Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Following are the known issues for this version of Splunk Enterprise Security:

Date filed   Issue number                 Description
2022-08-12   SOLNESS-32134                Correlation search for ES Threat Activity Detected is incorrect.
2022-04-19   SOLNESS-30749                Excessively large threat intelligence sources are not ingested by the Splunk Enterprise Security Threat Intelligence framework.
2022-04-14   SOLNESS-30719                Token Variables not being initialised in NE
2021-09-01   SOLNESS-28019                "src" or "dest" fields of Threat Activity events showing as "unknown" even though "threat_match_fields" is "src" or "dest"

             Workaround:
             1. Navigate to the threat intelligence management page and click on the threat matching tab.
             2. Click on, for example, "src" to edit that threat match configuration.
             3. Scroll down on the modal and click the pencil for the first data model dataset.
             4. Click on "+ Add aggregate" and add "<datamodel>.src as src" to add the source field as an aggregate.
             5. Click Save.
             6. Repeat for other datasets as needed.
             7. Repeat all steps for other threatmatch configurations as needed.

2021-08-31   SOLNESS-28002                ES Traffic centre dashboard is still using the deprecated saved search.
2021-04-29   SOLNESS-26712                Incident review page loads slowly after an upgrade to Splunk Enterprise Security version 6.4 or higher.

             Workaround:
             Add a reasonable time period to the get_active_correlations macro, for example earliest = -90d.
             Otherwise, correlation searches that do not create a notable within that time frame cannot be selected as an option in the filters when the Incident Review page loads.

             The macro should look something like this after editing:

             tstats values(source) as source where `get_notable_index` earliest=-90d | mvexpand source | lookup correlationsearches_lookup _key as source OUTPUTNEW rule_name

2021-04-08   SOLNESS-26448                Missing payload attribute for SendEmail Adaptive response action in Correlation Search Editor

             Workaround:
             Send the search results as a file attachment.

2021-03-24   SOLNESS-26297                Poor error handling on invalid identity_manager stanzas

             Workaround:
             This error means that one of your identity_manager stanzas in inputs.conf is missing a url setting. Determine which stanza is missing the required setting and either add the url or remove the stanza altogether.

2021-03-03   SOLNESS-25956                Next Steps for adaptive response actions do not parse correctly in the Incident Review dashboard.

             Workaround:
             Enter each of the adaptive response actions on separate lines in the Next Steps field of the Correlation Search editor.

2019-03-15   SOLNESS-18377, SPL-167855    Workbench: custom visualizations don't work in workbench
Last modified on 04 October, 2022

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.1
