Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?


We are having an issue where a single threat intelligence download is failing (SANS blocklist) regularly. I can wget the file just fine from the search head where Splunk Enterprise Security is installed, so I'm not sure it's a network problem with reaching the site. Is there any place I can get a more specific error message as to why this is failing?

msg="A threat intelligence download has failed" stanza="sans" status="threat list download failed after multiple retries"


I logged a case on 4.7.0, I believe the issue will get fixed in 4.7.2
As a workaround, you can edit :
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below


    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)


    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

The difference on that last line is the earliest_time= setting....once I did that the warnings went away.

Path Finder

Was there ever a resolution to this? I have this problem after upgrading to ES 4.7.1

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...