Splunk® Enterprise Security

Release Notes



This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 6.6.0 was released on June 30, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

The following is a list of the known issues in this release.


Date filed Issue number Description
2022-08-12 SOLNESS-32134 Correlation search for ES Threat Activity Detected is incorrect.
2022-06-13 SOLNESS-31295, SOLNESS-30377 Extreme lag in displaying dropdown values for large amounts of data, e.g., Short ID.
2022-04-19 SOLNESS-30749 Excessively large threat intelligence sources are not ingested by the Splunk Enterprise Security Threat Intelligence framework.
2021-12-02 SOLNESS-29293 MITRE annotations do not populate for non-English locales.

Workaround:
Only new correlation searches will have proper MITRE annotation descriptions, so pre-existing searches that have MITRE annotations must be recreated. This applies only to correlation searches created from a non-English locale.
2021-11-02 SOLNESS-28904 Incident Review: When the Event Table reloads while you are editing a notable, you can potentially edit different or all matching notables.

Workaround:
Wait for the Event Table to fully load.

If the count changes while the Edit modal is open, close the modal, wait for the Event Table to fully load, reselect the notables you want to edit, and press Edit again.

2021-10-15 SOLNESS-28622 Field value substitution does not work in workflow actions and does not extract or replace variables as expected. You might see the variable for "$source$" instead of the field value when you use a custom workflow action.

Workaround:
No workaround exists currently. However, installing 7.0.0 when it becomes available will resolve the issue.
2021-10-14 SOLNESS-28617 Incident Review page: the Save button remains disabled when adding a comment on a notable event.
2021-09-24 SOLNESS-28349 Incident Review is empty with the JavaScript error "TypeError: e.replace is not a function" when displaying notables with a multivalue field.

Workaround:
Add the following to the end of the saved search Incident Review - Main to ensure that all the fields have a single value.

| foreach * [| eval "<<FIELD>>"=mvjoin('<<FIELD>>'," ")]

This breaks the separate context menu for multivalue fields in the details of a notable. Remove the local copy of this search after upgrading to a version where this issue is resolved.

OR

Remove the columns from the Incident Review table that might potentially have multivalue fields. For more information, see https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

2021-09-16 SOLNESS-28194 Incident Review: When using the "Date & Time Range" option of the time picker, the selected time changes when you press Apply if the user time zone does not match the server time zone.
2021-09-14 SOLNESS-28180 Unable to load a newly created adhoc managed lookup from Content Management.

Workaround:
Edit the permissions of the lookup to export globally and read/write to the appropriate users.
2021-09-08 SOLNESS-28141 Incident Review - Event Attributes: adding a new field does not offer a "Save" or "Add" option, only Edit.

Workaround:
The Edit button adds the new field to the top of the list.
2021-09-07 SOLNESS-28048 Incident Review: Workflow actions are broken after upgrade for action type "search".
2021-09-07 SOLNESS-28046 If "Incident Review - Table Attributes" was changed before the upgrade to ES 6.6, Incident Review is missing new fields, such as Disposition.

Workaround:
Check whether "table_attributes" exists in /etc/apps/SA-ThreatIntelligence/local/log_review.conf and remove it to revert to the 6.6 defaults (and customize again afterwards if needed),

or manually add the fields below to the table as described in the following documentation: https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

Defaults for 6.6.0:

table_attributes = [\
                    {"field": "rule_title",            "label": "Title"},\
                    {"field": "risk_object",           "label": "Risk Object"},\
                    {"field": "risk_score",            "label": "Aggregated Risk Score"},\
                    {"field": "risk_event_count",      "label": "Risk Events"},\
                    {"field": "notable_type",          "label": "Type"},\
                    {"field": "_time",                 "label": "Time"},\
                    {"field": "disposition_label",     "label": "Disposition"},\
                    {"field": "security_domain",       "label": "Security Domain"},\
                    {"field": "urgency",               "label": "Urgency"},\
                    {"field": "status_label",          "label": "Status"},\
                    {"field": "owner_realname",        "label": "Owner"}\
                   ]
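The check described in the workaround above, as an added example that is not part of this documentation or of the product: it parses a local log_review.conf, honours the backslash line continuations used in the default block, and reports which 6.6.0 default columns a pre-upgrade table_attributes override hides. The sample conf text and its stanza name are constructed for the example.

```python
import json
import re

# The 6.6.0 default Incident Review columns from the SOLNESS-28046 entry above.
DEFAULT_FIELDS = [
    "rule_title", "risk_object", "risk_score", "risk_event_count",
    "notable_type", "_time", "disposition_label", "security_domain",
    "urgency", "status_label", "owner_realname",
]

# Constructed sample of a pre-6.6 override in local/log_review.conf; the
# stanza name is assumed and the column list is deliberately incomplete.
SAMPLE_LOCAL_CONF = r"""
[incident_review]
table_attributes = [\
    {"field": "rule_title",   "label": "Title"},\
    {"field": "_time",        "label": "Time"},\
    {"field": "urgency",      "label": "Urgency"},\
    {"field": "status_label", "label": "Status"}\
]
"""


def join_continuations(conf_text):
    """Join .conf lines ending in a backslash into one logical line."""
    return re.sub(r"\\\r?\n", "", conf_text)


def local_table_fields(conf_text):
    """Field names in a local table_attributes override, or None if absent."""
    match = re.search(r"^table_attributes\s*=\s*(\[.*?\])\s*$",
                      join_continuations(conf_text), re.M | re.S)
    if match is None:
        return None
    return [column["field"] for column in json.loads(match.group(1))]


def missing_default_fields(conf_text):
    """Default columns that a local override hides; empty if no override."""
    fields = local_table_fields(conf_text)
    if fields is None:
        return []
    return [f for f in DEFAULT_FIELDS if f not in fields]


if __name__ == "__main__":
    print("hidden 6.6 columns:", missing_default_fields(SAMPLE_LOCAL_CONF))
```

An empty result means the local file has no override and the 6.6 defaults apply.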
2021-09-01 SOLNESS-28019 The "src" or "dest" fields of Threat Activity events show as "unknown" even though "threat_match_fields" is "src" or "dest".

Workaround:
  1. Navigate to the threat intelligence management page and click the threat matching tab.
  2. Click, for example, "src" to edit that threat match configuration.
  3. Scroll down in the modal and click the pencil for the first data model dataset.
  4. Click "+ Add aggregate" and add "<datamodel>.src as src" to add the source field as an aggregate.
  5. Click Save.
  6. Repeat for other datasets as needed.
  7. Repeat all steps for other threat match configurations as needed.
2021-08-31 SOLNESS-28002 The ES Traffic Center dashboard is still using the deprecated saved search.
2021-08-30 SOLNESS-27991 A multivalue urgency field causes the Incident Review page to crash.

Workaround:
Add the following line to the end of the saved search Incident Review - Main to ensure that urgency has a single value.

| eval urgency=mvindex(urgency,0)

You can remove the local copy of this search after upgrading to a version where this issue is resolved.

2021-08-27 SOLNESS-27985 Incident Review sorting reverts to chronological ordering when switching between pages (as opposed to the default, reverse-chronological order).
2021-08-08 SOLNESS-27747 Notable event suppressions do not work after an upgrade to ES 6.6.0 and Splunk 8.2.1. Notable events suppression worked in ES 6.2.0 and 8.0.4.1.

Workaround:
Move the suppression filter `| \`suppression_extract\` | search NOT suppression=*` of the Incident Review SPL to the end of the search string.
The Incident Review SPL is located in the following configuration files:

/apps/SA-ThreatIntelligence/default/savedsearches.conf and /apps/SA-ThreatIntelligence/local/savedsearches.conf
The Incident Review SPL will display as follows:
[Incident Review - Main]
search = $time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ | `suppression_extract` | search NOT suppression=* | eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id | fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ | `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ | `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` | `get_notable_type` | search $type_filter$
is_visible = false

You can change this to:
[Incident Review - Main]
search = $time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ | eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id | fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ | `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ | `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` | `get_notable_type` | search $type_filter$ | `suppression_extract` | search NOT suppression=*
is_visible = false
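The edit shown above, as an added example that is not part of this documentation or of the product: a small script that moves the suppression filter to the end of the Incident Review - Main search string and applies that change to the `search =` key of the stanza in a savedsearches.conf body. It assumes the `search =` value sits on one line, as quoted above; the helper and function names are the example's own.

```python
import re

# The 'Incident Review - Main' search string quoted from the stanza above.
ORIGINAL_SEARCH = "$time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ | `suppression_extract` | search NOT suppression=* | eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id | fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ | `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ | `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` | `get_notable_type` | search $type_filter$"

# The two pipeline stages that SOLNESS-27747 asks you to move to the end.
SUPPRESSION_SEGMENT = "| `suppression_extract` | search NOT suppression=*"


def move_suppression_filter_to_end(search):
    """Remove the suppression filter from wherever it sits in the pipeline and
    append it as the last stage. Returns the search unchanged when the filter
    is absent; running it on an already-moved search is a no-op."""
    pattern = r"\s*\|\s*`suppression_extract`\s*\|\s*search\s+NOT\s+suppression=\*"
    stripped = re.sub(pattern, "", search, count=1)
    if stripped == search:
        return search
    return stripped.rstrip() + " " + SUPPRESSION_SEGMENT


def rewrite_incident_review_stanza(conf_text):
    """Apply the move to the 'search =' key of [Incident Review - Main] in a
    savedsearches.conf body; every other stanza and key is left untouched.
    Assumes the search value is a single line, as in the stanza quoted above."""
    out, in_stanza = [], False
    for line in conf_text.splitlines():
        if line.startswith("["):
            in_stanza = line.strip() == "[Incident Review - Main]"
        elif in_stanza and line.startswith("search ="):
            _, _, value = line.partition("=")
            line = "search = " + move_suppression_filter_to_end(value.strip())
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(move_suppression_filter_to_end(ORIGINAL_SEARCH))
```

Write the rewritten stanza to local/savedsearches.conf rather than editing the default file, so the change survives an upgrade and can be reverted by deleting the local copy.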

2021-07-26 SOLNESS-27648 "Save Filter" on the Incident Review page hangs when you save the filters using the "ess_analyst" role.

Workaround:
Give the affected role (ess_analyst) write permissions to the filter_sets collection to fix the issue.
2021-07-21 SOLNESS-27588 The URL of the Splunk platform instance is prepended to the URL of the Incident Review workflow action link, resulting in a 404 error.
2021-06-22 SOLNESS-27288 The Submit button on the Incident Review page is grayed out when filters are cleared.
2021-05-12 SOLNESS-26883 Annotations configured on correlation search editor do not display on the Incident Review page.
2021-04-29 SOLNESS-26712 Incident review page loads slowly after an upgrade to Splunk Enterprise Security version 6.4 or higher.

Workaround:
Add a reasonable time period to the get_active_correlations macro, for example earliest = -90d.
After adding the time limit, correlation searches that did not create a notable within that time frame cannot be selected as an option in the filters when the Incident Review page loads.

The macro should look something like this after editing:

tstats values(source) as source where {{get_notable_index}} earliest = -90d | mvexpand source | lookup correlationsearches_lookup _key as source OUTPUTNEW rule_name
Last modified on 08 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.0
