Splunk Enterprise Security: Why am I getting this error message "msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites""?

emmanuelpeter
New Member

Splunk Enterprise Security: why am I getting this error message?

msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list download failed after multiple retries"
0 Karma

jwelch_splunk
Splunk Employee

We ended up working this issue from a support perspective, and it was related to specific configs within the customer's ENV. If the customer wishes to share our findings, he can note them here.

Having said that, under normal circumstances, using wget to validate connectivity from the SH to the source is a good first step toward understanding why the download is failing.

0 Karma

jwelch_splunk
Splunk Employee

You could also be hitting a bug.
What version of ES are you running?

0 Karma

emmanuelpeter
New Member

I'm currently running Splunk version 6.4.1.2.
What sort of bug could that be?

0 Karma

jwelch_splunk
Splunk Employee

What version of ES are you running?

0 Karma

emmanuelpeter
New Member

Currently it is 4.2.0.

0 Karma

jwelch_splunk
Splunk Employee

Hmm, this indicates you are a cloud customer. If that is the case email me your info jwelch @ splunk dot com.

I will take a look for you.

Otherwise, if I am missing something here, we log the success or failure of a download in the threatlist.log in /opt/splunk/var/log/splunk

index=_internal source=*threatlist.log alexa

This could be related to a previous failure and now it is successful, and you are hitting the bug I was talking about, which I did not think affected 4.2.0

Or it really is failing and I need to see why from the backend.

If you are not a cloud customer you could try this from your SH

wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip to determine if you have success.

Let me know here or via email how I can help

0 Karma

emmanuelpeter
New Member

I've dropped you an email. please do let me know if you receive it.

0 Karma

mparks11
Path Finder

Can you access the URL: https://s3.amazonaws.com/alexa-static/top-1m.csv.zip? This is where the Alexa Top Million is hosted. Personally, I can, so I know they haven't shut down the Alexa top million (like happened a few months back and presumably will happen again). It's possible that your Splunk ES Search Head can't access that URL itself, blocked by a content filter or web proxy in your network somewhere. If you don't use the Alexa Top Million, you could just disable the input.

emmanuelpeter
New Member

I can access the .csv.zip, but how can I check to see if my search head can access it? Thanks.

0 Karma

mparks11
Path Finder

Looks like jwelch beat me to the punch!

wget https://s3.amazonaws.com/alexa-static/top-1m.csv.zip
0 Karma
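The two checks suggested in this thread (read threatlist.log for the latest result per stanza, then reproduce the download with wget from the search head) can be combined into one script. The following is an added example, not code from the thread or from Splunk. It assumes $SPLUNK_HOME defaults to /opt/splunk and that the modular input runs as the same user with the same proxy environment you use to run it; the threatlist.log lines embedded below are constructed to mimic the key="value" fields quoted in the question and are not copied from a real log, so the real file may carry extra fields.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk.
# Triage a failing ES threat-list download from the search head in two steps:
#   1. list the stanzas whose most recent threatlist.log entry reports a failure
#   2. reproduce the download with wget, as jwelch and mparks11 suggest
# Assumptions: $SPLUNK_HOME defaults to /opt/splunk; the log lines below are
# constructed to mimic the key="value" fields quoted in the question, not
# copied from a real threatlist.log.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
THREATLIST_LOG="$SPLUNK_HOME/var/log/splunk/threatlist.log"
ALEXA_URL="https://s3.amazonaws.com/alexa-static/top-1m.csv.zip"

# Constructed sample: one stanza still failing, one that failed and then
# recovered, one that never failed. Only the latest line per stanza counts,
# which is the "previous failure, now successful" case jwelch mentions.
SAMPLE_LOG='2016-08-01 02:00:05 msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list download failed after multiple retries"
2016-08-01 02:00:09 msg="A threat intelligence download has failed" stanza="example_blocklist" status="threat list download failed after multiple retries"
2016-08-01 02:15:12 msg="Threat intelligence download succeeded" stanza="example_blocklist" status="download complete"
2016-08-01 02:15:40 msg="Threat intelligence download succeeded" stanza="example_allowlist" status="download complete"'

# failed_stanzas [FILE]
# Print, one per line and sorted, every stanza whose most recent status
# mentions a failure. Reads stdin (via /dev/stdin) when FILE is omitted.
failed_stanzas() {
    awk '
        {
            if (!match($0, /stanza="[^"]*"/)) next
            stanza = substr($0, RSTART + 8, RLENGTH - 9)   # drop stanza=" and the closing quote
            status = ""
            if (match($0, /status="[^"]*"/))
                status = substr($0, RSTART + 8, RLENGTH - 9)
            last[stanza] = status                          # later lines overwrite earlier ones
        }
        END {
            for (s in last)
                if (last[s] ~ /fail/) print s
        }' "${1:-/dev/stdin}" | sort
}

# check_download URL
# Fetch URL the way the search head would, discarding the body. wget honours
# the https_proxy and no_proxy environment variables, so run this as the
# splunk user to see the same proxy (or lack of one) that the input sees.
check_download() {
    wget -q -O /dev/null --timeout=15 --tries=2 "$1"
}

# Demonstration on the constructed sample: prints alexa_top_one_million_sites only.
printf '%s\n' "$SAMPLE_LOG" | failed_stanzas

# On a real search head, run against the live log and then try the download itself.
if [ "${CHECK_NETWORK:-0}" = 1 ]; then
    [ -r "$THREATLIST_LOG" ] && failed_stanzas "$THREATLIST_LOG"
    if check_download "$ALEXA_URL"; then
        echo "search head can fetch $ALEXA_URL"
    else
        echo "wget exited with status $? - check DNS, proxy and TLS interception between the SH and S3"
    fi
fi
```

Run it as-is to see the sample parsed; on the search head, run `CHECK_NETWORK=1 sh triage.sh` as the splunk user. A wget failure there while the same URL opens from your desktop browser is the proxy or content-filter situation mparks11 describes, and the fix belongs in the network path or the ES proxy settings rather than in the threat-intel input itself.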