This documentation does not apply to the most recent version of Splunk® Enterprise Security.
Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security.<br>Workaround: Remove the Advanced XML module folder and its contents from the installation, for instance `$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor`. |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causes a TLS handshake failure on TAXII feeds.<br>Workaround: Update libtaxii to version 1.1.114 in `$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib`. |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempting to "stop managing" produces a "could not be found" error. |
2019-06-19 | SOLNESS-19257 | UBA Asset/Identity Investigator swimlanes never return results.<br>Workaround: Override `action.swimlane.constraint_fields` for the four swimlane searches in `SA-UEBA/local/savedsearches.conf` (see the SOLNESS-19257 configuration under Workaround configurations below). |
2019-04-30 | SOLNESS-18800, SOLNESS-18789 | `SA-EndpointProtection/default/savedsearches.conf` defines the `schedule_window` key twice. |
2019-04-30 | SOLNESS-18801, SOLNESS-18790 | `SA-ThreatIntelligence/default/savedsearches.conf` defines the `action.keyindicator.drilldown_uri` key twice. |
2019-04-26 | SOLNESS-18776, SOLNESS-18621 | Threat intelligence definition names containing special characters are ignored.<br>Workaround: Avoid threat intelligence names that contain a "." or an "&" character. |
2019-04-12 | SOLNESS-18661 | Hardcoded `http` URI in `whois_handlers.py`. |
2019-04-12 | SOLNESS-18662 | The whois modular input does not permit realm specifications for `api_user` or `proxy_user`.<br>Workaround: Remove the realm from the credential. |
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports. |
2019-02-12 | SOLNESS-17965 | The "Email Address Matches" generating search does not match domains properly.<br>Workaround: Override the `[Threat - Email Address Matches - Threat Gen]` search in `DA-ESS-ThreatIntelligence/local/savedsearches.conf`, either locally or via the UI, with the search under SOLNESS-17965 in Workaround configurations below. |
2018-12-17 | SOLNESS-17291, RTO-337 | `expandtoken` errors with "field larger than field limit".<br>Workaround: Raise the Python `csv` module field size limit from its 128 KB default to 10 MB, as shown under SOLNESS-17291 in Workaround configurations below. |
2018-12-16 | SOLNESS-17285 | Custom role inheritance does not work in the ES app after upgrade.<br>Workaround: Contact Splunk Support for a patch. |
2018-11-21 | SOLNESS-17081 | Notable events are populated with `info_max_time="+Infinity"` and `info_min_time="0.000"` when `alert.digest_mode=0` is set in savedsearches.conf. |
2018-10-10 | SOLNESS-16774 | Index Time Delta: improper `timeDiff` computation causes false negatives. |
2018-10-04 | SOLNESS-16696 | Error in the error logging in `managed_nav_rest_handler.py`. |
2018-09-19 | SOLNESS-16577 | The ES Investigation dashboard sorts the Created and Last Modified columns incorrectly. |
2018-09-18 | SOLNESS-16563 | The `globedistance` macro units syntax does not match its usage in the summary generation search.<br>Workaround: In "Access - Geographically Improbable Access - Summary Gen", pass the units as a field rather than a quoted literal, as shown under SOLNESS-16563 in Workaround configurations below. |
2018-09-05 | SOLNESS-16498 | Navigation dividers do not render on certain views. |
Workaround configurations
SOLNESS-19257: add the following overrides to SA-UEBA/local/savedsearches.conf.

```ini
[UEBA - UEBA Threats By Asset - Swimlane]
action.swimlane.constraint_fields = All_UEBA_Events.dvc,dvc

[UEBA - UEBA Threats By Identity - Swimlane]
action.swimlane.constraint_fields = All_UEBA_Events.user,user

[UBA - UBA Anomalies By Asset - Swimlane]
action.swimlane.constraint_fields = All_UEBA_Events.dvc,dvc

[UBA - UBA Anomalies By Identity - Swimlane]
action.swimlane.constraint_fields = All_UEBA_Events.user,user
```

SOLNESS-17965: apply the following override to DA-ESS-ThreatIntelligence/local/savedsearches.conf (the search value is a single line).

```ini
## DA-ESS-ThreatIntelligence/local/savedsearches.conf
[Threat - Email Address Matches - Threat Gen]
search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight
```

SOLNESS-17291, RTO-337: raise the Python csv module field size limit.

```python
# The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for
csv.field_size_limit(10485760)
```

SOLNESS-16563: in "Access - Geographically Improbable Access - Summary Gen", the search as shipped passes the units to `globedistance` as a quoted literal:

```spl
eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")`
```

Replace it with the following, which sets the units in a field and passes that field to the macro:

```spl
eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)`
```
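The SOLNESS-17291 workaround above raises the Python csv module's field size limit. The following stand-alone Python is an added example, not part of this page or of Splunk's code: it reproduces the "field larger than field limit" failure on a constructed CSV row whose second field exceeds the 128 KB default, then shows that the 10 MB value from the workaround lets the same row parse. `build_oversized_row` and `parse_with_limit` are hypothetical helper names chosen for the demonstration, and the row content is constructed sample data.

```python
import csv
import io

# Python's csv module refuses any single field longer than this many characters.
DEFAULT_LIMIT = 128 * 1024          # 131072, the csv module default
ES_WORKAROUND_LIMIT = 10485760      # 10 MB, the value in the SOLNESS-17291 workaround


def build_oversized_row(field_length: int) -> str:
    """Constructed sample: one lookup-style CSV row whose second field is
    `field_length` characters long (e.g. a very large threat-intel value)."""
    return "threat_key," + ("A" * field_length) + "\n"


def parse_with_limit(csv_text: str, limit: int):
    """Parse csv_text under the given field size limit.

    Returns (rows, None) on success or (None, error_message) when the csv module
    rejects a field. csv.field_size_limit() is process-global, so the previous
    value is restored afterwards; the real workaround sets it once at import time.
    """
    previous = csv.field_size_limit(limit)
    try:
        rows = list(csv.reader(io.StringIO(csv_text)))
        return rows, None
    except csv.Error as exc:
        return None, str(exc)
    finally:
        csv.field_size_limit(previous)


if __name__ == "__main__":
    row = build_oversized_row(200_000)   # 200 KB field: above 128 KB, below 10 MB
    rows, err = parse_with_limit(row, DEFAULT_LIMIT)
    print("default limit:", err)                       # field larger than field limit (131072)
    rows, err = parse_with_limit(row, ES_WORKAROUND_LIMIT)
    print("10 MB limit: parsed", len(rows[0]), "fields")
```

The raised limit is still a ceiling: a field longer than 10485760 characters fails with the same error, so lookups with larger values need a bigger limit or a shorter field.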
Last modified on 11 November, 2019
This documentation applies to the following versions of Splunk® Enterprise Security: 5.1.1