Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Date filed | Issue number | Description |
---|---|---|
2020-07-19 | SOLNESS-23467 | "404 not found" when editing saved search name with "/" via content management |
2020-04-09 | SOLNESS-22356 | Suppressing a notable event gives a JavaScript error when the title contains special characters such as those with special meaning in regex. Workaround: Update the correlation search to remove the following characters, which have special meaning in regex, so that the title of the notable event does not contain them: `[\^$.\|?*+()` |
2020-03-23 | SOLNESS-22110 | Threat Intelligence: Maxmind ASN database can no longer be consumed |
2020-02-28 | SOLNESS-21907, SOLNESS-21911 | Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit |
2020-02-20 | SOLNESS-21817, SOLNESS-21910 | When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get the error message "Notable status of label <number> does not exist." Workaround: Manually clean up reviewstatuses.conf to reduce the number of statuses to 30 or fewer: `./etc/apps/SA-ThreatIntelligence/local/reviewstatuses.conf` and `./etc/apps/SplunkEnterpriseSecuritySuite/local/reviewstatuses.conf` |
2020-02-13 | SOLNESS-21783 | Incident Review does not load when read permissions on pertinent lookups are limited to select roles |
2020-01-05 | SOLNESS-21093 | "Endpoint Changes" dashboard panels are missing "datamodel=", resulting in missing results from the "Endpoint.Filesystem" datamodel. Workaround: The panels for "Endpoint Changes By Action", "Endpoint Changes By Type" and "Endpoint Changes By System" all have the first `\| tstats` missing a "datamodel=". As shipped: `` `tstats` count from Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ... ``; corrected: `` `tstats` count from datamodel=Endpoint.Filesystem where Filesystem.tag="change" by _time,Filesystem.action span=10m ... `` |
2019-12-10 | SOLNESS-20951, SOLNESS-20994 | Postinstall fails when upgrading due to an error enabling modular inputs. Workaround: The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities. |
2019-10-14 | SOLNESS-20459 | dm_accel_settings manager page still exposes deprecated manual_rebuilds parameter |
2019-10-02 | SOLNESS-20348 | Per Panel Filters: when applied, they prevent results from being shown. Workaround: Do not use per-panel filtering on the Threat Activity page, or disable it by nulling out the ppf token in DA-ESS-ThreatIntelligence/default/data/ui/views/threat_activity.xml: `<set token="ppf"></set>` |
2019-09-30 | SOLNESS-20299 | Bug in libtaxii causing TLS handshake failure on TAXII feeds. Workaround: Update libtaxii to version 1.1.114 in SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/contrib |
2019-09-19 | SOLNESS-20202 | Certificate Manager doesn't permit .key files. Workaround: The app_certs_rest_handler permits an extensible file extension whitelist. For instance, to be able to submit ".key" files, set the following in SA-Utils/local/restmap.conf: `[script:app_certs_rest_handler] script.param = {"extensions": [".arm", ".ca-bundle", ".cer", ".crt", ".der", ".p7b", ".p7s", ".pem", ".pfx", ".key"], "max_size": 1000000}` |
2019-09-13 | SOLNESS-20145 | Expired User Activity picks up splunkd search logs via audittrail |
2019-08-23 | SOLNESS-19854, SOLNESS-20018 | Attempt to 'stop managing' produces an error: could not be found |
2019-07-04 | SOLNESS-19368 | iplocation has a field called 'lon' in Splunk and 'long' in Enterprise Security |
2019-06-28 | SOLNESS-19321 | Dropdown menus on ES Configuration Health & HTTP Category Analysis look odd when an investigation has been selected |
2019-06-20 | SOLNESS-19277 | Manual Notable Event Creation: orig_time does not persist proper _time from event |
2019-06-13 | SOLNESS-19167, SOLNESS-19186 | Next Steps disappear when creating Short ID. |
2019-05-29 | SOLNESS-19047 | Drilldowns from XML pages with special characters open an empty search page. Workaround: Upgrade to Splunk 7.1.8, 7.2.8, or 7.3.2 |
2019-05-15 | SOLNESS-18935 | Analytic Story Details View - Empty References Bullet |
2019-05-03 | SOLNESS-18821 | Asset/Identity Investigators: on first load, the progress indicators at the bottom and side of the page need to be removed |
2019-04-12 | SOLNESS-18662 | whois modular input does not permit realm specifications for api_user or proxy_user. Workaround: Remove the realm from the credential. |
2019-04-12 | SOLNESS-18661 | Hardcoded http URI in whois_handlers.py |
2019-03-29 | SOLNESS-18521, SOLNESS-18523 | Adaptive Responses are truncated in the correlation search editor page |
2019-03-28 | SOLNESS-18518, SOLNESS-18993 | The ES Adaptive Response UI breaks completely when a single Adaptive Response has a "bad" HTML UI |
2019-02-12 | SOLNESS-17965 | "Email Address Matches" generating search is not domain matching properly. Workaround: The following override can be applied locally or via the UI, in DA-ESS-ThreatIntelligence/local/savedsearches.conf under the `[Threat - Email Address Matches - Threat Gen]` stanza: `` search = \| `tstats` values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_issuer_email \| eval email='All_Certificates.SSL.ssl_issuer_email' \| eval threat_match_field="ssl_issuer_email" \| `tstats` append=true values(sourcetype),values(All_Certificates.src),values(All_Certificates.dest) from datamodel=Certificates.All_Certificates by All_Certificates.SSL.ssl_subject_email \| eval email=if(isnull(email),'All_Certificates.SSL.ssl_subject_email',email) \| eval threat_match_field=if(isnull(threat_match_field),"ssl_subject_email",threat_match_field) \| `sistats_values_rename(All_Certificates.src,src)` \| `sistats_values_rename(All_Certificates.dest,dest)` \| `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.src_user \| eval email=if(isnull(email),'All_Email.src_user',email) \| eval threat_match_field=if(isnull(threat_match_field),"src_user",threat_match_field) \| `tstats` append=true values(sourcetype),values(All_Email.src),values(All_Email.dest) from datamodel=Email.All_Email by All_Email.recipient \| eval email=if(isnull(email),'All_Email.recipient',email) \| eval threat_match_field=if(isnull(threat_match_field),"recipient",threat_match_field) \| `sistats_values_rename(All_Email.src,src)` \| `sistats_values_rename(All_Email.dest,dest)` \| stats values(sourcetype) as sourcetype,values(src) as src,values(dest) as dest by email,threat_match_field \| extract cim_email_domain \| `truncate_domain_dedup(email_domain,truncated_email)` \| lookup update=true threatintel_by_email email OUTPUT \| lookup update=true threatintel_by_email_wildcard email OUTPUTNEW \| lookup update=true threatintel_by_domain domain as email_domain OUTPUTNEW \| lookup update=true threatintel_by_domain domain as truncated_email_domain OUTPUTNEW \| search threat_collection_key=* \| `mvtruncate(src)` \| `mvtruncate(dest)` \| `zipexpand_threat_matches` \| table sourcetype,src,dest,email,threat*,weight `` |
2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
This documentation applies to the following versions of Splunk® Enterprise Security: 5.3.1