Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.0.0 was released on December 16, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues:


Date filed Issue number Description
2023-03-28 SOLNESS-35291 Threat Intelligence Framework is not passing the weights of Indicators of Compromise (IOCs).
2022-12-19 SOLNESS-34219 Workflow action on ES does not populate the $field$ in Incident Review.
2022-08-12 SOLNESS-32134 Correlation search for ES Threat Activity Detected is incorrect.
2022-08-11 SOLNESS-32131 Unable to edit lookup files in Splunk Enterprise Security using Content Management.
2022-06-22 SOLNESS-31435 The nslookup command does not work on Splunk Enterprise Security running on Windows.
2022-06-13 SOLNESS-31295, SOLNESS-30377 Extreme lag in displaying dropdown values for large amounts of data, for example Short IDs.
2022-06-06 SOLNESS-31223 Slow performance for the Content Management and Incident Review dashboards.

Workaround:
n/a
2022-04-19 SOLNESS-30749 Excessively large threat intelligence sources are not ingested by the Splunk Enterprise Security Threat Intelligence framework.
2022-03-01 SOLNESS-30155 The Contributing Events link in the Risk Event Timeline does not always work.
2022-02-25 SOLNESS-30133 The src or dest fields of Threat Activity events are displayed as Unknown even when threat_match_fields is src or dest.

Workaround:
  1. Navigate to the Threat Intelligence Management page and click the Threat Matching tab.
  2. Click a threat match configuration, for example "src", to edit it.
  3. Scroll down in the modal and click the pencil icon for the first data model dataset.
  4. Click "+ Add aggregate" and add "<datamodel>.src as src" to expose the source field as an aggregate.
  5. Click Save.
  6. Repeat for the other datasets as needed.
  7. Repeat all steps for the other threat match configurations (for example "dest") as needed.

2022-02-11 SOLNESS-29960 Investigation summary does not display all the columns correctly when notable events contain long fields and non-breaking values.
2022-01-31 SOLNESS-29833, SOLNESS-29851 Annotations do not display numerical values.
2022-01-31 SOLNESS-29825 Short IDs created before upgrading to ES 7.0 do not show up in Incident Review even though the Short ID is in the notable_xref_lookup.

Workaround:
When you upgrade Splunk Enterprise Security to version 7.0.0 or higher, the short IDs for notables that were created before the upgrade are not displayed on the Incident Review page. However, you can recreate all the short IDs that existed before the upgrade.
2022-01-19 SOLNESS-29684 The "Add a Collaborator" and "Active Collaborator" buttons are grayed out in the Investigations page.
2022-01-17 SOLNESS-29675 Error message "Cannot read properties of undefined (reading 'entry')".

Workaround:
ZScaler is truncating API responses. If you are running ZScaler, disabling it eliminates this problem entirely. Contact ZScaler support to address the issue.
2022-01-12 SOLNESS-29657 Clicking the Actions dropdown for notables on the Incident Review page results in a blank page.

Workaround:
Ensure that the modaction_results and modaction_invocations workflow actions are enabled. You can enable these two default workflow actions in the Splunk Enterprise Security UI as follows:
  1. Click Settings > Fields > Workflow Actions.
  2. Search for modaction_results and select Enable.
  3. Repeat for modaction_invocations.
Alternatively, you can upgrade Splunk Enterprise Security to a later 7.0.x release.
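
To confirm that the workaround took effect from the merged configuration rather than by eye in the UI, the following POSIX shell script, an added example that is not part of the Splunk documentation, reads workflow_actions.conf stanzas (the format that `splunk btool workflow_actions list` prints) and reports whether both actions are enabled. The sample stanzas and their labels are constructed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Splunk docs: verify from the effective
# configuration that the two workflow actions the workaround depends on are
# enabled. The stanzas live in workflow_actions.conf; feed this the merged
# view from btool:
#   $SPLUNK_HOME/bin/splunk btool workflow_actions list | check_incident_review_actions

# Read conf-style text on stdin. Returns 0 if the stanza [name] exists and is
# not disabled, 1 if it is disabled, 2 if the stanza is missing entirely.
workflow_action_enabled() {
    awk -v want="[$1]" '
        $0 == want                    { in_stanza = 1; found = 1; next }
        /^\[/                         { in_stanza = 0 }
        in_stanza && $1 == "disabled" { val = $NF }
        END {
            if (!found) exit 2
            if (val == "1" || val == "true") exit 1
            exit 0
        }'
}

# Check both actions from one conf dump (read into a variable so the same
# text can be fed to each check). Prints one status line per action and
# returns 0 only if both are enabled.
check_incident_review_actions() {
    conf=$(cat)
    rc=0
    for action in modaction_results modaction_invocations; do
        if printf '%s\n' "$conf" | workflow_action_enabled "$action"; then
            echo "$action: enabled"
        else
            echo "$action: disabled or missing (enable it under Settings > Fields > Workflow Actions)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (assumed, minimal stanzas): one action has been disabled.
SAMPLE_CONF='[modaction_results]
label = View Results
disabled = 1

[modaction_invocations]
label = View Adaptive Response Invocations
disabled = 0'

if printf '%s\n' "$SAMPLE_CONF" | check_incident_review_actions; then
    echo "Incident Review Actions menu prerequisites satisfied"
else
    echo "fix the actions listed above, then reload Incident Review"
fi
```

Run it against the real merged view rather than a single app's local file: the `disabled` key may be set in any app that layers over the default, and btool resolves that precedence for you.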

2021-12-09 SOLNESS-29317 The Risk Factor editor does not update the risk factors in the SPL preview when the risk factor is changed.
2021-12-08 SOLNESS-29306 Excessively long non-breaking string field values cause navigation issues on the Incident Review page.
2021-12-01 SOLNESS-29283 The STIX parser in threat intelligence does not detect indicators or observables in "report" objects.
2021-11-19 SOLNESS-29106 Tooltip for timechart visualizations does not work as expected when the browser's timezone is not the same as the timezone of the Splunk instance.

Workaround:
  1. Click your username in the Splunk navigation menu.
  2. Scroll to Preferences.
  3. For the timezone option, select the timezone that matches your browser's timezone.
  4. Click Apply.
2021-11-10 SOLNESS-28972 "Invalid key" warning for the supported_theme key when starting Splunk or running btool on Splunk Enterprise 8.1.* or 8.2.*.

Workaround:
None required. This is a benign warning that may appear on the CLI when starting, restarting, or running the "btool check" command on Splunk Enterprise 8.1.7 or 8.2.3 with ES 7.0.0 or higher.
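
The warning is harmless, but a habit of ignoring all "Invalid key" output will also hide genuine .conf typos, which btool reports with the same wording. The following POSIX shell function, an added example that is not from the Splunk documentation, drops only the supported_theme lines from btool output and fails if any other invalid-key warning remains. The sample lines are constructed, and the exact message format is assumed from btool's usual "Invalid key in stanza [...] in <file>, line N: key  (value:  v)." wording.

```shell
#!/bin/sh
# Added example, not part of the Splunk documentation: keep the benign
# supported_theme "Invalid key" warning from masking real configuration
# errors. Any other invalid key btool reports (typically a typo in a .conf
# file) is printed and the function returns 1, so it can gate a deployment:
#   $SPLUNK_HOME/bin/splunk btool check 2>&1 | check_btool_warnings

# Read btool output on stdin. Prints every "Invalid key" line that is not
# about supported_theme; returns 0 if none remain, 1 otherwise. The count of
# suppressed benign lines goes to stderr so stdout stays machine-readable.
check_btool_warnings() {
    input=$(cat)
    benign=$(printf '%s\n' "$input" | grep -ic 'invalid key.*supported_theme' || true)
    leftover=$(printf '%s\n' "$input" | grep -i 'invalid key' | grep -v 'supported_theme' || true)
    echo "suppressed $benign benign supported_theme warning(s)" >&2
    if [ -n "$leftover" ]; then
        printf '%s\n' "$leftover"
        return 1
    fi
    return 0
}

# Constructed sample lines (assumed format, modelled on btool's wording).
BENIGN_LINE='Invalid key in stanza [ui] in /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/default/app.conf, line 12: supported_theme  (value:  light).'
TYPO_LINE='Invalid key in stanza [default] in /opt/splunk/etc/apps/search/local/savedsearches.conf, line 3: disbaled  (value:  0).'
SAMPLE_BENIGN="$BENIGN_LINE"
SAMPLE_MIXED="$BENIGN_LINE
$TYPO_LINE"

# Demo: the benign-only sample passes; the mixed sample surfaces the typo.
if printf '%s\n' "$SAMPLE_BENIGN" | check_btool_warnings; then
    echo "benign-only sample: ok"
fi
if printf '%s\n' "$SAMPLE_MIXED" | check_btool_warnings; then
    echo "mixed sample: unexpected pass"
else
    echo "mixed sample: real warning found, fix it before restarting"
fi
```

The pattern is deliberately narrow (only the supported_theme key is excused); widening it to all "Invalid key" lines would defeat the purpose of running `btool check` before a restart.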
2021-05-12 SOLNESS-26883 Annotations configured on correlation search editor do not display on the Incident Review page.
Last modified on 28 August, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.0

