https://s3.amazonaws.com/alexa-static/top-1m.csv.zip is hard coded into Splunk Enterprise Security SA-ThreatIntelligence/default/inputs.conf but is no longer working (as of this past weekend). Anyone found a work-around or a new source for this file?
Error in Enterprise Security (ES):
msg="A threat intelligence download has failed" stanza="alexa_top_one_million_sites" status="threat list download failed after multiple retries"
Error when manually accessing URL:
<Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>A85FCE82234485BE</RequestId> <HostId> loGQHQvhiSqimFb9bmx5cXqvZTckwSkMkz6jmbOUIvVi844IbCefEwSyV9ZrAp7G7oB1xPE5oq0= </HostId> </Error>
@andygerber it looks like Alexa might have stopped distributing the top 1 million sites in a static way. That URI was valid in April (per https://web.archive.org/web/20160429064334/https://support.alexa.com/hc/en-us/articles/200461990-Can...) but https://support.alexa.com/hc/en-us/articles/200461990-Can-I-get-a-list-of-top-sites-from-an-API- no longer lists it.
I don't know of a workaround at this time. The web service to access data isn't free 😞
well Splunk needs to provide next steps here; it's a default download in ES right now, so everybody is erroring out.
Thanks @andygerber, I filed a jira and added it to the known issues. For now you can disable the download in the threat intelligence downloads. http://docs.splunk.com/Documentation/ES/4.5.0/User/Configureblocklists#Threat_Intelligence_Download_...
Good question, was searching for this issue. Glad to know it's safe to disable. Thanks!
After disabling it, I am still getting the warning in messages. Are there any alerts to disable aswell?
Thanks for the info. Of course, in a SHC the changes are a bit more complex than just editing via the GUI. Will push out a fix next time I do a cluster update.