We are having an issue where a single threat intelligence download is failing (SANS blocklist) regularly. I can wget the file just fine from the search head where Splunk Enterprise Security is installed, so I'm not sure it's a network problem with reaching the site. Is there any place I can get a more specific error message as to why this is failing?
msg="A threat intelligence download has failed" stanza="sans" status="threat list download failed after multiple retries"
I logged a case on 4.7.0, I believe the issue will get fixed in 4.7.2
As a workaround, you can edit :
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below