Splunk Enterprise Security

Splunk Enterprise Security: Why am I unable to find Threat Intelligence data after successful URL download?

jonathangrant74
Explorer

Greetings and thanks for the looking at this question. I have a Splunk server in an air-gapped environment and I'm trying to get threat intelligence data from an external, Internet facing client to an internal URL server and then have Splunk Enterprise Security (ES) perform a URL download of the intelligence file. The external client downloads the feed and then pushes the feed to the URL server (I can push XML, JSON, CSV files).

I am able to get the intelligence file to the URL server from the external client and I set up a Threat Intelligence stanza within Data inputs » Threat Intelligence Downloads to download the file via URL. I am also able to verify that the intelligence file is successfully downloaded; here are the logs for the download:

Threat Intelligence Logs for URL download:

4/24/17
12:53:58.245 AM 
2017-04-23 23:53:58,245 INFO pid=40446 tid=MainThread file=threatlist.py:run:373 | status="continuing" msg="Processing stanza" name="threatlist://custom_ioc"

4/24/17
12:53:58.245 AM 
2017-04-23 23:53:58,245 INFO pid=40446 tid=MainThread file=threatlist.py:run:381 | status="retrieved_checkpoint_data" stanza="custom_ioc" last_run="1492973638.25"

4/24/17
12:53:58.245 AM 
2017-04-23 23:53:58,245 INFO pid=40446 tid=MainThread file=threatlist.py:download_csv:279 | status="CSV download starting" stanza="custom_ioc"

4/24/17
12:53:58.246 AM 
2017-04-23 23:53:58,246 INFO pid=40446 tid=MainThread file=protocols.py:buildOpener:127 | Proxy server will not be used (check your proxy_server, proxy_port, and proxy_user settings if this is incorrect).

4/24/17
12:53:58.958 AM 
2017-04-23 23:53:58,958 INFO pid=40446 tid=MainThread file=threatlist.py:download_csv:310 | stanza="custom_ioc" retries_remaining="3" status="threat list downloaded" file="/indexes/hot/modinputs/threatlist/custom_ioc_2Gwqd.txt" bytes="17882720" url="https://urlserver/ioc/misp.csv.all.ADMIN.csv"

Then after the file is downloaded, I am getting the following error:

4/24/17
12:54:41.689 AM
2017-04-23 23:54:41,689 ERROR pid=40824 tid=MainThread file=threat_intelligence_manager.py:process_files:513 | status="Exception when processing file." filename="custom_ioc.csv"
Traceback (most recent call last):
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 511, in process_files
    self.process_file(fullpath, last_run)
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 252, in process_file
    self.process(filename, parser, typ, last_run)
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/threat_intelligence_manager.py", line 386, in process
    for metadata, intel in parser.parse(self._kvstore_limits):
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/parsers/csv_parser.py", line 402, in parse
    parser = CSVParserConfiguration(self.filename, self._stanza, self._collection_spec)
  File "/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/parsers/csv_parser.py", line 95, in __init__
    raise ValueError('Parser does not extract a field that can be mapped to a threat intelligence collection.')
ValueError: Parser does not extract a field that can be mapped to a threat intelligence collection.

So it appears I have a parsing error, but I am not sure where to look next for that. I know I'm missing something, but am not sure what. Any assistance that can be given to point me in the right direction would be appreciated. Thank you.

scruse
Path Finder

Hi there, I realize I'm about a year late to the party, but in case this is still an issue, or if someone else comes to this from googling the parsing error as I did, I wanted to still comment.

The ES parser cannot handle white-space, so if there's any white-space in the file you'll get this error.

I opened my file in vim, after trying to escape all the things, quote the descriptions, etc, and what finally got it to import was running :%s/\ //g after replacing my spaces in the description with underscores.
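The cleanup scruse describes by hand in vim can be done once, repeatably, on the external client before the feed is pushed to the URL server. The following Python script is an added example written for this thread; it is not code from the thread or from Splunk Enterprise Security. It assumes a column named description, a constructed three-line sample feed, and a small MAPPABLE_FIELDS set standing in for whatever field names your own threat-list stanza maps onto a collection; adjust both to your feed.

```python
import csv
import io
import re

# Constructed sample feed (not from the thread): a header row and two rows whose
# description column carries the spaces that the answer above blames for the
# "Parser does not extract a field ..." error.
SAMPLE_CSV = """ip,description,weight
198.51.100.7,scanner seen on honeypot,50
203.0.113.42, beacon c2 node ,80
"""

# Assumed set of header fields that the stanza maps onto a threat intelligence
# collection. Replace with the field names used in your own stanza.
MAPPABLE_FIELDS = {"ip", "domain", "url", "file_hash"}


def sanitize_feed(text, description_column="description"):
    """Return (header, cleaned_rows, sanitized_csv_text).

    Mirrors the manual fix from the thread: spaces inside the description
    column become underscores, then every remaining whitespace character is
    stripped from every field so that no space survives in the output.
    Also refuses a feed whose header has no mappable field at all, which
    is the condition the traceback in the question reports.
    """
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        raise ValueError("empty feed")

    header = [h.strip() for h in rows[0]]
    if not MAPPABLE_FIELDS & set(header):
        raise ValueError(
            "no header field maps to a threat intelligence collection: %r" % header
        )

    desc_idx = header.index(description_column) if description_column in header else None

    cleaned = []
    for row in rows[1:]:
        if not row or all(not cell.strip() for cell in row):
            continue  # drop blank lines rather than feeding them to the parser
        row = list(row)
        if desc_idx is not None and desc_idx < len(row):
            # Keep the description readable: runs of whitespace become one underscore.
            row[desc_idx] = re.sub(r"\s+", "_", row[desc_idx].strip())
        # Everything else simply loses its whitespace (the ":%s/\ //g" step).
        row = [re.sub(r"\s", "", cell) for cell in row]
        cleaned.append(row)

    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(cleaned)
    return header, cleaned, out.getvalue()


def has_whitespace(text):
    """True if any space or tab remains in the sanitized text."""
    return bool(re.search(r"[ \t]", text))


if __name__ == "__main__":
    header, rows, sanitized = sanitize_feed(SAMPLE_CSV)
    print(sanitized)
```

Run it against the downloaded file before it is served from the URL server; a feed that raises in the header check would also fail inside ES, so it is cheaper to catch there than in the threat_intelligence_manager.py log.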
