Splunk Enterprise Security

A threat intelligence download has failed...status="threat list download failed after multiple retries". How can I resolve this?

jspigler2010
Explorer

Started getting the following alert after installing ES in our environment.

A threat intelligence download has failed. stanza="iblocklist_rapidshare" host="jsspl9.domain.net" status="threat list download failed after multiple retries"

After some research and investigating the search that produces the alert (which is the following):

index=_internal sourcetype=threatintel:download file="threatlist.py:download*" NOT (status="*starting" OR status="retrying download" OR status="threat list downloaded" OR status="Retrieved document from TAXII feed" OR status="Retrieved documents from TAXII feed") | stats latest(status) as status, latest(_time) as _time by stanza, host, url

The time frame the alert is set to is "All Time". This means that if there was a failed download attempt of a threat feed X amount of time ago, and then a successful download of the same threat feed happened between the time of the failed attempt and now, the failed attempt would still be alerted on, based on how the above search is constructed. The alert will only stop being generated when the event has been purged from "_internal". Does anybody know if this was the intent?

0 Karma
1 Solution

risgupta
Path Finder

This is a known issue for version 4.7.0 of the ES app. The issue is now fixed in 4.7.2 and higher.
As a workaround, you can edit:
/opt/splunk/etc/apps/DA-ESS-ThreatIntelligence/bin/configuration_checks/confcheck_failed_threat_download.py as below

Change:

 job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest=earliest)

To:

 job = splunk.search.dispatch(search_string, sessionKey=session_key, earliest_time=earliest)

The difference on that last line is the earliest_time= setting. Once I did that the warnings went away.

Let me know how it goes.

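To make the two points in this thread concrete (the health-check search alerting on stale failures when it runs over "All Time", and the fix of passing earliest_time= instead of earliest=), here is an added Python model that is not code from the thread or from Splunk ES. The events, hostnames, feed URLs and "now" timestamp are constructed, and the dispatch() stand-in assumes, consistent with what the answer reports, that an unrecognised keyword is silently ignored rather than rejected.

```python
# Added example, not code from the thread or from Splunk ES: a stand-in for the
# health-check search and for a dispatch() call that only honours earliest_time.
# All events, hosts, URLs and the "now" timestamp below are constructed.
from datetime import datetime, timedelta, timezone

# Statuses the search drops with NOT (...); "*starting" is matched as a suffix below.
EXCLUDED = {"retrying download", "threat list downloaded",
            "Retrieved document from TAXII feed",
            "Retrieved documents from TAXII feed"}
FAILED = "threat list download failed after multiple retries"
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)

def event(stanza, status, age, host="sh1.example.net"):
    """Build one constructed threatintel:download event dated `age` before NOW."""
    return {"stanza": stanza, "host": host, "url": f"http://feeds.example.net/{stanza}",
            "status": status, "_time": NOW - age}

EVENTS = [
    event("iblocklist_rapidshare", "threat list download starting", timedelta(days=30, hours=1)),
    event("iblocklist_rapidshare", FAILED, timedelta(days=30)),                   # stale failure
    event("iblocklist_rapidshare", "threat list downloaded", timedelta(hours=2)),  # later success
    event("iblocklist_logmein", FAILED, timedelta(hours=1)),                       # recent failure
]

def failed_downloads(events, earliest=None):
    """Replay the search: drop the excluded statuses, keep events inside the time
    window (earliest=None means All Time), then latest(status) by stanza, host, url."""
    latest = {}
    for ev in events:
        if ev["status"] in EXCLUDED or ev["status"].endswith("starting"):
            continue
        if earliest is not None and ev["_time"] < NOW + earliest:
            continue
        key = (ev["stanza"], ev["host"], ev["url"])
        if key not in latest or ev["_time"] > latest[key]["_time"]:
            latest[key] = ev
    # Every remaining row becomes an alert: the later success never overrides the
    # failure, because "threat list downloaded" was filtered out before stats ran.
    return sorted(key[0] for key in latest)

def dispatch(search_string, **kwargs):
    """Mock of the dispatch call (assumption, not the real splunk.search.dispatch):
    only `earliest_time` is honoured; `earliest` is ignored, so the search runs All Time."""
    return failed_downloads(EVENTS, earliest=kwargs.get("earliest_time"))

if __name__ == "__main__":
    window = timedelta(hours=-24)
    print("earliest=      ->", dispatch("...", earliest=window))       # stale rapidshare failure still alerts
    print("earliest_time= ->", dispatch("...", earliest_time=window))  # only logmein alerts
```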

dharveynswccd
Path Finder

I just upgraded to ES 5.0.0, and right after I upgraded and restarted Splunk I started getting a similar error: "Health Check: Intelligence download of "iblocklist_logmein" has failed on host......... threat list download failed after multiple retries". I am getting an alert for multiple things, not just iblocklist. I cleared the alerts but they keep coming back. How can I resolve this, given that I am using a newer version which has the known issue resolved?

0 Karma


jspigler2010
Explorer

That did it after a restart.

Thanks risgupta!

0 Karma

risgupta
Path Finder

Always welcome !!

0 Karma

1783797
Loves-to-Learn Lots

The error message pops up each and every day with a new event. Any solution for this?

0 Karma