Splunk Enterprise Security

Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?

Explorer

We are having an issue where a single threat intelligence download is failing (SANS blocklist) regularly. I can wget the file just fine from the search head where Splunk Enterprise Security is installed, so I'm not sure it's a network problem with reaching the site. Is there any place I can get a more specific error message as to why this is failing?

msg="A threat intelligence download has failed" stanza="sans" status="threat list download failed after multiple retries"

Re: Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?

Path Finder

Was there ever a resolution to this? I have this problem after upgrading to ES 4.7.1.


Re: Splunk Enterprise Security: How to troubleshoot why a Threat Intelligence download is failing for a single download source?

SplunkTrust

I logged a case on 4.7.0; I believe the issue will get fixed in 4.7.2.
As a workaround, you can edit
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configurationchecks/confcheckfailedthreatdownload.py as below.

Change:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)

To:

    job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

The difference on that last line is the earliest_time= setting. Once I did that, the warnings went away.
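A small script that applies the one-line workaround above without hand-editing, added here as an example; it is not part of the thread and not Splunk's own code. It assumes the /opt/splunk path quoted in the answer. The regex, the .bak backup, the status labels and the constructed sample line are this script's own choices. It only rewrites the earliest= keyword inside a splunk.search.dispatch( call, leaves a file that is already patched untouched, and supports a dry run so you can check a search head before changing it.

```python
"""Apply the `earliest=` -> `earliest_time=` keyword fix from the thread to
confcheckfailedthreatdownload.py, idempotently and with a backup.

Added example, not from the original thread or from Splunk. The file path
and the text of the patched line come from the answer above; everything
else (regex, backup suffix, status labels, sample text) is assumed here.
"""
import re
import shutil
import sys
from pathlib import Path
from typing import Tuple

# Location quoted in the thread (assumes a default /opt/splunk install).
DEFAULT_TARGET = Path(
    "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configurationchecks/"
    "confcheckfailedthreatdownload.py"
)

# Match `earliest=` only when it is a keyword argument of the dispatch call
# on the same line. The \b before `earliest` plus the literal `=` after it
# means an already-patched `earliest_time=earliest` does not match, so
# running the patch twice is a no-op.
BROKEN = re.compile(r"(splunk\.search\.dispatch\([^\n]*?)\bearliest=")

# Constructed sample of the unpatched line, used by --demo (not a real file).
SAMPLE_BEFORE = (
    "    job = splunk.search.dispatch(search_string, "
    "sessionKey=session_key, earliest=earliest)\n"
)


def patch_source(text: str) -> Tuple[str, int]:
    """Return (patched_text, replacements). 0 replacements means the file is
    either already patched or does not contain the expected call."""
    return BROKEN.subn(r"\1earliest_time=", text)


def inspect_source(text: str) -> str:
    """Classify a file's contents without modifying it."""
    if BROKEN.search(text):
        return "needs_patch"
    if "splunk.search.dispatch(" in text and "earliest_time=" in text:
        return "already_patched"
    return "unrecognized"


def apply_workaround(path: Path = DEFAULT_TARGET, dry_run: bool = False) -> int:
    """Patch `path` in place, keeping a .bak copy of the original.
    Returns the number of replacements made (0 when nothing changed)."""
    text = path.read_text()
    new_text, n = patch_source(text)
    if n == 0 or dry_run:
        print(f"{path}: {inspect_source(text)} ({n} replacement(s) pending)")
        return 0 if n == 0 else n
    backup = path.with_suffix(path.suffix + ".bak")
    shutil.copy2(path, backup)  # keep the original for rollback
    path.write_text(new_text)
    print(f"{path}: patched ({n} replacement(s)); original saved to {backup}")
    return n


def main(argv) -> int:
    if "--demo" in argv:
        # Show the transformation on the constructed sample only.
        after, n = patch_source(SAMPLE_BEFORE)
        print(f"before: {SAMPLE_BEFORE.strip()}\nafter:  {after.strip()}\n"
              f"replacements: {n}, rerun: {patch_source(after)[1]}")
        return 0
    target = Path(argv[1]) if len(argv) > 1 and not argv[1].startswith("--") else DEFAULT_TARGET
    apply_workaround(target, dry_run="--dry-run" in argv)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python patch_threatdownload.py --dry-run` first to see whether the search head still has the unpatched call, then without the flag to apply it; `--demo` exercises the rewrite on the embedded sample so you can see exactly which characters change before touching a production file.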