Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security version 6.6.2 was released on September, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.


Date filed Issue number Description
2023-03-28 SOLNESS-35291 Threat Intelligence Framework is not passing the weights of Indicators of Compromise (IOCs).
2022-08-12 SOLNESS-32134 Correlation search for ES Threat Activity Detected is incorrect.
2022-03-09 SOLNESS-30261 Improved page load performance in Splunk Enterprise Security Content Management page.

Workaround:
N/A I have created a TO based on https://splunk.atlassian.net/browse/TO-146839 and https://splunk.atlassian.net/browse/CCAB-2792

Repro https://splunk.zoom.us/rec/share/wa11e9jZK9WMOBUzQfXGoBrUVGJOSQjc_b-3EpgGgHJR1xJ_z4Zhi5EC9bK9Ga4L.Kt5BenxYMrJRNMN7

2022-02-11 SOLNESS-29960 Investigation summary does not display all the columns correctly when notable events contain long fields and nonbreaking values.
2022-01-12 SOLNESS-29657 Clicking the Actions dropdown for notables on the Incident Review page results in a blank page.

Workaround:
Ensure that the following workflow actions: modaction_results and modaction_invocations are enabled. You can enable these two default workflow actions using the Splunk Enterprise Security UI as follows:
  1. Click *Settings > Fields >Workflow Actions.
  2. * Search for modaction_results and select *Enable*. Alternatively, you can upgrade Splunk Enterprise Security to version 7.0.x.

2022-01-05 SOLNESS-29516 The inputintelligence custom search command that converts non-threat intelligence as CSV fails to parse with the error message: "dict contains fields not in fieldnames".
2021-12-08 SOLNESS-29306 Excessive long non-breaking string field values causes navigation issues in the Incident Review page.
2021-12-07 SOLNESS-29301 Error in saving search-driven lookups is caused by an endpoint, which is gated by administrator privileges.

Workaround:
Write to a publically available endpoint, that does not require the user to have such a high-level capability
2021-12-07 SOLNESS-29300 Errors with managed roles when loading the Permissions Manager page.
2021-12-01 SOLNESS-29283 The stix parser in threat intelligence doesn't detect indicators or observables in "report" objects.
2021-12-01 SOLNESS-29277 After a page refresh, the users who were added to an investigation did not display as part of the investigation.
2021-11-29 SOLNESS-29139 Splunk Enterprise Security is unable to read the entire threat intelligence feed when using TAXII protocol due to pagination issues.
2021-11-04 SOLNESS-28926 Using the Risk Factor Editor with a custom role that has "edit_risk_factor" capability displays an error.

Workaround:
Edit etc/apps/SA-ThreatIntelligence/metadata/local.meta and add write permissions for your user under the risk_factors and datamodels/Risk stanzas:

{code:java} [risk_factors]

access = read : [ * ], write : [ admin, my_user ]

[datamodels/Risk] access = read : [ * ], write : [ admin, my_user ]{code}

2021-11-02 SOLNESS-28904 Incident Review: When the Event Table reloads while editing a notable, you can potentially edit different or all matching notables

Workaround:
Wait for the Event Table to fully load.

If the count does change while having the Edit modal open, close the modal, reselect the notables you want to edit and press Edit again, after the Event Table has fully loaded.

2021-10-15 SOLNESS-28622 Field value substitution does not work in workflow actions and does not extract or replace variables as expected. You might see the variable for "$source$" instead of the field value when you use a custom workflow action.

Workaround:
No workaround exists currently. However, installing 7.0.0 when it becomes available will resolve the issue.
2021-10-14 SOLNESS-28617 IR page - Save button remains disabled when adding a comment on NE
2021-10-06 SOLNESS-28565 Unable to add Additional Collaborator to Investigation with HTTP 400: "Investigation must use existings users as collaborators"

Workaround:
SplunkEnterpriseSecuritySuite/lib/InvestigationComponents.py

Changed to: getargs={'output_mode': 'json', 'count': 0},

2021-09-24 SOLNESS-28349 Incident Review is empty with javascript error TypeError: e.replace is not a function when displaying notables with a multivalue field.

