Known Issues for Splunk Enterprise Security
The following are issues and workarounds for this version of Splunk Enterprise Security.
|Date filed||Issue number||Description|
|2020-07-30||SOLNESS-23521||Identity Management: Only transforms from specific apps are being displayed on "New Asset" modal|
|2020-07-14||SOLNESS-23451||Notable Event Framework: Searches converted from XS to MLTK did not have their tokens updated|
Update the rule_description for the following searches.
[Network - Unusual Volume of Network Activity - Rule] action.notable.param.rule_description = An unusual volume of network activity was detected. $src_count$ unique sources have generated network traffic in the past 15 minutes and $total_count$ network events have been observed in the same time period.
[Network - Substantial Increase in Port Activity (By Destination) - Rule] action.notable.param.rule_description = A statistically significant increase in the volume of activity on port $dest_port$ was noted. Today's value is $dest_port_traffic_count$.
[Network - Substantial Increase in an Event - Rule] action.notable.param.rule_description = A statistically significant increase in the volume of $signature$ events was noted. Today's value is $ids_attacks$.
|2020-05-13||SOLNESS-22828||Notable event status or owner sometimes are wrong because of size of incident_review collection|
Set max_rows_per_query in limits.conf to a size greater than the size of the incident_review_lookup collection and restart Splunk.
To check this:
index=_introspection host+<ES SH> sourcetype=kvstore "data.ns"="SA-ThreatIntelligence.incident_review" | stats max(data.count) AS count
And if this count is bigger than the max_rows_per_query limit in limits.conf, increase it on the search head(s):
limits.conf: [kvstore] max_rows_per_query = <something bigger than the count above>
and restart Splunk afterwards.
|2020-05-11||SOLNESS-22809||CustomSearchBuilder: Retention component for kvstore backed search-driven-lookup not working|
|2020-04-02||SOLNESS-22269, SOLNESS-21618||CSB build request includes query string + lookup count exceed|
|2020-03-23||SOLNESS-22110||Threat Intelligence: Maxmind ASN database can no longer be consumed|
|2020-02-28||SOLNESS-21907, SOLNESS-21911||Threat Intelligence Manager: Incomplete/Orphaned stanzas will cause the manager to exit|
|2020-02-24||SOLNESS-21847||Threat Intelligence Framework: When download is anything other than TAXII we change file extension|
|2020-02-24||SOLNESS-21848||Threat Intelligence Framework: Files in pickup dirs when sinkhole not in use causing large SHC Snapshots|
|2020-02-23||SOLNESS-21845||Entities merge on previous foreign keys|
|2020-02-20||SOLNESS-21817, SOLNESS-21910||When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get an error message "Notable status of label <number> does not exist."|
Manually clean up reviewstatuses.conf to reduce number of statuses down to 30 or less:
|2020-02-13||SOLNESS-21783||Incident Review does not load when read permissions on pertinent lookups are limited to select roles|
|2020-01-30||SOLNESS-21581||Entity merge not parsing MV fields in KV Store sources|
|2020-01-24||SOLNESS-21476||Notable Event Framework: Invalid severity values afflict urgency calculation|
|2020-01-16||SOLNESS-21220, SOLNESS-21618||Identity Management: Preview search request issued via query string (issue for IE)|
|2019-12-13||SOLNESS-21001||Identity Management: Inferred/Implicit "identity" key values can cause unintended identity record merges|
In ES 6.0 we merge Asset and Identity records which have overlapping secondary keys ("asset" and "identity" fields respectively). When this is combined with inferred/implicit key values based on email, email_short and/or convention based mapping, it's possible that unintended records are merged.
If you are *not* interested in the inferred/implicit identity values (i.e. email, email_short), simply disable on an input-by-input basis by using the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input.
|2019-12-10||SOLNESS-20951, SOLNESS-20994||Postinstall fails when upgrading due to error enabling modular inputs|
The enablement of modular inputs during post-install can lead to failures if the role performing the install is missing capabilities.
|2019-03-15||SOLNESS-18377, SPL-167855||Workbench: custom visualizations don't work in workbench|
|2018-10-03||SOLNESS-16682, SPL-170703||Internal Error: Missing a search command before *|
Fixed Issues for Splunk Enterprise Security
How to find answers and get help with Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0