Splunk® Enterprise Security

Release Notes


Known issues for Splunk Enterprise Security

Splunk Enterprise Security 6.6.0 was released on June 30, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

Following is a list of the known issues in this release.


Date filed Issue number Description
2021-09-14 SOLNESS-28180 Unable to load a newly created adhoc managed lookup from Content Management.

Workaround:
Edit the permissions of the lookup to export globally and read/write to the appropriate users.
2021-09-07 SOLNESS-28046 If "Incident Review - Table Attributes" was changed before the upgrade to ES 6.6, Incident Review is missing the new fields, such as Disposition.

Workaround:
Check whether "table_attributes" exists in /etc/apps/SA-ThreatIntelligence/local/log_review.conf and, if so, remove it to revert to the 6.6 defaults (and customize it again afterwards if needed),

or manually add the fields below to the table as described at https://docs.splunk.com/Documentation/ES/latest/Admin/CustomizeIR#Change_Incident_Review_columns

Defaults for 6.6.0:

table_attributes = [\
                    {"field": "rule_title",            "label": "Title"},\
                    {"field": "risk_object",           "label": "Risk Object"},\
                    {"field": "risk_score",            "label": "Aggregated Risk Score"},\
                    {"field": "risk_event_count",      "label": "Risk Events"},\
                    {"field": "notable_type",          "label": "Type"},\
                    {"field": "_time",                 "label": "Time"},\
                    {"field": "disposition_label",     "label": "Disposition"},\
                    {"field": "security_domain",       "label": "Security Domain"},\
                    {"field": "urgency",               "label": "Urgency"},\
                    {"field": "status_label",          "label": "Status"},\
                    {"field": "owner_realname",        "label": "Owner"}\
                   ]
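As an added example (not part of the Splunk documentation), the following Python check reads a local log_review.conf, joins Splunk's backslash line continuations, and reports which of the 6.6.0 default columns a pre-upgrade table_attributes override leaves out. The sample conf is constructed, and its [incident_review] stanza name is an assumption.

```python
import json
import re

# Default Incident Review columns for ES 6.6.0, as listed on this page.
ES_660_DEFAULT_FIELDS = [
    "rule_title", "risk_object", "risk_score", "risk_event_count",
    "notable_type", "_time", "disposition_label", "security_domain",
    "urgency", "status_label", "owner_realname",
]

def join_continuations(conf_text):
    """Join Splunk .conf lines ending in a backslash into single logical lines."""
    lines, buf = [], ""
    for raw in conf_text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1]
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines

def read_table_attributes(conf_text):
    """Field names from a table_attributes setting, or None when the key is absent."""
    for line in join_continuations(conf_text):
        m = re.match(r"\s*table_attributes\s*=\s*(.*)$", line)
        if m:
            return [col["field"] for col in json.loads(m.group(1))]
    return None

def missing_ir_fields(local_conf_text):
    """6.6.0 default columns that a local override drops (empty list if no override)."""
    present = read_table_attributes(local_conf_text)
    if present is None:
        return []
    return [f for f in ES_660_DEFAULT_FIELDS if f not in present]

# Constructed sample: a pre-6.6 local override that never listed the Disposition
# column. The [incident_review] stanza name is an assumption, not taken from this page.
SAMPLE_LOCAL_LOG_REVIEW_CONF = """[incident_review]
table_attributes = [\\
    {"field": "rule_title", "label": "Title"},\\
    {"field": "_time", "label": "Time"},\\
    {"field": "security_domain", "label": "Security Domain"},\\
    {"field": "urgency", "label": "Urgency"},\\
    {"field": "status_label", "label": "Status"},\\
    {"field": "owner_realname", "label": "Owner"}\\
]
"""
```

Running missing_ir_fields on a local conf copied from the search head tells you at a glance whether removing the override, or adding the listed fields, is the right fix.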
2021-09-01 SOLNESS-28019 Using the same value for the aggregate and the field in the "by" clause of a stats command in a multi-search returns an empty value.

Workaround:
Use the UI to remove the *DNS.dest as dest* aggregate from the *Network_Resolution* dataset using the Threat Match editor.
  1. Navigate to the *Threat Intelligence Management* page and click *Threat Matching*.
  2. Click on *dest* to edit the threat match configuration.
  3. Scroll down the Threat Match editor and click the pencil icon next to the Network_Resolution data model. Three fields are displayed for *Aggregate*.
  4. Click *X* next to *DNS.dest as dest* to delete the aggregate.
  5. Click *Save*.

The underlying search no longer contains values(DNS.dest) in the tstats search for *Network_Resolution*. If you re-run the search manually, the *dest* field is no longer displayed and its value is represented under the *threat_match_value* field.


2021-08-27 SOLNESS-27985 Incident Review sorting reverts to chronological ordering when switching between pages, instead of the default reverse-chronological order.
2021-08-08 SOLNESS-27747 Notable event suppressions do not work after an upgrade to ES 6.6.0 and Splunk 8.2.1. Notable event suppression worked in ES 6.2.0 and Splunk 8.0.4.1.

Workaround:
Move the suppression filter, | `suppression_extract` | search NOT suppression=*, in the Incident Review SPL to the end of the search string.
The Incident Review SPL is located in the following configuration files:

/apps/SA-ThreatIntelligence/default/savedsearches.conf and /apps/SA-ThreatIntelligence/local/savedsearches.conf
The Incident Review SPL displays as follows:
[Incident Review - Main]
search = $time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ | `suppression_extract` | search NOT suppression=* | eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id | fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ | `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ | `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` | `get_notable_type` | search $type_filter$
is_visible = false

You can change this to:
[Incident Review - Main]
search = $time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ | eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id | fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ | `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ | `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag | `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` | `get_notable_type` | search $type_filter$ | `suppression_extract` | search NOT suppression=*
is_visible = false
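An added helper, not from the Splunk documentation, that applies this workaround mechanically and lets you verify it: it moves the suppression filter stage to the end of the search key in the [Incident Review - Main] stanza, leaves every other stanza alone, and reports whether the filter is already the last stage. The search string shown above is used as the sample input.

```python
import re

SUPPRESSION_FILTER = "| `suppression_extract` | search NOT suppression=*"

def move_suppression_filter_to_end(spl):
    """Move the suppression filter stage to the end of the pipeline (unchanged if absent)."""
    idx = spl.find(SUPPRESSION_FILTER)
    if idx < 0:
        return spl
    before = spl[:idx].rstrip()
    after = spl[idx + len(SUPPRESSION_FILTER):].strip()
    body = before + (" " + after if after else "")
    return body + " " + SUPPRESSION_FILTER

def suppression_filter_is_last(spl):
    """True when the suppression filter is the final stage, i.e. the workaround is in place."""
    return spl.rstrip().endswith(SUPPRESSION_FILTER)

def patch_incident_review_conf(conf_text):
    """Rewrite only the search key of [Incident Review - Main]; other stanzas are left alone."""
    out, in_stanza = [], False
    for line in conf_text.splitlines():
        if line.startswith("["):
            in_stanza = line.strip() == "[Incident Review - Main]"
        m = re.match(r"^(search\s*=\s*)(.*)$", line)
        if in_stanza and m:
            line = m.group(1) + move_suppression_filter_to_end(m.group(2))
        out.append(line)
    return "\n".join(out) + "\n"

# The 6.6.0 search string shown above, used here as sample input.
ORIGINAL_SPL = (
    "$time_filter$ (`get_notable_index` OR `get_sequenced_index`) $source_filter$ "
    "| `suppression_extract` | search NOT suppression=* "
    "| eval `get_event_id_meval`,rule_id=event_id | search $event_id_filter$ | dedup rule_id "
    "| fields - host_* | tags outputfield=tag | `mvappend_field(tag,orig_tag)` "
    "| `notable_xref_lookup` | `get_correlations` | search $security_domain_filter$ "
    "| `get_current_status` | search $status_filter$ | `get_owner` | search $owner_filter$ "
    "| `get_urgency` | search $urgency_filter$ | typer | tags outputfield=tag "
    "| `mvappend_field(tag,orig_tag)` | search $tag_filter$ | `risk_correlation` "
    "| `get_notable_type` | search $type_filter$"
)
SAMPLE_CONF = "[Incident Review - Main]\nsearch = " + ORIGINAL_SPL + "\nis_visible = false\n"
```

Run suppression_filter_is_last against the search key in your local savedsearches.conf after the change to confirm the workaround is in place before re-checking Incident Review.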

2021-07-26 SOLNESS-27648 "Save Filter" on the Incident Review page hangs when you save the filters using the "ess_analyst" role.

Workaround:
Give the specific roles that need it (for example, ess_analyst) write permissions to the filter_sets collection to fix the issue.
Last modified on 15 September, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.0
