Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed | Issue number | Description
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove the Advanced XML module folder and its contents from the installation. For instance:

 $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor
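The following helper is an added example and not Splunk's code. It generalizes the instruction above: it lists every Advanced XML module directory under <app>/appserver/modules/ for all installed apps, and moves a chosen module out of the installation into a backup directory instead of deleting it, so the change can be reverted if Splunk Web still fails to start. The backup directory name and the temporary installation tree built in demo() are constructed for the example.

```python
import shutil
import tempfile
from pathlib import Path


def find_advanced_xml_modules(splunk_home):
    """Return every Advanced XML module directory under <app>/appserver/modules/.

    Checks all apps, not only SA-Utils, because any such module can stop Splunk Web
    from starting after the upgrade.
    """
    apps = Path(splunk_home) / "etc" / "apps"
    found = []
    for modules_dir in sorted(apps.glob("*/appserver/modules")):
        found.extend(p for p in sorted(modules_dir.iterdir()) if p.is_dir())
    return found


def quarantine_module(module_dir, backup_root):
    """Move a module directory to <backup_root>/<app>/<module> rather than deleting it."""
    module_dir = Path(module_dir)
    # layout is <app>/appserver/modules/<module>, so parents[2] is the app directory
    app = module_dir.parents[2].name
    dest = Path(backup_root) / app / module_dir.name
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(module_dir), str(dest))
    return dest


def demo():
    """Constructed installation tree in a temp dir (assumption: not a real SPLUNK_HOME).

    Returns (modules before, where the module was moved, modules after, file preserved).
    """
    root = Path(tempfile.mkdtemp())
    mod = root / "etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor"
    mod.mkdir(parents=True)
    (mod / "SOLNLookupEditor.py").write_text("# placeholder module file\n")
    (root / "etc/apps/SA-Utils/default").mkdir(parents=True)  # unrelated dir, must be ignored

    before = [p.relative_to(root).as_posix() for p in find_advanced_xml_modules(root)]
    moved = quarantine_module(mod, root / "advanced_xml_backup")
    after = [p.relative_to(root).as_posix() for p in find_advanced_xml_modules(root)]
    preserved = (moved / "SOLNLookupEditor.py").is_file()
    return before, moved.relative_to(root).as_posix(), after, preserved


if __name__ == "__main__":
    print(demo())
```

Run find_advanced_xml_modules against the real $SPLUNK_HOME first and review the list; quarantine only the module named in the workaround unless you have confirmed the others are also Advanced XML modules.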
 

Uncategorized issues

Date filed | Issue number | Description
2020-01-07 | SOLNESS-21102, SOLNESS-21222 | Risk Framework: Lookup Gen search does not dedup multivalue fields, which skews results on the Incident Review page
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds

Workaround:
Update libtaxii to version 1.1.114 in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib. The contrib directory ships with the app, so confirm the updated library is still in place after an app upgrade. Do not work around the handshake failure by disabling certificate verification on the feed.
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error: could not be found
2019-05-01 | SOLNESS-18806, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to the threat_key name of a lookup
2019-04-26 | SOLNESS-18774, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to the threat_key name of a lookup
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user

Workaround:
Remove the realm from the credential.
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py
2019-04-11 | SOLNESS-18656, SOLNESS-19159 | Identity correlation not favoring string lookup over CIDR when max_memtable_bytes is exceeded
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search not domain matching properly

Workaround:
The following override can be applied in local configuration or through the UI (the search is shown with backslash line continuations for readability; it is a single search value):

## DA-ESS-ThreatIntelligence/local/savedsearches.conf
[Threat - Email Address Matches - Threat Gen]
search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email \
  | eval email='All_Certificates.SSL.ssl_issuer_email' \
  | eval threat_match_field="ssl_issuer_email" \
  | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email \
  | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) \
  | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) \
  | `sistats_values_rename(All_Certificates.src,src)` \
  | `sistats_values_rename(All_Certificates.dest,dest)` \
  | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user \
  | eval email=if(isnull(email),'All_Email.src_user',email) \
  | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) \
  | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient \
  | eval email=if(isnull(email),'All_Email.recipient',email) \
  | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) \
  | `sistats_values_rename(All_Email.src,src)` \
  | `sistats_values_rename(All_Email.dest,dest)` \
  | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field \
  | extract cim_email_domain \
  | `truncate_domain_dedup(email_domain,truncated_email)` \
  | lookup update=true threatintel_by_email email OUTPUT \
  | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW \
  | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW \
  | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW \
  | search threat_collection_key=* \
  | `mvtruncate(src)` \
  | `mvtruncate(dest)` \
  | `zipexpand_threat_matches` \
  | table sourcetype,src,dest,email,threat*,weight
2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade
2018-12-17 | SOLNESS-17291, RTO-337 | expandtoken errors with "field larger than field limit"

Workaround:
# The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for
# the background on issues surrounding field sizes.
# (this method is new in python 2.5)
import csv

csv.field_size_limit(10485760)

https://answers.splunk.com/answers/709747/error-field-larger-than-field-limit-131072.html#answer-709749
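The following is an added example, not code from the page or from Splunk: it reproduces the "field larger than field limit" error with Python's csv module on a constructed record whose field exceeds the 128 KiB default, and shows that raising the limit to the 10 MiB value from the workaround lets the same record parse. The limit is process-global, so the helper restores the previous value afterwards; the 200000-character payload is a constructed stand-in for an oversized token value.

```python
import csv
import io

DEFAULT_LIMIT = 131072      # the csv module's default field size limit (128 KiB)
RAISED_LIMIT = 10485760     # 10 MiB, the value used in the workaround above


def parse_with_limit(text, limit):
    """Parse CSV text under a given field size limit.

    Returns (rows, error): rows is the parsed list of records and error is the
    csv.Error message, or None on success. csv.field_size_limit() returns the
    previous limit, which is restored in the finally block because the setting
    is global to the interpreter.
    """
    old = csv.field_size_limit(limit)
    try:
        return list(csv.reader(io.StringIO(text))), None
    except csv.Error as exc:
        return [], str(exc)
    finally:
        csv.field_size_limit(old)


def build_sample(field_len):
    """Constructed input: a header plus one record whose second field is field_len chars."""
    return "key,payload\nnotable1," + ("A" * field_len) + "\n"


def demo(field_len=200000):
    """Return (error at default limit, error at raised limit, payload length parsed)."""
    _, err_default = parse_with_limit(build_sample(field_len), DEFAULT_LIMIT)
    rows, err_raised = parse_with_limit(build_sample(field_len), RAISED_LIMIT)
    payload_len = len(rows[1][1]) if len(rows) > 1 else 0
    return err_default, err_raised, payload_len


if __name__ == "__main__":
    print(demo())
```

Because the limit is global, set it once at import time of the affected module (as the workaround does) rather than around individual reads, and keep the value bounded: a limit large enough to accept any field also removes the protection the default provides against unbounded memory use on a malformed file.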

2018-12-11 | SOLNESS-17293 | Expected Host Not Reporting correlation does not persist host tags
2018-11-27 | SOLNESS-17111 | Incident Review - Unable to type names when assigning Enterprise Security notables
2018-10-10 | SOLNESS-16774 | Index Time Delta: Improper timeDiff computation causes false negatives
2018-10-04 | SOLNESS-16696 | Error in error logging in managed_nav_rest_handler.py
2018-10-02 | SOLNESS-16673 | ES Installer -- FIPS never gets enabled
2018-09-27 | SOLNESS-16650 | Correlation search "High Number of Hosts Not Updating Malware Signatures" can cause performance issues

Workaround:
Remove 'values(dest) as dest' from the out-of-the-box SPL and replace it with a simple count of affected hosts. Analysts can use the drilldown search to see which hosts were affected.
2018-09-26 | SOLNESS-16641 | Investigation migration stack trace
2018-09-19 | SOLNESS-16573 | Add a collaborator search box missing
2018-09-18 | SOLNESS-16563 | globedistance macro units syntax does not match usage in summary gen search

Workaround:
In the search "Access - Geographically Improbable Access - Summary Gen", the units argument is passed to the globedistance macro as a quoted literal, whereas the macro expects a field. The following syntax:

eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")`

should be:

eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)`
2018-09-15 | SOLNESS-16550 | Workbench Inventory Panel treating user token as an asset
2018-09-05 | SOLNESS-16498 | Navigation Dividers Do Not Render When On Certain Views
2018-09-04 | SOLNESS-16446 | Extreme Search commands fail randomly when using Scheduled Searches
2018-08-30 | SOLNESS-16418 | Identity Correlation: Handler doesn't bubble up certain timeouts
2018-08-15 | SOLNESS-16219 | Identity Management: inputs.conf ootb disablement does not align with macros.conf
2018-08-14 | SOLNESS-16189 | Error message shown when editing notable events in the Incident Review dashboard: "The update failed: ResultSet.__iter__ -- timed out while waiting on data; expected 16 events, only got 15; count=16"
2018-07-30 | SOLNESS-15963 | Incident Review - History does not work properly when no comment is added
2018-07-24 | SOLNESS-15929 | Incident Review: Comment field is cached when you cancel a notable event edit
2018-07-19 | SOLNESS-15901 | Ad hoc risk does not store the current user (creator)
2018-06-22 | SOLNESS-15800 | Multi-select drag on Asset Investigator does not display details on the screen; the Chrome JavaScript console shows "Uncaught TypeError: Cannot read property 'sign_board' of undefined."

Workaround:
None.
2018-06-15 | SOLNESS-15669, SOLNESS-15462 | Select icon returns "Error reading icon collection..."
2018-05-31 | SOLNESS-15559, SOLNESS-15872 | Glass Table drill down doesn't open a new tab
2018-05-25 | SOLNESS-15528 | Threat Intel parsing error when documents without stanzas are parsed
2018-05-25 | SOLNESS-15524 | The orig_rid field for notable events has overlapping (instead of unique) values for realtime correlation searches

Workaround:
Upgrade to Splunk Enterprise 7.1.2 or later.
2018-05-18 | SOLNESS-15456, SOLNESS-15402 | Incident Review: non-admin users cannot tag notable events

Workaround:
Update the ACLs for SA-ThreatIntelligence (in the app's metadata/local.meta) to give non-admin roles write access to "tags". Grant write access only to the roles that actually need to tag notables, for instance:

[tags]
access = read : [ * ], write : [ admin, ess_analyst ]
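As an added example (not Splunk's code), the following parses the access lines of a .meta file in the syntax shown above and answers the question an administrator wants to check after applying the workaround: which roles can read or write the tags stanza, and whether any role beyond admin has write access elsewhere. The meta fragment, including the ess_analyst role, is constructed for the example; the real file may also carry owner and export settings, which this helper ignores.

```python
import configparser
import re

# Constructed local.meta fragment modelled on the workaround above (not from a real deployment).
SAMPLE_META = """
[tags]
access = read : [ * ], write : [ admin, ess_analyst ]
export = system

[savedsearches]
access = read : [ * ], write : [ admin ]
"""

# matches "read : [ a, b ]" and "write : [ c ]" inside an access value
_ACL_RE = re.compile(r"\b(read|write)\s*:\s*\[([^\]]*)\]")


def parse_access(value):
    """Turn 'read : [ * ], write : [ admin, ess_analyst ]' into {'read': set, 'write': set}."""
    acl = {"read": set(), "write": set()}
    for kind, roles in _ACL_RE.findall(value):
        acl[kind] = {r.strip() for r in roles.split(",") if r.strip()}
    return acl


def load_acls(meta_text):
    """Parse every stanza of a .meta file into {stanza: {'read': set, 'write': set}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(meta_text)
    return {name: parse_access(cp[name].get("access", "")) for name in cp.sections()}


def role_can(acls, stanza, role, kind):
    """True if role has kind ('read' or 'write') access to stanza; '*' grants every role."""
    roles = acls.get(stanza, {}).get(kind, set())
    return "*" in roles or role in roles


def non_admin_writers(acls, stanza):
    """Roles other than admin that can write a stanza: the list to review for least privilege."""
    return sorted(acls.get(stanza, {}).get("write", set()) - {"admin"})


if __name__ == "__main__":
    acls = load_acls(SAMPLE_META)
    print(role_can(acls, "tags", "ess_analyst", "write"), non_admin_writers(acls, "tags"))
```

Apply the check to the merged result of default.meta and local.meta if both grant access to the stanza, since the effective permission is the combination the server computes, not a single file.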
2018-05-17 | SOLNESS-15440, SOLNESS-15419, SOLNESS-15441 | Guided mode correlation search editor text fields not enabled
2018-04-17 | SOLNESS-15232 | IE11: Adds an extra URL fragment at the end of the original URL, which breaks Asset/Identity Investigator
2018-04-16 | SOLNESS-15206 | Timeline: Action button for notes is in the middle of the screen
2018-03-22 | SOLNESS-14990, SPL-152489 | Content Management: Create New Content -> Saved Search does not work as expected
Last modified on 08 February, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 5.1.0

