Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.0.1 was released on March 3, 2022. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.
This release includes the following known issues:
Date filed | Issue number | Description |
---|---|---|
2023-05-15 | SOLNESS-35888 | Asset and identity data does not merge as expected. |
2023-02-06 | SOLNESS-34719 | Performance of Enterprise Security might be impacted if the modular_action_invocations takes too long to run. |
2023-01-03 | SOLNESS-34301 | Console JS error when trying to open the Risk Event Timeline for a risk notable. |
2022-12-19 | SOLNESS-34219 | Workflow action on ES does not populate the $field$ in Incident Review. |
2022-11-17 | SOLNESS-33744 | The eventtype website_watchlist does not exist or is disabled due to empty searches in the default eventtypes from DA-ESS-NetworkProtection. Workaround: Disable the eventtypes locally and set a placeholder value for the search (although disabling the eventtypes alone should be sufficient). In the local eventtypes.conf stanza: `[website_watchlist]` with `search = noop`. In DA-ESS-NetworkProtection/local/tags.conf: `[eventtype=website_watchlist]` with `watchlist = disabled` and `web_watchlist = disabled`. |
2022-11-08 | SOLNESS-33486 | Identity Investigator dashboard does not filter or escape mydomain/username. |
2022-10-03 | SOLNESS-32886 | Use original time as the basis for the risk event timeline while using risk based alerting in Splunk Enterprise Security. |
2022-10-03 | SOLNESS-32889 | Creating a correlation search might result in the following error message: "Cannot read properties of undefined (reading 'trim')". |
2022-09-21 | SOLNESS-32798 | Special character handling issues for risk objects in Incident Review. Workaround: If a correlation search is handling special characters incorrectly, the drill-down search within the notable under Adaptive Response Actions must be updated. Change the tokenized value that is wrapped in quotes by removing the quotes and adding the correct token filter, in this case `|s`. For example, for the correlation search "Risk Threshold Exceeded For Object Over 24 Hour Period", update the risk object within the Adaptive Response Action drill-down search for the notable: change the risk object in the SPL from `risk_object="$risk_object$"` to `risk_object=$risk_object|s$`. |
2022-09-21 | SOLNESS-32782 | DA-ESS-AccessProtection searches "Change - Account Lockouts" and "Change - Number Of Account Lockouts" must use All_Changes.action instead of All_Changes.result. |
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |
2022-09-14 | SOLNESS-32650 | Clicking on a risk factor in the Content Management always displays the first risk factor. |
2022-09-07 | SOLNESS-32604 | Incident Review does not send "search" workflow actions to the Search page. |
2022-08-17 | SOLNESS-32194 | Filter and search issues on the Notable Event Suppression page. |
2022-08-12 | SOLNESS-32134 | Correlation search for ES Threat Activity Detected is incorrect. |
2022-08-11 | SOLNESS-32131 | Unable to edit lookup files in Splunk Enterprise Security using Content Management. |
2022-08-08 | SOLNESS-31995 | The custom filter on the Incident Review page truncates to the maximum screen resolution without providing a scroll bar and access to Manage filter. Workaround: Zoom out to access all filters and retrieve access to the *Manage filter* button located at the bottom of the dropdown. |
2022-07-08 | SOLNESS-31614 | Having a "delim regex" causes the "extract regex" to be ignored. |
2022-07-08 | SOLNESS-31613, SOLNESS-31949 | Removing the "skip header lines" causes an exception. |
2022-07-07 | SOLNESS-31605, SOLNESS-32641 | Lookups must have a maximum size limit specified in threatlist.py. |
2022-06-13 | SOLNESS-31295, SOLNESS-30377 | Extreme lag in displaying dropdown values for large amounts of data, e.g., Short ID. |
2022-06-06 | SOLNESS-31223 | Slow performance for the Content Management and Incident Review dashboards. Workaround: n/a |
2022-04-21 | SOLNESS-30831 | ES upgrade from 6.4.1 to 7.0.1 fails with status="500". Workaround: None. |
2022-04-20 | SOLNESS-30798 | A correlation search with double quotes in its name breaks source filtering logic on the Incident Review page. |
2022-04-19 | SOLNESS-30750 | Some portions of the UI render white in ES dark mode. |
2022-04-19 | SOLNESS-30749 | Excessively large threat intelligence sources are not ingested by the Splunk Enterprise Security Threat Intelligence framework. |
2022-03-01 | SOLNESS-30155 | Make the Contributing Events link always work in the Risk Event Timeline. |
2022-02-07 | SOLNESS-34215 | Recent risk modifiers drill-down shows no results after five minutes. |
2022-01-31 | SOLNESS-29825 | Short IDs created before upgrading to ES 7.0 do not show up in Incident Review even though the Short ID is in the notable_xref_lookup. Workaround: When you upgrade Splunk Enterprise Security to version 7.0.0 or higher, the short IDs for notables that were created prior to the upgrade are not displayed on the Incident Review page. However, you can recreate all the short IDs that were available prior to the upgrade. |
2022-01-12 | SOLNESS-29657 | Clicking the Actions dropdown for notables on the Incident Review page results in a blank page. Workaround: Ensure that the following workflow actions are enabled: modaction_results and modaction_invocations. You can enable these two default workflow actions using the Splunk Enterprise Security UI as follows: |
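As an added illustration of why the SOLNESS-32798 workaround swaps `"$risk_object$"` for `$risk_object|s$` (this is example code, not from Splunk's documentation or product): a small Python model of dashboard token substitution. `quote_for_spl` assumes the documented behaviour of the `|s` token filter (wrap the value in double quotes and backslash-escape embedded quotes and backslashes), and `spl_is_well_formed` is a constructed quote-balance check, not Splunk's SPL parser.

```python
import re

# Constructed sample templates: the form the workaround says to replace,
# and the corrected form that applies the |s token filter.
NAIVE_TEMPLATE = 'index=risk risk_object="$risk_object$"'
SAFE_TEMPLATE = 'index=risk risk_object=$risk_object|s$'

# Matches $name$ and $name|s$ tokens as used in drill-down searches.
TOKEN_RE = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)(\|s)?\$')


def quote_for_spl(value: str) -> str:
    """Assumed model of the |s filter: quote the value and escape
    backslashes and double quotes inside it."""
    return '"' + value.replace('\\', '\\\\').replace('"', '\\"') + '"'


def render(template: str, tokens: dict) -> str:
    """Substitute tokens the way a dashboard would: raw for $name$,
    quoted/escaped for $name|s$."""
    def sub(match):
        name, flt = match.group(1), match.group(2)
        value = tokens.get(name, '')
        return quote_for_spl(value) if flt else value
    return TOKEN_RE.sub(sub, template)


def spl_is_well_formed(spl: str) -> bool:
    """Constructed check: the search must not end inside an open quoted
    literal. A backslash inside quotes escapes the next character."""
    in_quote, i = False, 0
    while i < len(spl):
        ch = spl[i]
        if ch == '\\' and in_quote:
            i += 2  # skip the escaped character
            continue
        if ch == '"':
            in_quote = not in_quote
        i += 1
    return not in_quote


if __name__ == '__main__':
    # Constructed risk object containing a double quote, as a user or
    # host name taken from event data might.
    risky = {'risk_object': 'svc"admin'}
    for name, tpl in (('naive', NAIVE_TEMPLATE), ('safe', SAFE_TEMPLATE)):
        spl = render(tpl, risky)
        print(f'{name}: {spl}  well-formed={spl_is_well_formed(spl)}')
```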
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1