Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Highlighted issues
Date filed | Issue number | Description |
---|---|---|
2018-02-20 | SOLNESS-14637 | Splunk Web doesn't start after upgrading Splunk Enterprise Security Workaround: Remove Advanced XML module folder and contents from the installation. For instance: $SPLUNK_HOME/etc/apps/SA-Utils /appserver/modules/SOLNLookupEditor |
Uncategorized issues
Date filed | Issue number | Description |
---|---|---|
2019-10-14 | SOLNESS-20459 | dm_accel_settings manager page still exposes deprecated manual_rebuilds parameter |
2019-10-02 | SOLNESS-20348 | Per Panel Filters: When applied prevent results from being shown Workaround: Do not use per-panel filtering on the Threat Activity page or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml
<set token="ppf"></set> |
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds Workaround: Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib |
2019-09-19 | SOLNESS-20202 | Certificate Manager doesn't permit .key Workaround: The app_certs_rest_handler permits an extensible file extension whitelist. For instance, if you want to be able to submit ".key" files.
## SA-Utils/local/restmap.conf [script:app_certs_rest_handler] script.param = {"extensions": [".arm", ".ca-bundle", ".cer", ".crt", ".der", ".p7b", ".p7s", ".pem", ".pfx", ".key"], "max_size": 1000000} |
2019-09-13 | SOLNESS-20145 | Expired User Activity picks up splunkd search logs via audittrail |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error : coud not be found |
2019-07-04 | SOLNESS-19368 | iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security |
2019-06-13 | SOLNESS-19167, SOLNESS-19186 | Next Steps disappear when creating Short ID. |
2019-05-14 | SOLNESS-18917 | PDF printout of Investigations timeline (.../ess_investigation?id=*&visual=timeline) does not match timeline (not in chronological order) |
2019-05-03 | SOLNESS-18821 | Asset/Identity Investigators on first load progress balls on bottom of page and side of page need to be removed |
2019-04-26 | SOLNESS-18776, SOLNESS-18621 | *threat intelligence* definition names containing special characters are being ignored Workaround: Avoid using threat intelligence names having a "." or an "&" character in it. |
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user Workaround: Remove realm from credential. |
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py |
2019-04-08 | SOLNESS-18603 | Incident Review: eventCount does not match resultCount causing display issues (such as events being displayed twice) Workaround: Set phased_execution_mode to singlethreaded
## limits.conf [search] phased_execution_mode = singlethreaded
|
2019-03-29 | SOLNESS-18523, SOLNESS-18521, SOLNESS-18529 | Adaptive Response's are being truncated in the correlation search editor page |
2019-03-29 | SOLNESS-18521, SOLNESS-18523 | Adaptive Response's are being truncated in the correlation search editor page |
2019-03-28 | SOLNESS-18518, SOLNESS-18993 | ES AR UI fully breaks on single "bad" AR HTML UI |
2019-03-13 | SOLNESS-18400 | Correlation Search Editor does not properly read throttling window duration |
2019-02-19 | SOLNESS-18079 | Port And Protocol Tracker Lookup Gen isn't tracking allowed ports |
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search not domain matching properly Workaround: The following override can be applied locally or via the UI:
## DA-ESS-ThreatIntelligence/local/savedsearches.conf [Threat - Email Address Matches - Threat Gen] search = | `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email | eval email='All_Certificates.SSL.ssl_issuer_email' | eval threat_match_field="ssl_issuer_email" | `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email | eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) | eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) | `sistats_values_rename(All_Certificates.src,src)` | `sistats_values_rename(All_Certificates.dest,dest)` | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user | eval email=if(isnull(email),'All_Email.src_user',email) | eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) | `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient | eval email=if(isnull(email),'All_Email.recipient',email) | eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) | `sistats_values_rename(All_Email.src,src)` | `sistats_values_rename(All_Email.dest,dest)` | stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field | extract cim_email_domain | `truncate_domain_dedup(email_domain,truncated_email)` | lookup update=true threatintel_by_email email OUTPUT | lookup update=true threatintel_by_email_wildcard email OUTPUTNEW | lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW | lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW | search threat_collection_key=* | `mvtruncate(src)` | `mvtruncate(dest)` | `zipexpand_threat_matches` | table sourcetype,src,dest,email,threat*,weight |
2019-02-07 | SOLNESS-17946 | Security Domains CSV (security_domains.csv) overwritten during upgrade |
2019-01-22 | SOLNESS-17734 | Custom app won't show up in Content Management App dropdown unless there is at least one shared savedsearch in the app |
2019-01-07 | SOLNESS-17419 | When upgrading ES from 4.7.2 to 5.2.1, system hang on "Disable add-ons". Workaround: Issue occurs on windows. Setting splunkdConnectionTimeout = 600 in $SPLUNK_HOME/SplunkEnterpriseSecuritySuite/local/web.conf will often fix the issue. If ES upgrade still fails then manually disable each app before updating (see link below).
https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Managingappobjects#Update_an_app_or_add-on_in_the_CLI |
2018-12-26 | SOLNESS-17396 | New Analytic Story page will show error when Splunk in configured with non-default Management Port |
2018-12-20 | SOLNESS-17368 | Incident Review: Filter on "edit events" modal does not work / no focus |
2018-12-17 | SOLNESS-17291, RTO-337 | expandtoken errors with "field larger than field limit" Workaround: # The default of the csv module is 128KB; upping to 10MB. See SPL-12117 for
csv.field_size_limit(10485760) |
2018-11-21 | SOLNESS-17081 | Notable events are populated with info_max_time="+Infinity", info_min_time="0.000" with alert.digest_mode=0 in the savedsearch.conf |
2018-10-04 | SOLNESS-16696 | Error in error logging in managed_nav_rest_handler.py |
2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
Fixed Issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.1
Feedback submitted, thanks!