Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues

The following are issues and workarounds for this version of the Splunk App for Enterprise Security.

Highlighted issues

Publication date Defect number Description
Pre-3.2 SOLNESS-5786 Splunk Enterprise users added from LDAP/AD and later disabled from the directory service do not appear to be removed from Splunk Enterprise. Attempting to remove the user displays the error:

Error occurred attempting to remove my_ldap_user: In handler 'users': Attempted to delete a user that does not exist: my_ldap_user

Workaround: From the command line, run splunk reload auth.

Pre-3.2 CIM-169 After installing the Enterprise Security app, the splunkd.log displays a warning message:
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13359 - data_source="/opt/splunk/var/log/splunk/remote_searches.log", data_host="nom_nom_nom", data_sourcetype="splunkd_remote_searches"

Workaround: Disable truncation on the indexers using the props.conf:

[splunkd_remote_searches]

TRUNCATE = 0

Configuration

Publication date Defect number Description
2014-12-4 SOLNESS-5902 During bundle replication, a large .context file may cause search timeouts.

Workaround: Update the distsearch.conf on the search head, adding the .context file to the replication blacklist.

[replicationBlacklist]
## Prevent network_traffic.context from being replicated via distsearch
nonetworktrafficcontext = apps/SA-NetworkProtection/contexts/network_traffic.context

Hardware prerequisites

Publication date Defect number Description
Pre-3.2 SOLNESS-4256 Running Splunk Enterprise on Windows with under-provisioned virtualized hardware may cause Enterprise Security setup to fail. If the instance meets the "virtualized hardware" specifications, retry the setup if it fails the first time.
Pre-3.2
A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.

This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual.

Incident Review

Publication date Defect number Description
Pre-3.2 SOLNESS-1784 Contributing events from any notable event in the Incident Review dashboard will default to "All Time" and may take a long time to return results. To workaround this issue, cancel the search and rerun with the desired time window.
Pre-3.2 SOLNESS-2508 The Incident Review dashboard feature does not work on the Solaris operating system.
Pre-3.2 SOLNESS-5072 The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2015-05-26 SOLNESS-6878 When saving the changes to a selection of more than 1000 notable events, the update will fail with the error The update failed:ResultSet.iter – timed out while waiting on data; expected 100 events, only got 0; count=xxxx.
This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.

Dashboards

Publication date Defect number Description
Pre-3.2 SOLNESS-4387 When working with individual Reports (Search > Reports), some drill down functionality may not produce desired behavior. This is dependent on the structure of the search, and the search commands being used. This should not affect shipped dashboards. If adding a report to ones own dashboard, for best results use Simple XML to define explicit drill down.
Pre-3.2 SOLNESS-5752 When using the Account Management dashboard to view Account Lockouts, a drilldown to investigate events runs slowly. This is expected behavior. A drilldown will run a historical search across all events in a data model, where the dashboard view uses only accelerated data for faster visual response.
Pre-3.2 SOLNESS-4631 When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:

Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv

Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manages the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.

Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. See "Per-Panel Filter Audit" in the Enterprise Security Installation and Configuration Manual for more information.

2014-11-07 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2014-11-13 SOLNESS-5807 The Asset Investigator swimlanes for protocol data do not display common events in the event view when a object is selected.
2014-12-04 SOLNESS-5921 Using the lookup editor under Configure > Data Enrichment > Lists and Lookups will visually truncate the number of rows in a lookup to 60 or less, rendering any unseen rows unable to be edited. The issue does not limit the functionality of the lookup, or truncate the contents.
2014-12-05 SOLNESS-5925 A link to Add a new indicator appears when adding a Key Security Indicator to an unpopulated dashboard. If the link is used to add indicators, upon saving the changes, the indicators added will fail to appear.

Reports

Publication date Defect number Description
Pre-3.2 SOLNESS-3536 In any Individual Reports window, selecting a real-time Time Range such as: 24 hour window, 30 minute window, etc. will cause a display error:

Error in 'tstats' command: This command is not supported in a real-time search.

Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.

Pre-3.2 SOLNESS-4387 When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app.

Workaround: Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.

2014-12-16 SOLNESS-5969 When adding a custom swim lane to the Enterprise Security app where the base search uses a constraint_method = string in place of an asset lookup, the swim lane fails to populate. Examining the search log shows the error: Invalid constraint field requested.
2015-01-15 SOLNESS-6054 The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2, update your audit search as needed and add the latest extractions. Example:

index=_audit sourcetype=incident_review | rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"

2015-04-24 SOLNESS-6670 When the correlation search Potential Gap in Data is enabled, the search will report false positive matches.
Workaround: Update the contents of the search.
Browse to Configure > General > Custom Searches.
Search for "Potential Gap in Data" and select the search.
Select the link to "Edit search manually"
Update the contents of the "Search" field with:
| datamodel "Splunk_Audit" "Scheduler_Activity" search | where 'Scheduler_Activity.status'="success" AND ('Scheduler_Activity.app' LIKE "Splunk_%" OR 'Scheduler_Activity.app' LIKE "SA-%" OR 'Scheduler_Activity.app' LIKE "DA-%" OR 'Scheduler_Activity.app'="SplunkEnterpriseSecuritySuite" OR 'Scheduler_Activity.app'="SplunkPCIComplianceSuite") | stats count | where 'count'=0 | eval const_dedup_id="const_dedup_id"
2016-05-23 SOLNESS-9420
Extreme search causing multiple core dump files
Workaround: Filter results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to include |where size > 0. For example:
| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count

Inputs

Publication date Defect number Description
Pre-3.2 SOLNESS-4785 The threat list emerging_threats_malvertisers_blocklist has been obsoleted]. The input has been removed from the available threat lists. For more details see the notice at the threat list site (http://rules.emergingthreats.net/blockrules/emerging-rbn-malvertisers-BLOCK.rules).
Pre-3.2 SOLNESS-4254 While configuring or editing a modular input for a threat list, the "Interval" parameter cannot be specified through the UI.

Workaround: Configure all other input parameters through the UI, and change the run "Interval" from the command line.

Pre-3.2 SOLNESS-5401 A threat list download attempt from an HTTPS URL may fail to download if proxy authentication is in use. Checking the $SPLUNK_HOME/var/log/splunk/python_modular_input.log shows an authentication failure:

2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://a.blosklist.hosting.site/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>

A patch to the Python libraries httplib and urlllib2 is required. Please contact Splunk Support and reference SOLNESS-5401.

Once the files are obtained, follow the instructions below:
1. Stop the Splunk Enterprise services on the Enterprise Security search head.
2. Backup and replace the Python libraries httplib and urlllib2 in the $SPLUNK_HOME/lib/python2.7 directory with the copies provided.
3. Restart the Splunk Enterprise services.
2014-11-25 SOLNESS-5873 When installing the Enterprise Security App on Microsoft Windows, the inputs.conf settings for enforcing the Email data model acceleration are missing.

Workaround: If the Email data model acceleration is disabled, it must be enabled again manually.

Search Head Pooling

Publication date Defect number Description
Pre-3.2
Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps/* resides on the pool, and is no longer tied to the relative path $SPLUNK_HOME.

Example: In SA-ThreatIntelligence/local/inputs.conf [monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = true

Lookup is on the search head pool shared storage. Changed path below: [monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]

disabled = false
index = _audit
sourcetype = incident_review
Last modified on 06 August, 2016
Fixed Issues   Learn More and how to get help

This documentation applies to the following versions of Splunk® Enterprise Security: 3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters