Known issues for Splunk Enterprise Security
Splunk Enterprise Security version 6.6.2 was released in September 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.
Date filed | Issue number | Description |
---|---|---|
2023-03-28 | SOLNESS-35291 | Threat Intelligence Framework is not passing the weights of Indicators of Compromise (IOCs). |
2022-08-12 | SOLNESS-32134 | Correlation search for ES Threat Activity Detected is incorrect. |
2022-03-09 | SOLNESS-30261 | Improved page load performance in the Splunk Enterprise Security Content Management page. Workaround: N/A. I have created a TO based on https://splunk.atlassian.net/browse/TO-146839 and https://splunk.atlassian.net/browse/CCAB-2792. |
2022-02-11 | SOLNESS-29960 | Investigation summary does not display all the columns correctly when notable events contain long fields and nonbreaking values. |
2022-01-12 | SOLNESS-29657 | Clicking the Actions dropdown for notables on the Incident Review page results in a blank page. Workaround: Ensure that the following workflow actions are enabled: `modaction_results` and `modaction_invocations`. You can enable these two default workflow actions using the Splunk Enterprise Security UI as follows: |
2022-01-05 | SOLNESS-29516 | The `inputintelligence` custom search command that converts non-threat intelligence as CSV fails to parse with the error message: "dict contains fields not in fieldnames". |
2021-12-08 | SOLNESS-29306 | Excessively long non-breaking string field values cause navigation issues in the Incident Review page. |
2021-12-07 | SOLNESS-29301 | Error in saving search-driven lookups is caused by an endpoint that is gated by administrator privileges. Workaround: Write to a publicly available endpoint that does not require the user to have such a high-level capability. |
2021-12-07 | SOLNESS-29300 | Errors with managed roles when loading the Permissions Manager page. |
2021-12-01 | SOLNESS-29283 | The STIX parser in threat intelligence doesn't detect indicators or observables in "report" objects. |
2021-12-01 | SOLNESS-29277 | After a page refresh, the users who were added to an investigation did not display as part of the investigation. |
2021-11-29 | SOLNESS-29139 | Splunk Enterprise Security is unable to read the entire threat intelligence feed when using TAXII protocol due to pagination issues. |
2021-11-04 | SOLNESS-28926 | Using the Risk Factor Editor with a custom role that has the "edit_risk_factor" capability displays an error. Workaround: Edit `etc/apps/SA-ThreatIntelligence/metadata/local.meta` and add write permissions for your user under the `[risk_factors]` and `[datamodels/Risk]` stanzas: `[risk_factors]` `access = read : [ * ], write : [ admin, my_user ]` `[datamodels/Risk]` `access = read : [ * ], write : [ admin, my_user ]` |
2021-11-02 | SOLNESS-28904 | Incident Review: When the Event Table reloads while editing a notable, you can potentially edit different or all matching notables. Workaround: Wait for the Event Table to fully load. If the count does change while the Edit modal is open, close the modal, reselect the notables you want to edit, and press Edit again after the Event Table has fully loaded. |
2021-10-15 | SOLNESS-28622 | Field value substitution does not work in workflow actions and does not extract or replace variables as expected. You might see the variable for "$source$" instead of the field value when you use a custom workflow action. Workaround: No workaround exists currently. However, installing 7.0.0 when it becomes available will resolve the issue. |
2021-10-14 | SOLNESS-28617 | Incident Review page: the Save button remains disabled when adding a comment on a notable event. |
2021-10-06 | SOLNESS-28565 | Unable to add an Additional Collaborator to an Investigation; the request fails with HTTP 400: "Investigation must use existings users as collaborators". Workaround: In `SplunkEnterpriseSecuritySuite/lib/InvestigationComponents.py`, change the request arguments to: `getargs={'output_mode': 'json', 'count': 0},` |
2021-09-24 | SOLNESS-28349 | Incident Review is empty with the JavaScript error `TypeError: e.replace is not a function` when displaying notables with a multivalue field. Workaround: Add the following two lines at the end of the saved search "Incident Review - Main" to ensure that all the fields have a single value. Alternatively, remove the columns from the Incident Review table that might potentially have multivalue fields. For more information, see https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns. |
2021-09-21 | SOLNESS-28240 | Incident Review: A freeform keyword search matches only the `_raw` of the notable and does not include the title of the correlation search (if it differs from the rule name). |
2021-09-16 | SOLNESS-28194 | Incident Review: When using the "Date & Time Range" option for the time picker, the selected time changes when pressing Apply if the user's timezone doesn't match the server timezone. |
2021-09-14 | SOLNESS-28180 | Unable to load a newly created ad hoc managed lookup from Content Management. Workaround: Edit the permissions of the lookup to export globally and grant read/write to the appropriate users. |
2021-09-07 | SOLNESS-28048 | Incident Review: Workflow actions of action type "search" are broken after upgrade. |
2021-09-07 | SOLNESS-28046 | If "Incident Review - Table Attributes" was changed before the upgrade to ES 6.6, Incident Review is missing new fields such as Disposition. Workaround: Check whether `table_attributes` exists in `/etc/apps/SA-ThreatIntelligence/local/log_review.conf` and remove it to revert to the defaults for 6.6 (and customize again afterwards if needed), or manually add the fields below to the table as described in the following documentation: https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns. Defaults for 6.6.0: `table_attributes = [\ {"field": "rule_title", "label": "Title"},\ {"field": "risk_object", "label": "Risk Object"},\ {"field": "risk_score", "label": "Aggregated Risk Score"},\ {"field": "risk_event_count", "label": "Risk Events"},\ {"field": "notable_type", "label": "Type"},\ {"field": "_time", "label": "Time"},\ {"field": "disposition_label", "label": "Disposition"},\ {"field": "security_domain", "label": "Security Domain"},\ {"field": "urgency", "label": "Urgency"},\ {"field": "status_label", "label": "Status"},\ {"field": "owner_realname", "label": "Owner"}\ ]` |
2021-09-01 | SOLNESS-28019 | The "src" or "dest" fields of Threat Activity events show as "unknown" even though "threat_match_fields" is "src" or "dest". Workaround: 1. Navigate to the Threat Intelligence Management page and click on the Threat Matching tab. |
2021-08-31 | SOLNESS-28002 | The ES Traffic Center dashboard is still using the deprecated saved search. |
2021-05-12 | SOLNESS-26883 | Annotations configured on correlation search editor do not display on the Incident Review page. |
2021-04-29 | SOLNESS-26712 | The Incident Review page loads slowly after an upgrade to Splunk Enterprise Security version 6.4 or higher. Workaround: Add a reasonable time period to the `get_active_correlations` macro, for example `earliest = -90d`. Otherwise, correlation searches that do not create a notable within that time frame cannot be selected as an option in the filters when the Incident Review page loads. The macro should look something like this after editing: `tstats values(source) as source where `get_notable_index` earliest = -90d | mvexpand source | lookup correlationsearches_lookup _key as source OUTPUTNEW rule_name` |
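A check for the SOLNESS-28046 workaround above, as an added example that is not part of the Splunk documentation: it parses a `table_attributes` value (including Splunk's backslash line continuations) out of a `log_review.conf` body and lists which of the 6.6.0 default Incident Review columns a pre-upgrade customisation is missing. The stanza name and the sample conf text are constructed for illustration.

```python
import json
import re

# Default Incident Review columns shipped with ES 6.6.0, as listed in the SOLNESS-28046 entry.
DEFAULT_TABLE_ATTRIBUTES = [
    {"field": "rule_title", "label": "Title"},
    {"field": "risk_object", "label": "Risk Object"},
    {"field": "risk_score", "label": "Aggregated Risk Score"},
    {"field": "risk_event_count", "label": "Risk Events"},
    {"field": "notable_type", "label": "Type"},
    {"field": "_time", "label": "Time"},
    {"field": "disposition_label", "label": "Disposition"},
    {"field": "security_domain", "label": "Security Domain"},
    {"field": "urgency", "label": "Urgency"},
    {"field": "status_label", "label": "Status"},
    {"field": "owner_realname", "label": "Owner"},
]

def join_continuations(text):
    """Join Splunk .conf lines that end in a backslash into one logical line."""
    return re.sub(r"\\\s*\n", "", text)

def parse_table_attributes(conf_text):
    """Return the table_attributes list from a log_review.conf body, or None if absent."""
    for line in join_continuations(conf_text).splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "table_attributes":
            return json.loads(value.strip())
    return None

def missing_default_fields(conf_text):
    """Default 6.6.0 fields absent from a customised table_attributes (empty if no override)."""
    custom = parse_table_attributes(conf_text)
    if custom is None:
        return []
    present = {entry["field"] for entry in custom}
    return [d["field"] for d in DEFAULT_TABLE_ATTRIBUTES if d["field"] not in present]

# Constructed sample of a local/log_review.conf customised before the 6.6 upgrade;
# the stanza name is assumed for illustration. It lacks the Disposition and risk columns.
SAMPLE_LOCAL_CONF = """[incident_review]
table_attributes = [\\
 {"field": "rule_title", "label": "Title"},\\
 {"field": "_time", "label": "Time"},\\
 {"field": "urgency", "label": "Urgency"},\\
 {"field": "status_label", "label": "Status"},\\
 {"field": "owner_realname", "label": "Owner"}\\
 ]
"""
```

Run `missing_default_fields` over the contents of `etc/apps/SA-ThreatIntelligence/local/log_review.conf` to see which columns (such as `disposition_label`) need adding back after the upgrade.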
This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.2