Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Known issues for Splunk Enterprise Security

Splunk Enterprise Security version 6.6.2 was released on September, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.


Date filed Issue number Description
2022-02-11 SOLNESS-29960 Investigation summary does not display all the columns correctly when notable events contain long fields and nonbreaking values.
2022-01-05 SOLNESS-29516 The inputintelligence custom search command that converts non-threat intelligence as CSV, fails to parse with a "dict contains fields not in fieldnames:" error.
2021-12-08 SOLNESS-29306 Excessive long non-breaking string field values causes navigation issues in the Incident Review page.
2021-12-07 SOLNESS-29300 Errors with managed roles when loading the Permissions Manager page.
2021-12-07 SOLNESS-29301 Error in search-driven lookups caused by endpoint gated by administrator privileges.

Workaround:
Write to a publically available endpoint, that does not require the user to have such a high-level capability
2021-12-01 SOLNESS-29277 After a page refresh, the users who were added to an investigation were not displaying as part of the investigation.
2021-12-01 SOLNESS-29283 Threat Intel - Stix parser doesn't detect indicators or observables in "report" objects
2021-11-29 SOLNESS-29139 Splunk Enterprise Security is unable to read the entire threat intelligence feed when using TAXII protocol due to pagination issues.
2021-11-04 SOLNESS-28926 Error using Risk Factor Editor with a custom role that has "edit_risk_factor" capability.

Workaround:
Edit etc/apps/SA-ThreatIntelligence/metadata/local.meta and add write permissions for your user under the risk_factors and datamodels/Risk stanzas:

{code:java} [risk_factors]

access = read : [ * ], write : [ admin, my_user ]

[datamodels/Risk] access = read : [ * ], write : [ admin, my_user ]{code}

2021-11-02 SOLNESS-28904 Incident Review: When the Event Table reloads while editing a notable, you can potentially edit different or all matching notables

Workaround:
Wait for the Event Table to fully load.

If the count does change while having the Edit modal open, close the modal, reselect the notables you want to edit and press Edit again, after the Event Table has fully loaded.

2021-10-15 SOLNESS-28622 Field value substitution does not work in workflow actions and does not extract or replace variables as expected. You might see the variable for "$source$" instead of the field value when you use a custom workflow action.

Workaround:
No workaround exists currently. However, installing 7.0.0 when it becomes available will resolve the issue.
2021-10-14 SOLNESS-28617 IR page - Save button remains disabled when adding a comment on NE
2021-10-06 SOLNESS-28565 Unable to add Additional Collaborator to Investigation with HTTP 400: "Investigation must use existings users as collaborators"

Workaround:
SplunkEnterpriseSecuritySuite/lib/InvestigationComponents.py

Changed to: getargs={'output_mode': 'json', 'count': 0},

2021-09-24 SOLNESS-28349 Incident Review is empty with javascript error TypeError: e.replace is not a function when displaying notables with a multivalue field.

Workaround:
Add the following two lines at the end of the saved search Incident Review - Main to ensure that all the fields have a single value.

| foreach * [| eval "<<FIELD>>"=mvjoin('<<FIELD>>'," ")] This breaks the separate context menu for multivalue fields in the details of a notable. Remove the local copy of this search after upgrading to a version where this issue is resolved.

OR

Remove the columns from the Incident Review table that might potentially have multivalue fields. For more information, see https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

2021-09-21 SOLNESS-28240 Incident Review: Freeform search with keyword only matching _raw of notable, but doesn't include the title of the correlation search (if different from the rule name)
2021-09-16 SOLNESS-28194 Incident Review: When using the "Date & Time Range" option for the timepicker, the selected time will change when pressing Apply if the user timezone doesn't match the server timezone
2021-09-14 SOLNESS-28180 Unable to load a newly created adhoc managed lookup from Content Management.

Workaround:
Edit the permissions of the lookup to export globally and read/write to the appropriate users.
2021-09-07 SOLNESS-28048 Incident Review: Workflow actions broken after upgrade for action type "search"
2021-09-07 SOLNESS-28046 If "Incident Review - Table Attributes" has been changed before upgrade to ES 6.6, Incident Review is missing new fields, like Disposition

Workaround:
You can check if "table_attributes" in /etc/apps/SA-ThreatIntelligence/local/log_review.conf exists, and remove it to revert to the defaults for. 6.6 (and customize again after if needed)

or manually add the fields below to the table as indicated in the following documentation: https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

Defaults for 6.6.0:

table_attributes = [\
                    {"field": "rule_title",            "label": "Title"},\
                    {"field": "risk_object",           "label": "Risk Object"},\
                    {"field": "risk_score",            "label": "Aggregated Risk Score"},\
                    {"field": "risk_event_count",      "label": "Risk Events"},\
                    {"field": "notable_type",          "label": "Type"},\
                    {"field": "_time",                 "label": "Time"},\
                    {"field": "disposition_label",     "label": "Disposition"},\
                    {"field": "security_domain",       "label": "Security Domain"},\
                    {"field": "urgency",               "label": "Urgency"},\
                    {"field": "status_label",          "label": "Status"},\
                    {"field": "owner_realname",        "label": "Owner"}\
                   ]
2021-09-01 SOLNESS-28019 "src" or "dest" fields of Threat Activity events showing as "unknown" even though "threat_match_fields" is "src" or "dest"

Workaround:
# Navigate to the threat intelligence management page and click on the threat matching tab
  1. Click on, for example, "src" to edit that threat match configuration
  2. Scroll down on the modal and click the pencil for the first data model dataset
  3. Click on the "+ Add aggregate" and add "<datamodel>.src as src" to add the source field as an aggregate.
  4. Click Save.
  5. Repeat for other datasets as needed
  6. Repeat all steps for other threatmatch configurations as needed
2021-08-31 SOLNESS-28002 . ES Traffic centre dashboard is still using the deprecated saved search.
2021-04-29 SOLNESS-26712 Incident review page loads slowly after an upgrade to Splunk Enterprise Security version 6.4 or higher.

Workaround:
Add a reasonable time period to the get_active_correlations macro. For example, earliest = -90d.
Otherwise, correlation searches that do not create a notable within that time frame cannot be selected as an option in the filters when the Incident Review page loads.

The macro should look something like this after editing:

tstats values(source) as source where {{get_notable_index}} earliest = -90d | mvexpand source | lookup correlationsearches_lookup _key as source OUTPUTNEW rule_name
Last modified on 25 March, 2022
PREVIOUS
Fixed issues for Splunk Enterprise Security
  NEXT
How to find answers and get help with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.2


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters