Troubleshoot threat intelligence in Splunk Enterprise Security

The following troubleshooting steps are for resolving issues you might face with the threat intelligence systems in Splunk Enterprise Security.

Error message: Intelligence modular input is disabled

In Splunk Enterprise Security, there are two modular inputs used to get intelligence from the threat intelligence management (cloud) system. The two modular inputs, Mission Control - Retrieve IM Indicators and Mission Control - Parse IM indicators, are active by default.

If you see an error message in Splunk Enterprise Security about deactivated modular inputs, complete the following steps to check for and activate the necessary modular inputs.

1. Select the Settings tab in Splunk Web.
2. In the Data section, select Data inputs.
3. Select Mission Control - Retrieve IM Indicators for the local input.
4. Select Enable in the Status field.
5. Return to the Data inputs page and select Mission Control - Parse IM indicators files.
6. Select Enable in the Status field.

After you activate the modular inputs for Splunk Enterprise Security, you can access threat intelligence data in the Intelligence tab of your investigation.

SA-ThreatIntelligence `notable` macro is inactive

With the `notable` macro from SA-ThreatIntelligence, the Threat Intelligence Supporting Add-on (SA), you can create a finding in Splunk Enterprise Security. In a Splunk Enterprise Security search head environment, the `notable` macro from SA-ThreatIntelligence is active by default, but users can activate or deactivate the macro through the Splunk Web menu.

The `notable` macro from SA-ThreatIntelligence is not the same as the `notable` macro from DA-ESS-ContentUpdate, the Splunk Enterprise Security Domain Add-on.

If the `notable` macro from SA-ThreatIntelligence is inactive, you can reactivate it by following these steps:

1. In the Splunk Web menu, select Settings and then Advanced search.
2. Select Search macros.
3. Using the drop-down list, select SA-ThreatIntelligence for the App.
4. Locate the notable search macro in the table. You can filter the table results using the search bar.
5. For the notable search macro, select Enable.

Parsing errors for intelligence sources

Review the following log files to troubleshoot errors that can occur when parsing intelligence sources in Splunk Enterprise Security.

FSISAC threat source errors

If you are having trouble with your FSISAC threat source, it appears to be stuck, and you're seeing the following in your traceback log:

2020-06-03 18:36:12,461+0000 INFO pid=6580 tid=MainThread file=threatlist.py:download_taxii:361 | status="TAXII feed polling starting" stanza="FS_TEST"
2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:49 | Certificate information incomplete - falling back to AUTH_BASIC.
2020-06-03 18:36:12,516+0000 INFO pid=6580 tid=MainThread file=__init__.py:_poll_taxii_11:68 | Auth Type: AUTH_BASIC

It could be due to a bug in libtaxii that requires version 1.1.113 or higher to support the vendor's requirement of including the Server Name Indication System (SNI). Libtaxii 1.1.113.x is only available in versions of Enterprise Security 6.x and higher.