Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security. Workaround: Remove the Advanced XML module folder and its contents from the installation, for instance `$SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor`. |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2020-01-07 | SOLNESS-21102, SOLNESS-21222 | Risk Framework: Lookup Gen search does not dedup multivalue fields, which skews results on the Incident Review page |
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds. Workaround: Update libtaxii to version 1.1.114 in `$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib`. |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error: "could not be found" |
2019-05-01 | SOLNESS-18806, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-26 | SOLNESS-18774, SOLNESS-18659 | IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup |
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user. Workaround: Remove the realm from the credential. |
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py |
2019-04-11 | SOLNESS-18656, SOLNESS-19159 | Identity correlation not favoring string lookup over CIDR when max_memtable_bytes exceeded |
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search does not match domains properly. Workaround: Apply the following override to `DA-ESS-ThreatIntelligence/local/savedsearches.conf` (locally or via the UI): ``[Threat - Email Address Matches - Threat Gen] search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight`` |
2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade |
2018-12-17 | SOLNESS-17291, RTO-337 | expandtoken errors with "field larger than field limit". Workaround: Raise the Python csv module's field size limit from the 128KB default to 10MB, e.g. `csv.field_size_limit(10485760)` (see SPL-12117). |
2018-12-11 | SOLNESS-17293 | Expected Host Not Reporting correlation does not persist host tags |
2018-11-27 | SOLNESS-17111 | Incident Review - Unable to type names when assigning Enterprise Security notables |
2018-10-10 | SOLNESS-16774 | Index Time Delta: Improper timeDiff computation causes false negatives |
2018-10-04 | SOLNESS-16696 | Error in error logging in managed_nav_rest_handler.py |
2018-10-02 | SOLNESS-16673 | ES Installer -- FIPS never gets enabled |
2018-09-27 | SOLNESS-16650 | Correlation search "High Number of Hosts Not Updating Malware Signatures" can cause performance issues. Workaround: Remove `values(dest) as dest` from the OOTB SPL and replace it with a simple count of affected hosts. Analysts can use the drilldown search to see which hosts were affected. |
2018-09-26 | SOLNESS-16641 | Investigation migration stack trace |
2018-09-19 | SOLNESS-16573 | Add a collaborator search box missing |
2018-09-18 | SOLNESS-16563 | globedistance macro units syntax does not match usage in summary gen search. Workaround: In Access - Geographically Improbable Access - Summary Gen, replace `` eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)) | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,"m")` `` with `` eval key=mvsort(mvappend(src."->".dest, NULL, dest."->".src)),units="m" | dedup key, user | `globedistance(src_lat,src_long,dest_lat,dest_long,units)` `` |
2018-09-15 | SOLNESS-16550 | Workbench Inventory Panel treating user token as an asset |
2018-09-05 | SOLNESS-16498 | Navigation Dividers Do Not Render When On Certain Views |
2018-09-04 | SOLNESS-16446 | Extreme Search commands fail randomly when using Scheduled Searches |
2018-08-30 | SOLNESS-16418 | Identity Correlation: Handler doesn't bubble up certain timeouts |
2018-08-15 | SOLNESS-16219 | Identity Management: inputs.conf ootb disablement does not align with macros.conf |
2018-08-14 | SOLNESS-16189 | Error message populated when editing notable events in IR dashboard "The update failed:ResultSet.__iter__ -- timed out while waiting on data; expected 16 events, only got 15; count=16" |
2018-07-30 | SOLNESS-15963 | Incident Review - History does not work properly when no comment added |
2018-07-24 | SOLNESS-15929 | Incident Review: Comment field is cached when you cancel notable event edit |
2018-07-19 | SOLNESS-15901 | adhoc risk does not store current user (creator) |
2018-06-22 | SOLNESS-15800 | Multi-select drag on Asset Investigator does not display details on the screen; the Chrome JavaScript console shows "Uncaught TypeError: Cannot read property 'sign_board' of undefined." Workaround: None. |
2018-06-15 | SOLNESS-15669, SOLNESS-15462 | Select icon returns "Error reading icon collection..." |
2018-05-31 | SOLNESS-15559, SOLNESS-15872 | Glass Table drill down doesn't open a new tab |
2018-05-25 | SOLNESS-15528 | Threat Intel parsing error when documents without stanzas are parsed. |
2018-05-25 | SOLNESS-15524 | The orig_rid field for notable events has overlapping (instead of unique) values for real-time correlation searches. Workaround: Update to Splunk Enterprise 7.1.2 or above. |
2018-05-18 | SOLNESS-15456, SOLNESS-15402 | Incident Review: non-admin users cannot tag notable events. Workaround: Update the ACLs for SA-ThreatIntelligence to grant non-admins write access to "tags", for instance `[tags] access = read : [ * ], write : [ admin, ess_analyst ]` |
2018-05-17 | SOLNESS-15440, SOLNESS-15419, SOLNESS-15441 | Guided mode correlation search editor text fields not enabled |
2018-04-17 | SOLNESS-15232 | IE11: Adds extra url fragment at the end of the original url which breaks Asset/Identity Investigator |
2018-04-16 | SOLNESS-15206 | Timeline: Action button for notes is in the middle of the screen |
2018-03-22 | SOLNESS-14990, SPL-152489 | Content Management: Create New Content -> Saved Search does not work as expected |
Last modified on 08 February, 2020
This documentation applies to the following versions of Splunk® Enterprise Security: 5.1.0