Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
Date filed | Issue number | Description |
---|---|---|
2020-07-30 | SOLNESS-23521 | Identity Management: Only transforms from specific apps are being displayed on "New Asset" modal |
2020-07-14 | SOLNESS-23451 | Notable Event Framework: Searches converted from XS to MLTK did not have their tokens updated Workaround: Update the rule_description for the following searches.
[Network - Unusual Volume of Network Activity - Rule] action.notable.param.rule_description = An unusual volume of network activity was detected. $src_count$ unique sources have generated network traffic in the past 15 minutes and $total_count$ network events have been observed in the same time period.
[Network - Substantial Increase in Port Activity (By Destination) - Rule] action.notable.param.rule_description = A statistically significant increase in the volume of activity on port $dest_port$ was noted. Today's value is $dest_port_traffic_count$.
[Network - Substantial Increase in an Event - Rule] action.notable.param.rule_description = A statistically significant increase in the volume of $signature$ events was noted. Today's value is $ids_attacks$. |
2020-05-13 | SOLNESS-22828 | Notable event status or owner sometimes are wrong because of size of incident_review collection Workaround: Set max_rows_per_query in limits.conf to a size greater than the size of the incident_review_lookup collection and restart Splunk. To check this: index=_introspection host+<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count And if this count is bigger than the max_rows_per_query limit in limits.conf, increase it on the search head(s): limits.conf: [kvstore] max_rows_per_query = <something bigger than the count above> and restart Splunk afterwards. |
2020-05-11 | SOLNESS-22809 | CustomSearchBuilder: Retention component for kvstore backed search-driven-lookup not working |
2020-04-02 | SOLNESS-22269, SOLNESS-21618 | CSB build request includes query string + lookup count exceed |
2020-03-23 | SOLNESS-22110 | Threat Intelligence: Maxmind ASN database can no longer be consumed |
2020-02-28 | SOLNESS-21907, SOLNESS-21911 | Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit |
2020-02-24 | SOLNESS-21847 | Threat Intelligence Framework: When download is anything other than TAXII we change file extension |
2020-02-24 | SOLNESS-21848 | Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots |
2020-02-23 | SOLNESS-21845 | Entities merge on previous foreign keys |
2020-02-20 | SOLNESS-21817, SOLNESS-21910 | When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get an error message "Notable status of label <number> does not exist." Workaround: Manually clean up reviewstatuses.conf to reduce number of statuses down to 30 or less: ./etc/apps/SA-ThreatIntelligence/local/reviewstatuses.conf ./etc/apps/SplunkEnterpriseSecuritySuite/local/reviewstatuses.conf |
2020-02-13 | SOLNESS-21783 | Incident Review does not load when read permissions on pertinent lookups are limited to select roles |
2020-01-30 | SOLNESS-21581 | Entity merge not parsing MV fields in KV Store sources |
2020-01-24 | SOLNESS-21476 | Notable Event Framework: Invalid severity values afflict urgency calculation |
2020-01-16 | SOLNESS-21220, SOLNESS-21618 | Identity Management: Preview search request issued via query string (issue for IE) |
2019-12-13 | SOLNESS-21001 | Identity Management: Inferred/Implicit "identity" key values can cause unintended identity record merges Workaround: In ES 6.0 we merge Asset and Identity records which have overlapping secondary keys ("asset" and "identity" fields respectively). When this is combined with inferred/implicit key values based on email, email_short and/or convention based mapping, it's possible that unintended records are merged. If you are *not* interested in the inferred/implicit identity values (i.e. email, email_short), simply disable on an input-by-input basis by using the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input.
|
2019-12-10 | SOLNESS-20951, SOLNESS-20994 | Postinstall fails when upgrading due to error enabling modular inputs Workaround: The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities.
|
2019-03-15 | SOLNESS-18377, SPL-167855 | Workbench: custom visualizations don't work in workbench |
2018-10-03 | SOLNESS-16682, SPL-170703 | Internal Error: Missing a search command before * |
Fixed Issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0
Feedback submitted, thanks!