Known issues
Date filed | Issue number | Description |
---|---|---|
2025-05-19 | SOLNESS-51392 | After upgrading to ES v8.0.40 or v8.1, the error "Definition is invalid" appears when accessing a dashboard (for example, the risk analysis dashboard) that was modified before the upgrade. Workaround: close the error modal, edit the dashboard through the UI, make a small change, and save. The definition is automatically updated to the new schema and the error message disappears; revert the change and save again if needed. For the risk analysis page, which has no edit button, save a copy of the local definition file for restoration purposes, remove the local definition file from the backend, and restart. |
Date filed | Issue number | Description |
---|---|---|
2025-05-19 | BLUERIDGE-16715 | Finding's side panel metafields reset after clicking the Back to Queue button from an investigation. Workaround: Refreshing sometimes works. |
2025-05-02 | BLUERIDGE-16301 | Urgency is incorrect on the side panel for findings created through detections with automation rule configured |
2025-04-29 | BLUERIDGE-16107 | ACS request fails in SHC for querying IP allow list |
2025-04-29 | BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 | Reflect the MC note created_time/updated_time on findings' update_time |
2025-04-22 | BLUERIDGE-16006, BLUERIDGE-15855 | Wrong id sent while bulk update Assign to me for a finding |
2025-04-17 | BLUERIDGE-15954 | Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used. |
2025-04-16 | BLUERIDGE-15899 | Large number of tokens generated during mc soar allowlist validation |
2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster redirection issues. Workaround: Change all non-FQDN hostname references to FQDNs in the server.conf configuration file; however, this might increase the load on the DNS. Alternatively, edit /etc/hosts on each search head cluster member to map the IP address to the search head's FQDN hostname. Alternatively, you can disable the search head cluster redirection framework; however, this can lead to data loss or data corruption (for example, duplicate HRIDs). You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command: |
2025-03-03 | BLUERIDGE-15433, BLUERIDGE-16077 | Last updated field shows N/A after reloading |
2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side panel intermittently don't work after you have opened an investigation and gone back to the Analyst Queue without selecting another side panel. Workaround: Close and re-open the side panel or select another finding. |
2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources. Workaround: Remove `source` before sending to the detection by adding `| fields - source` to the end of the search. |
2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show "unassigned" if no status is assigned, which can be confusing |
Date filed | Issue number | Description |
---|---|---|
2022-03-25 | SINT-7432 | Cloning MITRE is blocked in the UI for several back releases. |
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.40