Troubleshoot threat intelligence in Splunk Enterprise Security
The following troubleshooting steps are for resolving issues you might face with the threat intelligence systems in Splunk Enterprise Security.
Error message: Intelligence modular input is disabled
In Splunk Enterprise Security, there are two modular inputs used to get intelligence from the threat intelligence management (cloud) system. The two modular inputs, Mission Control - Retrieve IM Indicators and Mission Control - Parse IM indicators, are active by default.
If you see an error message in Splunk Enterprise Security about deactivated modular inputs, complete the following steps to check for and activate the necessary modular inputs.
- Select the Settings tab in Splunk Web.
- In the Data section, select Data inputs.
- Select Mission Control - Retrieve IM Indicators for the local input.
- Select Enable in the Status field.
- Return to the Data inputs page and select Mission Control - Parse IM indicators files.
- Select Enable in the Status field.
After you activate the modular inputs for Splunk Enterprise Security, you can access threat intelligence data in the Intelligence tab of your investigation.
SA-ThreatIntelligence `notable` macro is inactive
With the `notable` macro from SA-ThreatIntelligence, the Threat Intelligence Supporting Add-on (SA), you can create a finding in Splunk Enterprise Security. In a Splunk Enterprise Security search head environment, the `notable` macro from SA-ThreatIntelligence is active by default, but users can activate or deactivate the macro through the Splunk Web menu.
The `notable` macro from SA-ThreatIntelligence is not the same as the `notable` macro from DA-ESS-ContentUpdate, the Splunk Enterprise Security Domain Add-on.
If the `notable` macro from SA-ThreatIntelligence is inactive, you can reactivate it by following these steps:
- In the Splunk Web menu, select Settings and then Advanced search.
- Select Search macros.
- Using the drop-down list, select SA-ThreatIntelligence for the App.
- Locate the notable search macro in the table. You can filter the table results using the search bar.
- For the notable search macro, select Enable.
Parsing errors for intelligence sources
Review the following log files to troubleshoot errors that can occur when parsing intelligence sources in Splunk Enterprise Security.
Problem | Suggestion
---|---
Issues related to downloading intelligence sources. | Look at the Intelligence audit events panel on the Threat intelligence audit dashboard. Look for events from the threatlist.log file with the threatintel:download sourcetype.
Issues related to parsing or processing. | Look at the Intelligence audit events panel on the Threat intelligence audit dashboard. Look for events from the threat_intelligence_manager.log file with the threatintel:manager sourcetype.
Errors that result from uploading a file. | Review the threat_intel_file_upload_rest_handler.log file.
Other parsing errors. | Verify that the modular inputs are running as expected. See python_modular_input.log for errors associated with modular input failures.
FSISAC threat source errors
If your FSISAC threat source appears to be stuck and you see the following in your log:
2020-06-03 18:36:12,461+0000 INFO pid=6580 tid=MainThread file=threatlist.py:download_taxii:361 | status="TAXII feed polling starting" stanza="FS_TEST"
2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:49 | Certificate information incomplete - falling back to AUTH_BASIC.
2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC
This can be caused by a bug in libtaxii: version 1.1.113 or higher is required to support the vendor's requirement of sending Server Name Indication (SNI). Libtaxii 1.1.113.x is only available in Enterprise Security 6.x and higher.
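A small triage script for the symptom above, added here as an example and not part of Splunk's or Enterprise Security's own code. It parses threatlist.log lines in the layout quoted above, reports stanzas that fell back to AUTH_BASIC and then logged nothing further from the same pid, and checks a libtaxii version string against the 1.1.113 minimum; the OTHER_FEED stanza and its progress line are constructed sample data, not real ES messages.

```python
import re

# Layout of the threatlist.log lines quoted above:
# "<date> <time> <LEVEL> pid=<n> tid=<thread> file=<file>:<func>:<line> | <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<level>\w+) pid=(?P<pid>\d+) tid=(?P<tid>\S+) "
    r"file=(?P<loc>\S+) \| (?P<msg>.*)$"
)
STANZA_RE = re.compile(r'stanza="(?P<stanza>[^"]+)"')

# Constructed sample: the three lines from the page (pid 6580, stanza FS_TEST), plus
# three hypothetical lines for a second stanza whose poll keeps logging afterwards.
SAMPLE_LOG = [
    '2020-06-03 18:36:12,461+0000 INFO pid=6580 tid=MainThread file=threatlist.py:download_taxii:361 | status="TAXII feed polling starting" stanza="FS_TEST"',
    '2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:49 | Certificate information incomplete - falling back to AUTH_BASIC.',
    '2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC',
    '2020-06-03 18:40:01,000+0000 INFO pid=7001 tid=MainThread file=threatlist.py:download_taxii:361 | status="TAXII feed polling starting" stanza="OTHER_FEED"',
    '2020-06-03 18:40:03,000+0000 INFO pid=7001 tid=MainThread file=__init__.py:_poll_taxii_11:49 | Certificate information incomplete - falling back to AUTH_BASIC.',
    '2020-06-03 18:40:09,000+0000 INFO pid=7001 tid=MainThread file=threatlist.py:download_taxii:400 | constructed progress line (not a real ES message)',
]


def parse_lines(lines):
    """Parse log lines into dicts of named fields; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, (line.strip() for line in lines)) if m]


def stuck_taxii_stanzas(events):
    """Stanzas that started a TAXII poll, fell back to AUTH_BASIC, and then logged
    nothing further from the same pid: the 'stuck' pattern described on the page."""
    stanza_by_pid, fell_back, progressed = {}, set(), set()
    for ev in events:
        stanza = stanza_by_pid.get(ev["pid"])
        if "TAXII feed polling starting" in ev["msg"]:
            m = STANZA_RE.search(ev["msg"])
            if m:
                stanza_by_pid[ev["pid"]] = m.group("stanza")
        elif stanza and "falling back to AUTH_BASIC" in ev["msg"]:
            fell_back.add(stanza)
        elif stanza in fell_back and not ev["msg"].startswith("Auth Type:"):
            progressed.add(stanza)  # any later activity means the poll moved on
    return sorted(fell_back - progressed)


def libtaxii_supports_sni(version):
    """True when a libtaxii version string is 1.1.113 or higher, the minimum the page
    names for SNI support (accepts forms such as '1.1.113.2' or '1.1.113.x')."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3]) >= (1, 1, 113)
```

Run `stuck_taxii_stanzas(parse_lines(open("threatlist.log")))` against a real log to list the stanzas worth checking against the libtaxii version shipped with your ES release.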
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1