Splunk® Enterprise Security

Release Notes


Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Highlighted issues

Date filed Issue number Description
2018-02-20 SOLNESS-14637 Splunk Web doesn't start after upgrading Splunk Enterprise Security

Workaround:
Remove Advanced XML module folder and contents from the installation.

For instance:

 $SPLUNK_HOME/etc/apps/SA-Utils/appserver/modules/SOLNLookupEditor

Uncategorized issues

Date filed Issue number Description
2020-02-24 SOLNESS-21848 Threat Intelligence Framework: Files left in pickup directories when the sinkhole is not in use cause large SHC snapshots
2020-02-24 SOLNESS-21847 Threat Intelligence Framework: When the download is anything other than TAXII, the file extension is changed
2020-01-07 SOLNESS-21102, SOLNESS-21222 Risk Framework: Lookup Gen search does not dedup multivalue fields, which skews results on the Incident Review page
2019-10-14 SOLNESS-20459 dm_accel_settings manager page still exposes deprecated manual_rebuilds parameter
2019-10-02 SOLNESS-20348 Per-panel filters: when applied, prevent results from being shown

Workaround:
Do not use per-panel filtering on the Threat Activity page, or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml:

 <set token="ppf"></set>
2019-09-30 SOLNESS-20299 Bug in libtaxii causing TLS handshake failure on TAXII feeds

Workaround:
Update libtaxii to version 1.1.114 in $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib.
2019-09-19 SOLNESS-20202 Certificate Manager doesn't permit .key

Workaround:
The app_certs_rest_handler accepts an extensible whitelist of file extensions. For instance, to allow ".key" files to be submitted, add ".key" to the list:


## SA-Utils/local/restmap.conf
[script:app_certs_rest_handler]
script.param = {"extensions": [".arm", ".ca-bundle", ".cer", ".crt", ".der", ".p7b", ".p7s", ".pem", ".pfx", ".key"], "max_size": 1000000}
2019-09-13 SOLNESS-20145 Expired User Activity picks up splunkd search logs via audittrail
2019-08-23 SOLNESS-19854, SOLNESS-20018 Attempt to 'stop managing' produces an error: could not be found
2019-07-04 SOLNESS-19368 iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security
2019-06-13 SOLNESS-19167, SOLNESS-19186 Next Steps disappear when creating Short ID.
2019-05-14 SOLNESS-18917 PDF printout of Investigations timeline (.../ess_investigation?id=*&visual=timeline) does not match timeline (not in chronological order)
2019-05-03 SOLNESS-18821 Asset/Identity Investigators: on first load, progress indicators at the bottom and side of the page need to be removed
2019-05-01 SOLNESS-18806, SOLNESS-18659 IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-26 SOLNESS-18774, SOLNESS-18659 IP Intelligence Threat Retention Search is not working due to threat_key name of a lookup
2019-04-12 SOLNESS-18662 whois modular input does not permit realm specifications for api_user or proxy_user

Workaround:
Remove realm from credential.
2019-04-12 SOLNESS-18661 Hardcoded http URI in whois_handlers.py
2019-04-11 SOLNESS-18656, SOLNESS-19159 Identity correlation not favoring string lookup over CIDR when max_memtable_bytes exceeded
2019-04-08 SOLNESS-18603 Incident Review: eventCount does not match resultCount causing display issues (such as events being displayed twice)

Workaround:
Set phased_execution_mode to singlethreaded


## limits.conf
[search]
phased_execution_mode = singlethreaded


2019-03-29 SOLNESS-18523, SOLNESS-18521, SOLNESS-18529 Adaptive Responses are being truncated in the correlation search editor page
2019-03-29 SOLNESS-18521, SOLNESS-18523 Adaptive Responses are being truncated in the correlation search editor page
2019-03-28 SOLNESS-18518, SOLNESS-18993 ES AR UI fully breaks on single "bad" AR HTML UI
2019-03-13 SOLNESS-18400 Correlation Search Editor does not properly read throttling window duration
2019-02-19 SOLNESS-18079 Port And Protocol Tracker Lookup Gen isn't tracking allowed ports
2019-02-12 SOLNESS-17965 "Email Address Matches" generating search does not match domains properly

Workaround:
The following override can be applied locally or via the UI:


## DA-ESS-ThreatIntelligence/local/savedsearches.conf
[Threat - Email Address Matches - Threat Gen]
search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight
2019-02-11 SOLNESS-17956 Identity Correlation modification will not save on SHC
2019-02-07 SOLNESS-17946 Security Domains CSV (security_domains.csv) overwritten during upgrade
2019-01-22 SOLNESS-17734 Custom app won't show up in Content Management App dropdown unless there is at least one shared savedsearch in the app
2018-12-26 SOLNESS-17396 New Analytic Story page shows an error when Splunk is configured with a non-default management port
2018-12-20 SOLNESS-17368 Incident Review: Filter on "edit events" modal does not work / no focus
2018-12-17 SOLNESS-17291, RTO-337 expandtoken errors with "field larger than field limit"

Workaround:
Raise the csv module's field size limit before parsing:

import csv

# The default field limit of the csv module is 128KB; raise it to 10MB. See SPL-12117 for
# the background on issues surrounding field sizes.
# (csv.field_size_limit() is available since Python 2.5.)
csv.field_size_limit(10485760)

https://answers.splunk.com/answers/709747/error-field-larger-than-field-limit-131072.html#answer-709749
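To show what the "field larger than field limit" error actually looks like and why raising the limit resolves it, here is a small added example (not from the Splunk documentation or the ES code base). It builds a constructed two-column CSV whose second field is one byte over Python's default 131072-byte limit, parses it once with the default limit and once after raising it to 10MB, and restores the previous limit afterwards so the change does not leak into other code in the same process.

```python
import csv
import io
from typing import List, Optional

# Python's csv module default field limit: 131072 bytes (128 KiB).
DEFAULT_LIMIT = 131072

# Value used by the Splunk workaround above: 10 MiB.
WORKAROUND_LIMIT = 10485760


def build_oversized_csv(field_bytes: int) -> str:
    """Constructed sample input: a header row plus one row whose second
    field is exactly field_bytes characters long."""
    big_value = "x" * field_bytes
    return "key,value\nk1," + big_value + "\n"


def read_rows(text: str, field_limit: Optional[int] = None) -> List[List[str]]:
    """Parse CSV text with csv.reader.

    If field_limit is given, csv.field_size_limit is raised for the duration of
    the parse and then restored, so the process-wide setting is left unchanged.
    Raises csv.Error when any field exceeds the active limit."""
    previous = csv.field_size_limit()  # no argument: returns the current limit
    try:
        if field_limit is not None:
            csv.field_size_limit(field_limit)
        return list(csv.reader(io.StringIO(text)))
    finally:
        csv.field_size_limit(previous)


def demonstrate() -> dict:
    """Run the same oversized input through both configurations and report:
    - 'default':  the csv.Error message seen with the stock limit
    - 'raised':   length of the large field once the limit is 10 MiB
    - 'restored': the limit in effect after both parses (should be the default)
    """
    sample = build_oversized_csv(DEFAULT_LIMIT + 1)
    result = {}
    try:
        read_rows(sample)
        result["default"] = "ok"
    except csv.Error as exc:
        # Message form: "field larger than field limit (131072)"
        result["default"] = str(exc)

    rows = read_rows(sample, field_limit=WORKAROUND_LIMIT)
    result["raised"] = len(rows[1][1])
    result["restored"] = csv.field_size_limit()
    return result


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

The limit is a module-wide setting, not per-reader, which is why the workaround in the Splunk script sets it once at import time; the restore in `read_rows` shows the alternative of scoping the change to a single parse.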

2018-12-16 SOLNESS-17285 Custom Role inheritance is not working in ES app after upgrade

Workaround:
Contact support for patch.
2018-12-11 SOLNESS-17293 Expected Host Not Reporting correlation does not persist host tags
2018-11-27 SOLNESS-17111 Incident Review - Unable to type names when assigning Enterprise Security notables
2018-11-21 SOLNESS-17081 Notable events are populated with info_max_time="+Infinity", info_min_time="0.000" when alert.digest_mode=0 is set in savedsearches.conf
2018-10-10 SOLNESS-16774 Index Time Delta: Improper timeDiff computation causes false negatives
2018-10-04 SOLNESS-16696 Error in error logging in managed_nav_rest_handler.py
2018-10-03 SOLNESS-16682, SPL-170703 Internal Error: Missing a search command before *
2018-10-01 SOLNESS-16662, SOLNESS-15945 Content Management/Analytic Story Details: clicking a saved search opens only the lister page, not the editor
2018-09-05 SOLNESS-16498 Navigation Dividers Do Not Render When On Certain Views
Last modified on 13 August, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.0