Workaround:
Add the following two lines at the end of the saved search Incident Review - Main to ensure that all the fields have a single value.

| foreach * [| eval "<<FIELD>>"=mvjoin('<<FIELD>>'," ")] This breaks the separate context menu for multivalue fields in the details of a notable. Remove the local copy of this search after upgrading to a version where this issue is resolved.

OR

Remove the columns from the Incident Review table that might potentially have multivalue fields. For more information, see https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

2021-09-21 SOLNESS-28240 Incident Review: Freeform search with keyword only matching _raw of notable, but doesn't include the title of the correlation search (if different from the rule name)
2021-09-16 SOLNESS-28194 Incident Review: When using the "Date & Time Range" option for the timepicker, the selected time will change when pressing Apply if the user timezone doesn't match the server timezone
2021-09-14 SOLNESS-28180 Unable to load a newly created adhoc managed lookup from Content Management.

Workaround:
Edit the permissions of the lookup to export globally and read/write to the appropriate users.
2021-09-07 SOLNESS-28048 Incident Review: Workflow actions broken after upgrade for action type "search"
2021-09-07 SOLNESS-28046 If "Incident Review - Table Attributes" has been changed before upgrade to ES 6.6, Incident Review is missing new fields, like Disposition

Workaround:
You can check if "table_attributes" in /etc/apps/SA-ThreatIntelligence/local/log_review.conf exists, and remove it to revert to the defaults for. 6.6 (and customize again after if needed)

or manually add the fields below to the table as indicated in the following documentation: https://docs.splunk.com/Documentation/ES/6.6.2/Admin/CustomizeIR#Change_Incident_Review_columns.

Defaults for 6.6.0:

table_attributes = [\
                    {"field": "rule_title",            "label": "Title"},\
                    {"field": "risk_object",           "label": "Risk Object"},\
                    {"field": "risk_score",            "label": "Aggregated Risk Score"},\
                    {"field": "risk_event_count",      "label": "Risk Events"},\
                    {"field": "notable_type",          "label": "Type"},\
                    {"field": "_time",                 "label": "Time"},\
                    {"field": "disposition_label",     "label": "Disposition"},\
                    {"field": "security_domain",       "label": "Security Domain"},\
                    {"field": "urgency",               "label": "Urgency"},\
                    {"field": "status_label",          "label": "Status"},\
                    {"field": "owner_realname",        "label": "Owner"}\
                   ]
2021-09-01 SOLNESS-28019 "src" or "dest" fields of Threat Activity events showing as "unknown" even though "threat_match_fields" is "src" or "dest"

Workaround:
# Navigate to the threat intelligence management page and click on the threat matching tab
  1. Click on, for example, "src" to edit that threat match configuration
  2. Scroll down on the modal and click the pencil for the first data model dataset
  3. Click on the "+ Add aggregate" and add "<datamodel>.src as src" to add the source field as an aggregate.
  4. Click Save.
  5. Repeat for other datasets as needed
  6. Repeat all steps for other threatmatch configurations as needed
2021-08-31 SOLNESS-28002 . ES Traffic centre dashboard is still using the deprecated saved search.
2021-05-12 SOLNESS-26883 Annotations configured on correlation search editor do not display on the Incident Review page.
2021-04-29 SOLNESS-26712 Incident review page loads slowly after an upgrade to Splunk Enterprise Security version 6.4 or higher.

Workaround:
Add a reasonable time period to the get_active_correlations macro. For example, earliest = -90d.
Otherwise, correlation searches that do not create a notable within that time frame cannot be selected as an option in the filters when the Incident Review page loads.

The macro should look something like this after editing:

tstats values(source) as source where {{get_notable_index}} earliest = -90d | mvexpand source | lookup correlationsearches_lookup _key as source OUTPUTNEW rule_name
Last modified on 28 August, 2023
Fixed issues for Splunk Enterprise Security   How to find answers and get help with Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters