel processing: `$SPLUNK_HOME/var/log/splunk/threatlist.log` and `$SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log`, which are tagged with that eventtype.

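As an added example that is not part of this thread and not Splunk's own tooling: if the search head cannot be queried (or the internal index is not being populated), the two log files named above can be triaged offline with a small script. It parses the `timestamp LEVEL key=value ...` shape that Splunk's Python modular inputs write, groups events by threat source stanza, and lists the distinct failure reasons per source. The sample lines are constructed for illustration, and the field names `stanza`, `status` and `reason` are assumptions about the log content, not a documented schema; adjust them to what your own log actually contains.

```python
#!/usr/bin/env python3
"""Offline triage of SA-ThreatIntelligence download logs.

Usage: triage_threatintel.py [path-to-log]
Defaults to $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log
and falls back to the constructed sample below when the file is absent.
"""
import os
import re
import sys
from collections import Counter, defaultdict

# Constructed sample in the assumed shape "timestamp LEVEL key=value ...".
# These are NOT real entries from the poster's environment.
SAMPLE_LOG = """\
2017-03-14 10:22:31,004 INFO  status="download starting" stanza="hailataxii_malware" url="http://hailataxii.com/taxii-data"
2017-03-14 10:22:33,118 ERROR status="download failed" stanza="hailataxii_malware" reason="Connection timed out" url="http://hailataxii.com/taxii-data"
2017-03-14 10:22:33,120 INFO  status="download starting" stanza="mozilla_psl" url="https://publicsuffix.org/list/effective_tld_names.dat"
2017-03-14 10:22:35,450 INFO  status="download complete" stanza="mozilla_psl" bytes=202117
2017-03-14 10:37:33,002 ERROR status="download failed" stanza="hailataxii_malware" reason="Connection timed out" url="http://hailataxii.com/taxii-data"
2017-03-14 10:37:40,771 WARNING status="parse skipped" stanza="local_ip_intel" reason="file not found"
"""

# "2017-03-14 10:22:33,118 ERROR <message>" -> ts, level, msg
LINE_RE = re.compile(r'^(?P<ts>\S+ \S+) (?P<level>[A-Z]+)\s+(?P<msg>.*)$')
# key=value pairs; values may be double-quoted and contain spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return {'ts', 'level', 'fields'} for one log line, or None if it
    does not match the expected shape (e.g. a Python traceback line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group('msg')):
        fields[key] = quoted if raw.startswith('"') else raw
    return {'ts': m.group('ts'), 'level': m.group('level'), 'fields': fields}


def triage(text):
    """Group events by threat source stanza.

    Returns (levels, reasons): levels maps stanza -> Counter of log levels,
    reasons maps stanza -> set of distinct ERROR/WARNING reason strings.
    Lines without a stanza field are bucketed under '<unknown>'.
    """
    levels = defaultdict(Counter)
    reasons = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        stanza = rec['fields'].get('stanza', '<unknown>')
        levels[stanza][rec['level']] += 1
        if rec['level'] in ('ERROR', 'WARNING') and 'reason' in rec['fields']:
            reasons[stanza].add(rec['fields']['reason'])
    return levels, reasons


def failing_sources(text):
    """Sorted list of stanzas that logged at least one ERROR."""
    levels, _ = triage(text)
    return sorted(s for s, c in levels.items() if c['ERROR'] > 0)


def main(argv):
    default = os.path.join(os.environ.get('SPLUNK_HOME', '/opt/splunk'),
                           'var', 'log', 'splunk', 'threat_intelligence_manager.log')
    path = argv[1] if len(argv) > 1 else default
    if os.path.exists(path):
        with open(path, encoding='utf-8', errors='replace') as fh:
            text = fh.read()
    else:
        print(f'{path} not found; using constructed sample', file=sys.stderr)
        text = SAMPLE_LOG
    levels, reasons = triage(text)
    for stanza in sorted(levels):
        c = levels[stanza]
        print(f"{stanza}: INFO={c['INFO']} WARNING={c['WARNING']} ERROR={c['ERROR']}")
        for reason in sorted(reasons.get(stanza, ())):
            print(f'    reason: {reason}')
    return 1 if failing_sources(text) else 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

The exit status is non-zero when any source logged an ERROR, so the script can be dropped into a cron or monitoring check; a source that only ever logs "download starting" with no matching "download complete" is also worth eyeballing in the per-stanza counts even though it raises no error.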
Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

SplunkTrust

I'm assuming you are not using a proxy server in your environment?
Also which ES version? I'm having a similar issue in 4.5 which I have logged with Splunk support...

Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Explorer

Yes, we are not using a proxy server in our environment; version 4.1.1.

I'm also getting the following error from all indexers:

Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089

Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Explorer

I'm getting the same error too: "Failed to fetch REST endpoint uri=https://127.0.0.1:8089/services/admin/inputstatus/ModularInputs%3Amodular%20input%20commands?count=0 from server=https://127.0.0.1:8089". Can somebody help me here?

Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

SplunkTrust

As per ekosts's comment, have you checked the files $SPLUNK_HOME/var/log/splunk/threat_intelligence_manager.log and $SPLUNK_HOME/var/log/splunk/threatlist.log? Or used the Splunk search for these to look for problems?

The above comment also mentions "indexers"; the above refers to the search heads.

Since there is minimal information I'm completely guessing, but have you pushed the distributed configuration bundle to the indexers, available on:
https://:8000/en-US/app/SplunkEnterpriseSecuritySuite/essdistributedconf_management?earliest=0&latest=
?

Re: Splunk Enterprise Security: How to troubleshoot why Threat Intelligence download is failing?

Splunk Employee

I took a look around for bugs, and found that error listed under the conditions "Subsearch errors when looking up the modular input status for each indexer in a index cluster." At this point, the error appears to be a separate issue, and should be treated independently of issues downloading threat intel sources. If you're completely stuck, and not seeing anything in the logs that clarifies what the downloading issue is, please file a support case.
