Channel: Questions in topic: "splunk-enterprise"

A threat intelligence download has failed...status="threat list download failed after multiple retries". How can I resolve this?

Started getting the following alert after installing ES in our environment:

A threat intelligence download has failed. stanza="iblocklist_rapidshare" host="jsspl9.domain.net" status="threat list download failed after multiple retries"

After some research and investigation, the search that produces the alert is the following:

    index=_internal sourcetype=threatintel:download file="threatlist.py:download_*" NOT (status="*starting" OR status="retrying download" OR status="threat list downloaded" OR status="Retrieved document from TAXII feed" OR status="Retrieved documents from TAXII feed")
    | stats latest(status) as status, latest(_time) as _time by stanza, host, url

The time frame the alert is set to is "All Time". This means that if there was a failed download attempt of a threat feed X amount of time ago, and a successful download of the same threat feed then happened between the time of the failed attempt and now, the failed attempt would still be alerted on, based on how the above search is constructed. The alert will stop being generated only when the event has been purged from "_internal". Does anybody know if this was the intent?
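The behaviour described in the question can be reproduced offline. The following is an added example, not part of the original post and not Splunk's code: it emulates the posted filter-then-`stats latest` logic over constructed events and compares it with a latest-then-filter ordering. The feed URLs, the `other_feed` stanza, the timestamps and the split of statuses into "in progress" are assumptions.

```python
from fnmatch import fnmatchcase

# Status patterns excluded by the NOT (...) clause, copied from the posted search.
EXCLUDED = ["*starting", "retrying download", "threat list downloaded",
            "Retrieved document from TAXII feed",
            "Retrieved documents from TAXII feed"]
# Assumption: these two are progress messages, not final outcomes.
IN_PROGRESS = ["*starting", "retrying download"]
FAILED = "threat list download failed after multiple retries"

# Constructed sample events: (epoch time, stanza, host, url, status).
HOST = "jsspl9.domain.net"
EVENTS = [
    (900, "iblocklist_rapidshare", HOST, "http://feed.example/a", "retrying download"),
    (1000, "iblocklist_rapidshare", HOST, "http://feed.example/a", FAILED),
    (2000, "iblocklist_rapidshare", HOST, "http://feed.example/a", "threat list downloaded"),
    (1500, "other_feed", HOST, "http://feed.example/b", "threat list downloaded"),
    (3000, "other_feed", HOST, "http://feed.example/b", FAILED),
]

def matches(status, patterns):
    """True if status matches any wildcard pattern (case-sensitive here)."""
    return any(fnmatchcase(status, p) for p in patterns)

def latest_by_key(events):
    """Emulate: stats latest(status), latest(_time) by stanza, host, url."""
    latest = {}
    for t, stanza, host, url, status in events:
        key = (stanza, host, url)
        if key not in latest or t > latest[key][0]:
            latest[key] = (t, status)
    return latest

def alert_as_posted(events):
    """Drop excluded statuses first, then take the latest remaining per feed."""
    kept = [e for e in events if not matches(e[4], EXCLUDED)]
    return {k[0]: v for k, v in latest_by_key(kept).items()}

def alert_latest_then_filter(events):
    """Take the latest final status per feed, then keep only non-successes."""
    final = [e for e in events if not matches(e[4], IN_PROGRESS)]
    return {k[0]: v for k, v in latest_by_key(final).items()
            if not matches(v[1], EXCLUDED)}

if __name__ == "__main__":
    print("as posted:         ", alert_as_posted(EVENTS))
    print("latest then filter:", alert_latest_then_filter(EVENTS))
```

With the posted ordering, `iblocklist_rapidshare` is still reported at time 1000 even though it downloaded successfully at time 2000; with the other ordering only `other_feed`, whose most recent outcome is a failure, is reported.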
