Fixed Issues
The following issues have been resolved for this release of the Splunk App for Enterprise Security.
- Asset expansion for /24 and smaller subnets is failing. (SOLNESS-5251)
- While the data model acceleration backfill process is running, the search head and indexers will experience very high load and the Enterprise Security dashboards may not populate. (SOLNESS-4644) (SPL-73529)
- While the data model acceleration backfill process is running, a Splunk Enterprise service restart may leave orphaned processes. An orphaned process can occur on either the indexers or search heads. (SOLNESS-4644) (SPL-73529)
- If the data models included in Enterprise Security are modified to include additional fields, a backfill job will begin. While the backfill process is running, the search head and indexers will experience very high load and the Enterprise Security dashboards may not populate. (SPL-81167)
- Enterprise Security changes the default behavior of real-time searching by enforcing indexed real-time. The setting is global and applies to all other apps on the same search head. (SPL-76910) (SOLNESS-4435)
- Large lookups fail in a distributed environment. With default settings, any lookup > 10MB will create an index (.tsidx) alongside the lookup file. (SPL-74438)
- Attempts to move external lookup files into the Asset and Identities Management system will generate an error in splunkd.log and in python_modular_input.log. (SOLNESS-4830)
- A notable event created from a search shows object details in the Original Event field in raw events. (SOLNESS-4470)
- TA-mcafee uses Python scripts to collect McAfee EPO data. The script mcafee_epo.py depends on the Python bundled with Splunk Enterprise, which prevents it from running on other Python installations. (ADDON-894)
- The implementation of the WHOIS modular input used on the New Domain Analysis dashboard is inefficient for large deployments. The methodology used to identify and parse top level domains from URLs can place excessive requests for information from the WHOIS provider. (SOLNESS-4554)
- The WHOIS modular input IP address queries will not automatically be resolved to hostnames, as the act of resolving can create a security risk by alerting the attacker of an investigation. (SOLNESS-4972)
- The Splunk_TA_nix events of sourcetype=fs_notification do not have the file path extracted properly for the Change_Analysis::Filesystem_Changes data model.
- The Splunk_TA_windows events of sourcetype=fs_notification do not have the file path extracted properly for the Change_Analysis::Filesystem_Changes data model.
- The TA_splunk events of sourcetype=audittrail do not have the file path extracted properly for the Change_Analysis::Filesystem_Changes data model.
- The Identity Manager modular input may not re-execute if the previous run failed. This condition can occur during the scripted setup, or during a rapid sequence of manual restarts of the splunkd service. (SOLNESS-4555)
- When the Splunk App for Enterprise Security is running on Splunk Enterprise 6.x with FIPS compatibility enabled, using the Correlation Search Configuration view will cause Splunk Enterprise to crash. (SOLNESS-4616)
- A modular input script on Windows may report "A script exited abnormally" input="path\to\file\Splunk\bin\splunk-perfmon.exe" stanza="default" status="exited with code -1". (SOLNESS-4629)
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1