Splunk Enterprise Security

Error when polling TAXII feeds with Enterprise Security


I am unable to make the Threat Intelligence input for hailataxii work using on-prem Splunk Enterprise. Splunk Enterprise version 8.2.4 and Enterprise Security version 7.0.0.


The Threat Intelligence Audit dashboard shows "TAXII feed polling starting".

The Intelligence Audit events below show an error message:

2022-01-10 20:11:51,120+0000 ERROR pid=3116 tid=MainThread file=threatlist.py:download_taxii:476 | <urlopen error [Errno 111] Connection refused>
Traceback (most recent call last):
File "/opt/splunk/lib/python3.7/urllib/request.py", line 1350, in do_open
File "/opt/splunk/lib/python3.7/http/client.py", line 1281, in request
self._send_request(method, url, body, headers, encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1327, in _send_request
self.endheaders(body, encode_chunked=encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1276, in endheaders
self._send_output(message_body, encode_chunked=encode_chunked)
File "/opt/splunk/lib/python3.7/http/client.py", line 1036, in _send_output
File "/opt/splunk/lib/python3.7/http/client.py", line 976, in send
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 478, in connect
(self.host, self.port), self.timeout, self.source_address)
File "/opt/splunk/lib/python3.7/socket.py", line 728, in create_connection
raise err
File "/opt/splunk/lib/python3.7/socket.py", line 716, in create_connection
ConnectionRefusedError: [Errno 111] Connection refused
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist.py", line 439, in download_taxii
taxii_message = handler.run(args, handler_args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 173, in run
return self._poll_taxii_11(parsed_args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/bin/taxii_client/__init__.py", line 81, in _poll_taxii_11
http_resp = client.call_taxii_service2(args.get('url'), args.get('service'), tm11.VID_TAXII_XML_11, poll_xml, port=args.get('port'), timeout=args['timeout'])
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 344, in call_taxii_service2
response = urllib.request.urlopen(req, timeout=timeout)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 222, in urlopen
return opener.open(url, data, timeout)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 525, in open
response = self._open(req, data)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 543, in _open
'_open', req)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 503, in _call_chain
result = func(*args)
File "/opt/splunk/etc/apps/SA-ThreatIntelligence/contrib/libtaxii/clients.py", line 374, in https_open
return self.do_open(self.get_connection, req)
File "/opt/splunk/lib/python3.7/urllib/request.py", line 1352, in do_open
raise URLError(err)
urllib.error.URLError: <urlopen error [Errno 111] Connection refused>


Any ideas??? 

0 Karma
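Added example, not part of the original post and not Splunk code: the traceback above fails inside `socket.create_connection`, which is the TCP connect step, before any TLS handshake or TAXII request. The staged probe below, run from the Splunk host, reports which stage fails first; the function name `probe` is hypothetical, and the feed host and port are supplied by the caller.

```python
import socket
import ssl
import sys


def probe(host, port, timeout=5.0, use_tls=True):
    """Return (stage, detail): the first failing stage, or ("ok", detail)."""
    # Stage 1: name resolution for the feed host.
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return ("dns_failure", str(exc))

    # Stage 2: TCP connect, the step that raised Errno 111 in the traceback.
    result, sock = ("tcp_error", "no addresses returned"), None
    for family, socktype, proto, _, addr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(addr)
            sock = s
            break
        except ConnectionRefusedError as exc:
            # Something answered with a reset: closed port or a rejecting device.
            result = ("tcp_refused", f"{addr[0]}:{addr[1]} {exc}")
        except socket.timeout:
            # No answer at all: packets are being dropped on the path.
            result = ("tcp_timeout", f"{addr[0]}:{addr[1]} no reply in {timeout}s")
        except OSError as exc:
            result = ("tcp_error", f"{addr[0]}:{addr[1]} {exc}")
        s.close()
    if sock is None:
        return result

    # Stage 3: TLS handshake with certificate and hostname verification.
    with sock:
        if not use_tls:
            return ("ok", "TCP connection established")
        try:
            with ssl.create_default_context().wrap_socket(
                    sock, server_hostname=host) as tls:
                return ("ok", tls.version())
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            return ("tls_failure", str(exc))


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python probe.py <feed-host> <port>
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A `tcp_refused` result reproduces the logged error outside Splunk, which places the fault at the host, port, or network path rather than in the TAXII settings.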