Splunk Enterprise Security: How to troubleshoot wh...

brwilson · ‎04-13-2016

We are having an issue where a single threat intelligence download is failing (SANS blocklist) regularly. I can wget the file just fine from the search head where Splunk Enterprise Security is installed, so I'm not sure it's a network problem with reaching the site. Is there any place I can get a more specific error message as to why this is failing?

msg="A threat intelligence download has failed" stanza="sans" status="threat list download failed after multiple retries"

gjanders · ‎06-02-2017

I logged a case on 4.7.0, I believe the issue will get fixed in 4.7.2
As a workaround, you can edit :
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below

Change:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)

To:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

The difference on that last line is the earliest_time= setting....once I did that the warnings went away.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

salbro · ‎06-02-2017

Was there ever a resolution to this? I have this problem after upgrading to ES 4.7.1

Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?

Stay Connected: Your Guide to February Tech Talks, Office Hours, and Webinars!

Preparing your Splunk Environment for OpenSSL3

Incident Response: Reduce Incident Recurrence with Automated Ticket Creation