Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues

The following are known issues and workarounds for this version of the Splunk App for Enterprise Security.

Highlighted issues

  • On Splunk Enterprise version 6.1 and later, a Windows server can experience a crash when using INDEXED_EXTRACTIONS on introspection logs. (SPL-83975) (SOLNESS-5245)
Workaround:
Modify the content in $SPLUNK_HOME/etc/apps/introspection_generator_addon/local/props.conf and override the value for INDEXED_EXTRACTIONS on all Windows search head and indexer instances.
[splunk_disk_objects]
INDEXED_EXTRACTIONS =
[splunk_resource_usage]
INDEXED_EXTRACTIONS =
Restart Splunk Enterprise.
  • The performance of CIDR-based lookups degrades when evaluating hundreds of subnets. (SOLNESS-4669)
Workaround:
Limit the asset and threat lists to using /24 or smaller subnets.
  • Building a search that references the Risk data model in a distributed environment displays an error regarding a missing lookup file. (SOLNESS-5263)
Workaround:
  1. On the search head, browse to $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/distsearch.conf
  2. Comment out the line nocorrelationsearches = apps/SA-ThreatIntelligence/lookups/correlationsearches.csv
  3. Save the changes and restart services.
  • Users who install or upgrade TA-Bro will find that the add-on does not work by default. The command line displays warnings when you start Splunk Enterprise. (ADDON-1104)
See the Splunk Add-on for Bro IDS Release Notes.
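The CIDR workaround above asks you to keep asset and threat lists to /24 or smaller subnets. The following is an added example (not Splunk's own code) that audits a list for entries broader than that threshold before you load it. It assumes the list is a CSV with an ip column holding single addresses or CIDR values, as Enterprise Security asset and threat lists do; the sample list is constructed, the column name and the /24 threshold are parameters, and IPv6 entries are judged against the same prefix length, which is an assumption.

```python
"""Audit an ES asset or threat list for subnets broader than /24 (SOLNESS-4669 workaround).

Added example, not Splunk's code. Assumes a CSV whose "ip" column holds single
addresses or CIDR networks; range entries ("a-b") are left alone, as this check
only judges CIDR entries.
"""
import csv
import io
import ipaddress

# Constructed sample asset list; addresses are documentation/private ranges, not real assets.
SAMPLE_ASSET_LIST = """\
ip,dns,priority
10.0.0.0/8,corp-lan,medium
192.168.10.0/24,dmz-web,high
172.16.5.0/26,voip,low
203.0.113.7,vpn-gateway,critical
10.1.2.3-10.1.2.9,range-entry,low
"""


def parse_subnet(value):
    """Return an ip_network for a host or CIDR value, or None for entries this
    audit does not judge (IP ranges, blanks, malformed values)."""
    try:
        return ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None


def find_broad_subnets(csv_text, column="ip", max_prefix=24):
    """Return [(row_number, value, prefixlen)] for CIDR entries broader than
    /max_prefix, i.e. whose prefix length is smaller than max_prefix.
    Row numbers count from the file's first line (line 1 is the header)."""
    broad = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_number, row in enumerate(reader, start=2):
        net = parse_subnet(row.get(column, "") or "")
        if net is not None and net.prefixlen < max_prefix:
            broad.append((row_number, row[column], net.prefixlen))
    return broad


def split_to_max_prefix(value, max_prefix=24):
    """Expand one broad network into /max_prefix subnets. A /8 becomes 65536 /24s,
    which shows why narrowing to the ranges actually in use beats mechanical splitting."""
    net = ipaddress.ip_network(value, strict=False)
    if net.prefixlen >= max_prefix:
        return [net]
    return list(net.subnets(new_prefix=max_prefix))


if __name__ == "__main__":
    for row_number, value, prefixlen in find_broad_subnets(SAMPLE_ASSET_LIST):
        pieces = len(split_to_max_prefix(value))
        print(f"row {row_number}: {value} is a /{prefixlen}; would need {pieces} /24 entries")
```

Run it against an exported asset or threat list with the real column name. Entries it flags are the ones the workaround says to avoid; the split count shows that replacing a /8 with tens of thousands of /24 rows would recreate the same lookup load, so the practical fix is to list only the address blocks that are actually in use.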

Hardware prerequisites

  • The Splunk App for Enterprise Security may not run on virtualized machines with insufficient hardware. (SOLNESS-1118)
  • Running Splunk Enterprise on Windows on under-provisioned virtualized hardware may cause Enterprise Security setup to fail. If the instance meets the virtualized hardware specifications, retry the setup if it fails the first time. (SOLNESS-4256)
  • A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run. This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See Errors about ulimit in splunkd.log in the Troubleshooting manual.

Upgrades

  • During an upgrade of the Enterprise Security app, the installer will fail to create a backup of the existing Enterprise Security installation if the backup file size exceeds 2GB. The installer displays the error ERROR - step:upgrade|Filesize would require ZIP64 extensions. (SOLNESS-5490)
Workaround:
Find the large CSV lookup files and move them aside before running the Enterprise Security upgrade. Once the upgrade has completed, move the CSV lookup files back.

Incident Review

  • Contributing events from any notable event in the Incident Review dashboard default to "All Time" and may take a long time to return results. To work around this issue, cancel the search and rerun it with the desired time window. (SOLNESS-1784)
  • The Incident Review dashboard feature does not work on the Solaris operating system. (SOLNESS-2508)
  • The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is expected behavior set by a default in the limits.conf setting max_events_per_bucket, and can be changed as required. (SOLNESS-5072)

Configuration

  • Clicking on a configuration item in the App Settings page takes the user to the Search Macros Manager page. The Cancel button does not work. The Save button takes the user to the list of macros in the Search Macros Manager page instead of back to the App Settings Configuration page. (SOLNPCI-375)

Dashboards

  • When working with individual Reports (Search > Reports), some drilldown functionality may not produce the desired behavior. This depends on the structure of the search and the search commands being used. It should not affect shipped dashboards. If you add a report to your own dashboard, use Simple XML to define an explicit drilldown for best results. (SOLNESS-4387)
  • When using Advanced Threat dashboards, some dashboard views show a yellow warning sign triangle even if the view displays results. The warning reports:
Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv

Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manage the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.
Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel.
See Per-Panel Filter Audit in the Enterprise Security Installation and Configuration Manual for more information. (SOLNESS-4631)
  • Changing the title of an existing entity investigator or swimlane search will break all swimlane searches used on the same dashboard. Changing the title of the search back to the default will fix the display issue. (SOLNESS-5194)

Reports

  • In any Individual Reports window, selecting a real-time Time Range such as a 24 hour window or a 30 minute window causes a display error (SOLNESS-3536):
Error in 'tstats' command: This command is not supported in a real-time search.
Workaround:
Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.
  • When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app. (SOLNESS-4387)
Workaround:
Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.

Inputs

  • The timing of a modular input execution at startup can produce the following error in splunkd.log, reported as a missing file path (SOLNESS-5217).

ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" File "/splunk/etc/apps/SA-Utils/lib/SolnCommon/lookups.py", line 254, in get_temporary_file

ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py"     os.mkdir(basedir)

ERROR ExecProcessor - message from "python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" OSError: [Errno 17] File exists: '/splunk/var/run/splunk/lookup_tmp'

  • The threat list emerging_threats_malvertisers_blocklist has been obsoleted. The input has been removed from the available threat lists. (SOLNESS-4785)
  • A threat list that is downloaded from an HTTPS URL may fail to download if proxy authentication is in use. Checking the $SPLUNK_HOME/var/log/splunk/python_modular_input.log shows an authentication failure:

2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://a.blosklist.hosting.site/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>

A patch to the Python libraries httplib and urllib2 is required. Please contact Splunk Support and reference SOLNESS-5401. (SOLNESS-5401)
Once the files are obtained, follow the instructions below:
1. Stop the Splunk Enterprise services on the Enterprise Security search head.
2. Back up and replace the Python libraries httplib and urllib2 in the $SPLUNK_HOME/lib/python2.7 directory with the copies provided.
3. Restart the Splunk Enterprise services.
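Both of the log signatures above (the ExecProcessor OSError in splunkd.log for SOLNESS-5217 and the 407 Proxy Authentication Required line in python_modular_input.log for SOLNESS-5401) are things you check for by reading the logs. The following is an added example (not Splunk's own code) that parses lines from either log and tags the two known conditions so they can be separated from unrelated errors. The sample lines are constructed from the messages quoted on this page; the splunkd.log timestamp prefix and the INFO line are assumptions, and the regular expressions are written for the line shapes shown here, not for every format those logs can produce.

```python
"""Triage splunkd.log and python_modular_input.log lines for two known ES issues.

Added example, not Splunk's code. The line formats are inferred from the messages
quoted in these release notes; adjust the patterns if your log lines differ.
"""
import re

# splunkd.log: ExecProcessor relays a script's stderr one line at a time.
EXECPROCESSOR_RE = re.compile(
    r'ERROR ExecProcessor - message from "(?P<script>[^"]+)"\s*(?P<msg>.*)$')
ERRNO_RE = re.compile(
    r"OSError: \[Errno (?P<errno>\d+)\] (?P<text>[^:]+): '(?P<path>[^']+)'")

# python_modular_input.log: "<date> <time> LEVEL pid=.. tid=.. file=.. | message"
MODINPUT_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \S+) (?P<level>[A-Z]+) pid=(?P<pid>\d+) '
    r'tid=(?P<tid>\S+) file=(?P<file>\S+) \| (?P<msg>.*)$')
URL_RE = re.compile(r'querying (?P<url>\S+?): ')
PROXY_RE = re.compile(r'Tunnel connection failed: (?P<status>\d{3}) (?P<reason>.+?)(?= exc=|$)')

# Constructed sample lines (timestamps and the INFO line are assumptions).
SAMPLE_LOG_LINES = [
    '11-26-2014 09:15:02.314 +0000 ERROR ExecProcessor - message from '
    '"python /splunk/etc/apps/SA-ThreatIntelligence/bin/threatlist_manager.py" '
    "OSError: [Errno 17] File exists: '/splunk/var/run/splunk/lookup_tmp'",
    '2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist '
    'file=protocols.py:run:246 | Caught URLError when querying '
    'https://a.blosklist.hosting.site/blocklist.php?download=blocklist: '
    'reason=Tunnel connection failed: 407 Proxy Authentication Required '
    'exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>',
    '2014-01-01 01:02:03,004 INFO pid=4000 tid=download_an_ip_blocklist '
    'file=protocols.py:run:210 | Downloaded 1200 entries',
    '11-26-2014 09:15:03.001 +0000 WARN  TcpOutputProc - unrelated message',
]


def triage(line):
    """Parse one line. Returns a dict with a "kind" and, for the two known
    conditions, the matching issue id; None if the line is neither log format."""
    m = EXECPROCESSOR_RE.search(line)
    if m:
        script = m.group("script").split()[-1]  # drop the leading interpreter
        e = ERRNO_RE.search(m.group("msg"))
        if e and e.group("errno") == "17" and e.group("path").endswith("lookup_tmp"):
            return {"source": "splunkd.log", "script": script, "kind": "startup-race",
                    "path": e.group("path"), "issue": "SOLNESS-5217"}
        return {"source": "splunkd.log", "script": script, "kind": "other", "issue": None}
    m = MODINPUT_RE.match(line)
    if m:
        p = PROXY_RE.search(m.group("msg"))
        u = URL_RE.search(m.group("msg"))
        if m.group("level") == "ERROR" and p and p.group("status") == "407":
            return {"source": "python_modular_input.log", "input": m.group("tid"),
                    "kind": "proxy-auth", "status": int(p.group("status")),
                    "url": u.group("url") if u else None, "issue": "SOLNESS-5401"}
        return {"source": "python_modular_input.log", "input": m.group("tid"),
                "kind": "other", "issue": None}
    return None


def known_issue_hits(lines):
    """Only the lines that match one of the two documented conditions."""
    return [r for r in map(triage, lines) if r and r["issue"]]


if __name__ == "__main__":
    for hit in known_issue_hits(SAMPLE_LOG_LINES):
        print(hit)
```

The startup-race hit is the one the page says comes from execution timing; seeing it once at start-up and not again is consistent with that description. A proxy-auth hit names the input (the tid field) whose threat list download is failing, which tells you which download to retest after the library patch from Support is applied.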

Search Head Pooling

  • Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps resides on the pool and is no longer tied to the relative path $SPLUNK_HOME.

Example:

 SA-ThreatIntelligence/local/inputs.conf
   [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = true
    ## Lookup is on the search head pool shared storage. Changed path below:
   [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
    disabled = false
    index = _audit
    sourcetype = incident_review 
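Two of the workarounds on this page come down to getting a .conf override right: the props.conf change under Highlighted issues, which blanks INDEXED_EXTRACTIONS in local/ so it overrides default/ for the two introspection stanzas (SOLNESS-5245), and the inputs.conf change just above, which replaces a $SPLUNK_HOME-relative monitor path with the absolute pool path. The following is an added example (not Splunk's own code) that reads both files with a minimal stanza parser and verifies each outcome. It assumes the simple layering of a single app's local/ over default/ (Splunk's full precedence across apps and system/ is out of scope), and the default props.conf content shown is a constructed sample, not the add-on's actual file.

```python
"""Verify two Splunk .conf workarounds from the ES 3.1 release notes.

Added example, not Splunk's code. parse_conf is a minimal reader for the
"[stanza]" / "key = value" / "# comment" format; it keeps an empty value
("KEY =") as "" so that an override which blanks a setting is visible.
"""


def parse_conf(text):
    """Return {stanza: {key: value}} for a Splunk-style conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_settings(default_text, local_text):
    """Layer one app's local/ over its default/, stanza by stanza (assumption:
    only this app's two copies of the file are considered)."""
    merged = {stanza: dict(kv) for stanza, kv in parse_conf(default_text).items()}
    for stanza, kv in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(kv)
    return merged


def indexed_extractions_disabled(default_text, local_text,
                                 stanzas=("splunk_disk_objects", "splunk_resource_usage")):
    """SOLNESS-5245 check: True when every listed stanza resolves INDEXED_EXTRACTIONS
    to an empty value. A stanza with no such key at all also counts as disabled."""
    effective = effective_settings(default_text, local_text)
    return all(effective.get(s, {}).get("INDEXED_EXTRACTIONS", "") == "" for s in stanzas)


def pooled_monitor_problems(inputs_text):
    """Search head pooling check: enabled monitor:// stanzas whose path still
    relies on $SPLUNK_HOME instead of an absolute path on the shared pool."""
    problems = []
    for stanza, kv in parse_conf(inputs_text).items():
        if not stanza.startswith("monitor://"):
            continue
        path = stanza[len("monitor://"):]
        enabled = kv.get("disabled", "false").lower() not in ("1", "true")
        if enabled and "$SPLUNK_HOME" in path:
            problems.append(stanza)
    return problems


# Constructed sample of the add-on's default props.conf (the value "json" is an assumption).
DEFAULT_PROPS = """
[splunk_disk_objects]
INDEXED_EXTRACTIONS = json
[splunk_resource_usage]
INDEXED_EXTRACTIONS = json
"""

# The local/props.conf override from the workaround.
LOCAL_PROPS = """
[splunk_disk_objects]
INDEXED_EXTRACTIONS =
[splunk_resource_usage]
INDEXED_EXTRACTIONS =
"""

# inputs.conf before the search head pooling change (relative path, enabled).
INPUTS_BEFORE = """
[monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = false
index = _audit
sourcetype = incident_review
"""

# inputs.conf as shown in the release notes example (relative stanza disabled, absolute pool path enabled).
INPUTS_AFTER = """
[monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = true
## Lookup is on the search head pool shared storage. Changed path below:
[monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = false
index = _audit
sourcetype = incident_review
"""

if __name__ == "__main__":
    print("INDEXED_EXTRACTIONS overridden:", indexed_extractions_disabled(DEFAULT_PROPS, LOCAL_PROPS))
    print("pool-unsafe stanzas before:", pooled_monitor_problems(INPUTS_BEFORE))
    print("pool-unsafe stanzas after:", pooled_monitor_problems(INPUTS_AFTER))
```

To use it on a live system, read the add-on's default/props.conf and local/props.conf and the app's local/inputs.conf into the three text arguments. The props.conf check has to run on every Windows search head and indexer named in the workaround, since each instance resolves its own local/ override; the inputs.conf check only matters where /etc/apps lives on the pool.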
Last modified on 26 November, 2014

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1
