Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues

The following are issues and workarounds for this version of the Splunk App for Enterprise Security.

Hardware prerequisites

Publication date Defect number Description
Pre-3.2 A dashboard view reports: Error in 'DistributedSearchResultsCollectionManager'. Operating system thread limit reached; search could not be run.

This is expected behavior when the max user processes ulimit is too restrictive for the current load on the Splunk environment. See "Errors about ulimit in splunkd.log" in the Splunk Enterprise Troubleshooting Manual.

Incident Review

Publication date Defect number Description
3.2.1 Immediately after upgrading the Enterprise Security app, the Incident Review dashboard may not display notable events. The migration process from a .csv file to the KV Store feature implements a brief wait time to initialize the system. The first time ES comes up after the post-setup restart, there is a period where Incident Review will be unusable. The dashboard becomes usable a couple of minutes after the migration completes.
Pre-3.2 SOLNESS-2508 The Incident Review dashboard feature does not work on the Solaris operating system.
Pre-3.2 SOLNESS-5072 The maximum number of notable events displayed for editing is 1000, regardless of the filter options or total number of notable events. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2014-11-19 SOLNESS-5676 The Create Notable Event workflow action may result in a truncated notable event with missing fields.
2015-01-15 SOLNESS-6054 The format of Incident Review audit data has been optimized. To review Incident Review audit events created prior to ES 3.2.1, update your audit search as needed and add the latest extractions. Example:

index=_audit sourcetype=incident_review | rex field=_raw "^(?<end_time>[^,]*),(?<rule_id>[^,]*),(?<owner>[^,]*),(?<urgency>[^,]*),(?<status>[^,]*),(?<comment>[^,]*),(?<user>[^,]*),(?<rule_name>[^,]*)"

2015-06-01 SOLNESS-6855 While viewing the Incident Review dashboard, a workstation’s browser session can experience excessive memory growth necessitating a browser shutdown and restart. Please contact Splunk Support for a patch and reference SOLNESS-6855.
2015-06-24 SOLNESS-6858 On the Incident Review dashboard, using the check box in the header to select all Notable Events does not select all of them.
2015-07-07 SOLNESS-6861 If an RT time frame is selected on the Incident Review dashboard while sorting Notable Event results, the UI will display the error "Negative offsets are not allowed when a postprocessing search is specified."
2015-05-26 SOLNESS-6878 When saving the changes to a selection of more than 1000 notable events, the update will fail with the error The update failed:ResultSet.iter – timed out while waiting on data; expected 100 events, only got 0; count=xxxx. This is the expected behavior set by default in the limits.conf setting max_events_per_bucket, and can be changed as required.
2015-06-01 SOLNESS-6905 The Notable Event Suppressions page becomes inaccessible when a suppression entry contains trailing spaces.
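Added example, not code from Splunk or from this release note: the rex for SOLNESS-6054 above, applied in Python to constructed pre-3.2.1 audit lines. Because the rex matches every field with [^,]*, an audit comment that itself contains a comma shifts every field after it; the csv-based parser beside it keeps a double-quoted field whole, which assumes such comments were stored as a quoted CSV field (the note does not say how they were stored). Field names follow the rex; the rule_id values are placeholders.

```python
import csv
import io
import re

# Field order used by the rex in the SOLNESS-6054 row. Splunk's (?<name>...) named
# groups are written (?P<name>...) in Python; the pattern is otherwise unchanged.
INCIDENT_REVIEW_RE = re.compile(
    r"^(?P<end_time>[^,]*),(?P<rule_id>[^,]*),(?P<owner>[^,]*),(?P<urgency>[^,]*),"
    r"(?P<status>[^,]*),(?P<comment>[^,]*),(?P<user>[^,]*),(?P<rule_name>[^,]*)"
)
FIELDS = ["end_time", "rule_id", "owner", "urgency", "status", "comment", "user", "rule_name"]

# Constructed sample events in the pre-3.2.1 layout (not real audit data); rule_id
# values are placeholders. The second event's comment contains a comma and is
# assumed to have been written as a double-quoted CSV field.
SAMPLE_EVENTS = [
    "1420070400,RULE-ID-PLACEHOLDER-1,analyst1,high,in progress,Investigating,analyst1,Brute Force Access Behavior Detected",
    '1420070500,RULE-ID-PLACEHOLDER-2,analyst2,medium,closed,"False positive, scanner",analyst2,Excessive Failed Logins',
]


def extract_with_rex(raw):
    """Apply the note's rex pattern; returns a field dict, or None if it does not match."""
    m = INCIDENT_REVIEW_RE.match(raw)
    return m.groupdict() if m else None


def extract_with_csv(raw):
    """Quote-aware alternative: the csv module keeps a double-quoted field whole."""
    row = next(csv.reader(io.StringIO(raw)))
    if len(row) < len(FIELDS):
        return None
    return dict(zip(FIELDS, row[:len(FIELDS)]))


def fields_shifted(raw):
    """True when the two parsers disagree, i.e. a comma inside a field has shifted the columns."""
    by_rex, by_csv = extract_with_rex(raw), extract_with_csv(raw)
    return by_rex is None or by_csv is None or by_rex != by_csv


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print("shifted" if fields_shifted(event) else "ok", extract_with_rex(event))
```

Run fields_shifted over a sample of historical audit events before trusting the rex-based search for reporting; any event where the two parsers disagree needs the comment field handled separately.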

Installation and Upgrade

Publication date Defect number Description
Pre-3.2 CIM-169 After installing the Enterprise Security app, the splunkd.log displays a warning message:
WARN LineBreakingProcessor - Truncating line because limit of 10000 bytes has been exceeded with a line length >= 13359 - data_source="/opt/splunk/var/log/splunk/remote_searches.log", data_host="nom_nom_nom", data_sourcetype="splunkd_remote_searches"

Workaround: Disable truncation on the indexers using props.conf:

[splunkd_remote_searches]
TRUNCATE = 0

2016-01-21 SOLNESS-8243 App import settings are not correctly replicated across search heads in a search head cluster. When this happens, the app import settings will replicate without the import information, then update to include the correct information, then replicate again without the import information.

Workaround:

  1. Set up a staging server with the apps and add-ons that should be enabled and installed in your environment.
  2. Let app_imports_update.py run once on the staging server. Use the following search to determine when the script last ran.

    index=_internal source="*python_modular_input.log" file="app_imports_update.py*" "Meta-data updated" | stats latest(_time) by input | `uitime(latest(_time))`

  3. Disable the app_imports_update.py script. This generates a clean and correct list of apps.
  4. Copy the contents of the etc/apps directory on the staging server to the etc/shcluster/apps directory on the SHC deployer.
  5. Deploy the configurations.

Configuration

Publication date Defect number Description
2016-05-23 SOLNESS-9420 Extreme search causing multiple core dump files.
Workaround: Filter out results where the size is zero. Edit the problematic context gen search in the configuration file or on the Content Management page to add | where size > 0. For example:
| tstats `summariesonly` dc(All_Traffic.src) as src_count from datamodel=Network_Traffic by _time span=30m | stats count, median(src_count) as median, stdev(src_count) as size | where size>0 | xsupdateddcontext name=src_count_30m container=network_traffic terms="minimal,low,medium,high,extreme" type=median_centered width=3 app=SA-NetworkProtection scope=app | stats count

2015-04-02 SPL-99059 Modifying a data model's acceleration settings from the Settings > Data models > Edit Acceleration UI will remove any advanced configuration settings on the selected data model, such as acceleration.manual_rebuilds and acceleration.backfill_time.

Workaround: Change data model acceleration settings through direct editing of the datamodels.conf files.

2015-04-15 SOLNESS-6641 A search name containing a German umlaut cannot be opened in the Edit Correlation Search view. The JS console reports: Failed to load resource: the server responded with a status 500 (Internal Server Error).

Dashboards and Reports

Publication date Defect number Description
Pre-3.2
When using a drilldown from any dashboard panel, the drilldown displays results slower than the dashboard. This is expected behavior. A drilldown runs a historical search across all indexed events mapped to the data model, where the dashboard view uses only accelerated data model objects for a faster visual response.
Pre-3.2 SOLNESS-3536 In any Individual Reports window, selecting a real-time Time Range such as "24 hour window" or "30 minute window" causes a display error:

Error in 'tstats' command: This command is not supported in a real-time search.

Workaround: Use a relative "Time Range" such as: Last 24 hours or Last 15 minutes.

Pre-3.2 SOLNESS-4387 When adding a report to a custom dashboard in the Enterprise Security app, the report's drilldown search may not produce the desired behavior. This includes pre-defined reports included with the Enterprise Security app. The drilldown behavior is dependent on the structure of the search, and the search commands being used.
Workaround: Test all report drilldown behaviors on custom dashboards, and use Simple XML to define the drilldown search for each report as desired.
Pre-3.2 SOLNESS-4631 When using Advanced Threat dashboards, some dashboard views display a yellow warning sign triangle even if the view displays results. The warning reports:

Empty csv lookup file (contains only a header) for table 'ppf_http_category': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_http_user_agent.csv

Empty csv lookup file (contains only a header) for table 'ppf_url_length': /splunk/etc/apps/DA-ESS-NetworkProtection/lookups/ppf_new_domains.csv

This is expected behavior and is harmless. The lookup files referenced in the warning message manage the per-panel filtering feature in Enterprise Security. Per-panel filtering is used to filter or whitelist items out of dashboard views that are deemed unimportant or non-threatening.

Until the per-panel filter lookup is used, the file is empty and contains only a header. This status does not affect the functioning of the dashboard panel. For more information, see "Edit the Per-Panel Filter list" in the Enterprise Security User Manual.

2015-04-24 SOLNESS-6670 When the correlation search Potential Gap in Data is enabled, the search will report false positive matches.
Workaround: Update the contents of the search.

  1. Browse to Configure > General > Custom Searches.
  2. Search for "Potential Gap in Data" and select the search.
  3. Select the link to "Edit search manually".
  4. Update the contents of the "Search" field with:

    | datamodel "Splunk_Audit" "Scheduler_Activity" search | where 'Scheduler_Activity.status'="success" AND ('Scheduler_Activity.app' LIKE "Splunk_%" OR 'Scheduler_Activity.app' LIKE "SA-%" OR 'Scheduler_Activity.app' LIKE "DA-%" OR 'Scheduler_Activity.app'="SplunkEnterpriseSecuritySuite" OR 'Scheduler_Activity.app'="SplunkPCIComplianceSuite") | stats count | where 'count'=0 | eval const_dedup_id="const_dedup_id"

3.3.0 SOLNESS-6687 On the Threat Activity dashboard, the Group and Category drop-down filters may display comma separated values. If the values are selected, the dashboard will display "No results found."
Workaround: Update the macros.conf file for the DA-ESS-ThreatIntelligence app.

  1. Browse to Settings > Advanced Search > Search Macros.
  2. Update the contents of the following stanzas:

    [threat_groups]
    Change the definition to: `threat_group_intel` | stats count by threat_group | fields threat_group | sort + threat_group

    [threat_categories]
    Change the definition to: `threat_group_intel` | stats count by threat_category | fields threat_category | sort + threat_category

2015-05-21 SOLNESS-6788 The correlation search Default Account at Rest Detected does not properly filter out disabled accounts on Windows.
2015-05-29 SOLNESS-6809 While using the "Guided Mode" correlation search builder, if an aggregate is not created in Step 3, the error "Please select a function" is displayed and the builder cannot proceed.
2015-05-28 SOLNESS-6893 The SA-Utils App search contentinfo cannot be used in a private saved search.
2015-06-18 SOLNESS-6908 A context generating search may trigger a display of "Errors occurred while the search was executing. Therefore, search results might be incomplete."
2015-07-01 SOLNESS-6952 The macro `inactive_account_usage` used in the correlation search Inactive Account Activity Detected may choose the wrong time when performing time calculations by user. This results in spurious Notable Events.
2015-06-11 SOLNESS-6968 On the Security Posture dashboard, the panel Notable Events by Urgency displays an incorrect count of Notable Events.
2015-06-18 SOLNESS-6993 The Threat Artifacts dashboard will not display an arrow or chevron indicator when an artifact has more columns than can be displayed in the browser.
2015-07-08 SOLNESS-7054 After adding a new swimlane in the Enterprise Security app using the UI, a restart will display a stdout error for savedsearches.conf:
Invalid key in stanza [Category - My New Swimlane - MySwimlane] in /etc/apps/DA-ESS-AccessProtection/local/savedsearches.conf, line 24: actions (value: swimlane)

Workaround: Edit the savedsearches.conf stanza noted in the error message, removing the line actions = swimlane.

2015-08-28 SOLNESS-7041 When selecting an event under New Attacks in the Security Domains > Network > Intrusion Center navigation, the drill down will not work if the selected event is not within the timerange of the New Attacks view.

Inputs

Publication date Defect number Description
Pre-3.2 SOLNESS-4254 While configuring or editing a modular input for a threat list, the "Interval" parameter cannot be specified through the UI.

Workaround: Configure all other input parameters through the UI, and change the interval setting by editing the inputs.conf directly.

Pre-3.2 SOLNESS-5401 A threat list download attempt from an HTTPS URL may fail to download if proxy authentication is in use. Checking the $SPLUNK_HOME/var/log/splunk/python_modular_input.log shows an authentication failure:

2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://a.blosklist.hosting.site/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>

A patch to the Python libraries httplib and urllib2 is required. Please contact Splunk Support and reference SOLNESS-5401.

After the files are obtained, follow the instructions below:

  1. Stop the Splunk Enterprise services on the Enterprise Security search head.
  2. Back up and replace the Python libraries httplib and urllib2 in the $SPLUNK_HOME/lib/python2.7 directory with the copies provided.
  3. Restart the Splunk Enterprise services.

3.3.0 SOLNESS-6605 Creating a new TAXII feed requires the field Fields to be populated. However, it is not used for defining fields in a TAXII feed.
Workaround: Supply a dummy value for that field in order to successfully define a TAXII feed.
2015-04-23 SOLNESS-6625 A crash will occur on the whois_handler.py script when a Unicode domain name is received for a WHOIS query.
2015-04-29 SOLNESS-6695 An invalid threat list stanza will leave temporary files in the path $SPLUNK_HOME\var\run\splunk\lookup_tmp and throw errors in the python_modular_input.log
Sample: status="Unknown exception when reading input files" exc='NoneType' object has no attribute 'startswith'.
2015-05-11 SOLNESS-6766 A script to detect threat source download failures can indicate a false positive condition, causing failed downloads more than 24 hours old to raise a warning message in the SplunkWeb UI. The message
"A threat intelligence download has failed" stanza="stanza_name" status="threat list download failed after multiple retries" appears in SplunkWeb. Searching the _internal index for the threat source stanza returns:
2015-05-11 01:01:01,111 ERROR pid=111 tid=MainThread file=lookup_modinput.py:collect_files:136 status="Checkpoint file error" err="unknown path or update time" name=threat_source_name category=threatlist.

Workaround: Contact Splunk Support and reference SOLNESS-6766 for script modification guidance.

2015-05-28 SOLNESS-6811 The threat list spyeye_ip_blocklist has been obsoleted. To disable the input, browse to Configure > Data Enrichment > Threat Intelligence Downloads, find the spyeye_ip_blocklist threat list, and select Disable.
2015-06-02 SOLNESS-6903 Disabling a previously active threat list does not prevent continued matches based upon the disabled threat list contents.
2015-06-15 SOLNESS-6910 A plain text threat list will be ignored unless the extension is changed to .csv.
2015-06-15 SOLNESS-6914 A threat list input path that contains a period will prohibit the modular input from recognizing a valid directory, and prevent the threat list from being loaded.
2015-06-21 SOLNESS-6918 A threat list input may be ignored due to a missing ignore_regex parameter in the inputs.conf threat list stanza.
2015-06-23 SOLNESS-6958 A threat list download attempt from an HTTPS URL may fail to download if proxy authentication is in use.
2015-06-26 SOLNESS-6989 An updated asset or identities list placed on disk by a scripted process may not trigger the input to read and merge the changes.
2015-07-07 SOLNESS-7073 A threat list download may display an error in the python_modular_input.log ending with: ValueError: fromutc: non-None utcoffset() result required.
2015-07-24 SOLNESS-7132 The identities list fields startDate and endDate do not handle the date format "%m/%d/%Y" properly.
2015-08-28 SOLNESS-7090 Commas in a local threatlist description prevent the file from being parsed.
2015-12-28 SOLNESS-7659 The libtaxii library used by Enterprise Security does not support authenticated proxies. As a workaround, use an unauthenticated proxy if possible.
2016-08-04 SOLNESS-10052 lxml out-of-memory condition when parsing large TAXII feed documents.
Workaround: In the DA-ESS-ThreatIntelligence/local/inputs.conf file, either change the earliest time for the TAXII feed so that it pulls documents with less information, or raise the maxsize parameter of the threat intelligence manager to allow a larger document byte size. For example:

[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
# earliest reduced to one week so that the feed returns fewer documents
post_args = collection="blutmagie_de_torExits" earliest="-1w" taxii_username="guest" taxii_password="guest"
type = taxii
url = http://hailataxii.com/taxii-data

[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false
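Added example, not Splunk code: a small Python parser for the python_modular_input.log line layout quoted in the SOLNESS-5401, SOLNESS-6695, SOLNESS-6766 and SOLNESS-7073 rows above. It groups traceback lines with the ERROR line they follow and reports which known-issue signature from this section each error matches, so the conditions can be spotted in a log export without a Splunk search. The header layout is assumed from those excerpts; the sample lines are constructed from them with a placeholder hostname.

```python
import re

# Line header layout as seen in the python_modular_input.log excerpts in this section.
# The " | " separator before the message is optional: one excerpt has it, one does not.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"pid=(?P<pid>\d+) tid=(?P<tid>\S+) file=(?P<file>\S+)\s*(?:\|\s*)?(?P<msg>.*)$"
)
# key=value pairs inside the message; double-quoted values may contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Message fragments lifted from the known-issue rows above, with the defect each row cites.
SIGNATURES = [
    ("407 Proxy Authentication Required", "SOLNESS-5401", "HTTPS download through an authenticating proxy"),
    ("Checkpoint file error", "SOLNESS-6766", "download-failure warning may be a false positive"),
    ("Unknown exception when reading input files", "SOLNESS-6695", "invalid threat list stanza"),
    ("fromutc: non-None utcoffset() result required", "SOLNESS-7073", "date handling error during download"),
]

# Constructed sample log (hostname is a placeholder); the last record carries a traceback.
SAMPLE_LOG = """\
2014-01-01 01:01:01,001 ERROR pid=4000 tid=download_an_ip_blocklist file=protocols.py:run:246 | Caught URLError when querying https://blocklist.example.invalid/blocklist.php?download=blocklist: reason=Tunnel connection failed: 407 Proxy Authentication Required exc=<urlopen error Tunnel connection failed: 407 Proxy Authentication Required>
2015-05-11 01:01:01,111 ERROR pid=111 tid=MainThread file=lookup_modinput.py:collect_files:136 status="Checkpoint file error" err="unknown path or update time" name=threat_source_name category=threatlist
2015-06-15 02:00:00,000 INFO pid=112 tid=MainThread file=lookup_modinput.py:run:90 | status="Download complete" name=example_list
2015-07-07 03:00:00,000 ERROR pid=113 tid=download_example_feed file=protocols.py:run:300 | Unhandled exception in download thread
Traceback (most recent call last):
  File "protocols.py", line 300, in run
ValueError: fromutc: non-None utcoffset() result required.
"""


def parse_log(text):
    """Group lines into records. Lines without a header (traceback lines) are appended
    to the previous record's message so the exception text stays attached to its ERROR."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["kv"] = {k: (q if u == "" else u) for k, q, u in KV_RE.findall(rec["msg"])}
            records.append(rec)
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def match_known_issues(text):
    """Return one hit per ERROR record whose message carries a known-issue signature.
    The stanza is taken from name= when present, otherwise from the thread id."""
    hits = []
    for rec in parse_log(text):
        if rec["level"] != "ERROR":
            continue
        for needle, defect, summary in SIGNATURES:
            if needle in rec["msg"]:
                hits.append({
                    "ts": rec["ts"],
                    "stanza": rec["kv"].get("name", rec["tid"]),
                    "defect": defect,
                    "summary": summary,
                })
    return hits


if __name__ == "__main__":
    for hit in match_known_issues(SAMPLE_LOG):
        print("%(ts)s %(stanza)s %(defect)s: %(summary)s" % hit)
```

Feed it the contents of $SPLUNK_HOME/var/log/splunk/python_modular_input.log; a hit for SOLNESS-6766 on a stanza whose downloads have since succeeded is the false-positive case that row describes.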

Search Head Pooling

Publication date Defect number Description
Pre-3.2
Any stanza in inputs.conf that references an object in the shared pool mount must use an absolute path. In Enterprise Security, an audited lookup table requires an input. That input stanza must be updated when using search head pooling since /etc/apps/* resides on the pool, and is no longer tied to the relative path $SPLUNK_HOME.

Example: In SA-ThreatIntelligence/local/inputs.conf, the stanza references the lookup through the relative path:

[monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = true

With the lookup on the search head pool shared storage, the path is changed to an absolute path:

[monitor:///the/shared/storage/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = false
index = _audit
sourcetype = incident_review
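Added example, not Splunk code: a Python lint for inputs.conf fragments like the ones in the Inputs section (SOLNESS-10052 workaround) and in this Search Head Pooling section. It parses stanzas while keeping repeated keys, checks threatlist stanzas for a missing ignore_regex (SOLNESS-6918) or interval (which SOLNESS-4254 says cannot be set from the UI), flags a key repeated inside post_args, and, when search head pooling is on, flags monitor stanzas whose path is not absolute. The sample conf is constructed from the stanzas on this page with a deliberately duplicated earliest= key so the check has something to find; treating any $SPLUNK_HOME reference as a relative path is an assumption.

```python
import shlex
from collections import Counter, OrderedDict

# Constructed sample inputs.conf built from the stanzas on this page. The duplicated
# earliest= in post_args is deliberate, to exercise the duplicate-key check.
SAMPLE_INPUTS_CONF = """
[threatlist://hailataxii_torexit]
description = Hail a TAXII.com TOR LIST
disabled = false
interval = 86400
post_args = collection="blutmagie_de_torExits" earliest="-1y" taxii_username="guest" taxii_password="guest" earliest="-1w"
type = taxii
url = http://hailataxii.com/taxii-data

[threat_intelligence_manager://sa_threat_local]
directory = $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/threat_intel
disabled  = true
maxsize   = 52428800
sinkhole  = false

[monitor://$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/lookups/incident_review.csv]
disabled = false
index = _audit
sourcetype = incident_review
"""


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: [(key, value), ...]}. Repeated keys are
    kept in order so a linter can see them; blank and comment lines are skipped."""
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current].append((key.strip(), value.strip()))
    return stanzas


def parse_post_args(value):
    """post_args is a space-separated list of key="value" tokens; returns pairs in order."""
    pairs = []
    for token in shlex.split(value):
        key, sep, val = token.partition("=")
        if sep:
            pairs.append((key, val))
    return pairs


def lint_inputs(text, search_head_pooling=False):
    """Return (stanza, reference, message) tuples for the conditions described in the lead-in."""
    findings = []
    for stanza, items in parse_conf(text).items():
        keys = dict(items)  # last value wins, matching how a repeated key resolves
        scheme, _, target = stanza.partition("://")
        if scheme == "threatlist":
            if "ignore_regex" not in keys:
                findings.append((stanza, "SOLNESS-6918", "ignore_regex is missing; the input may be ignored"))
            if "interval" not in keys:
                findings.append((stanza, "SOLNESS-4254", "interval is not set; set it here, the UI cannot"))
            counts = Counter(k for k, _ in parse_post_args(keys.get("post_args", "")))
            for key, n in counts.items():
                if n > 1:
                    findings.append((stanza, "post_args", "%s appears %d times; keep a single value" % (key, n)))
        elif scheme == "monitor" and search_head_pooling:
            if "$SPLUNK_HOME" in target or not target.startswith("/"):
                findings.append((stanza, "search-head-pooling", "monitored path must be absolute on the shared pool storage"))
    return findings


if __name__ == "__main__":
    for stanza, ref, msg in lint_inputs(SAMPLE_INPUTS_CONF, search_head_pooling=True):
        print("%s [%s] %s" % (stanza, ref, msg))
```

Point it at the local/inputs.conf of each ES app before deploying a configuration bundle; pass search_head_pooling=True only where the pool is in use, since the absolute-path requirement applies to pooled search heads alone.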
Last modified on 06 August, 2016

This documentation applies to the following versions of Splunk® Enterprise Security: 3.3.0

