Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.0.2 was released on October 5, 2022. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.

This release includes the following known issues.

Date filed	Issue number	Description
2023-02-22	SOLNESS-34979	Threatlists might be re-downloaded every 30-60 seconds.
2023-01-27	SOLNESS-34582	Update the language for field and field description in Correlation Search Editor.
2022-12-28	SOLNESS-34278	Failed to clone search - ES 7.0.2
2022-12-19	SOLNESS-34219	Workflow action on ES does not populate the $field$ in Incident Review.
2022-12-16	SOLNESS-34200	Workflow actions do not work as expected.
2022-12-15	SOLNESS-34193	Content Management does not show "Search and Reporting" app in ES 7.0.2 and 7.1. Workaround: None
2022-12-06	SOLNESS-33999	Classic Content Management page stuck at "Loading"
2022-11-17	SOLNESS-33744	The eventtype `website_watchlist` does not exist or is disabled due to empty searches in the default eventtypes from DA-ESS-NetworkProtection. Workaround: As a workaround, one can disable the eventtypes locally and set a pseudo value for the search: (altrhough only disabling the eventtypes should be necessary) {noformat}DA-ESS-NetworkProtection/local/eventtypes.conf [website_watchlist] search = noop DA-ESS-NetworkProtection/local/tags.conf [eventtype=website_watchlist] watchlist = disabled web_watchlist = disabled{noformat}
2022-10-31	SOLNESS-33301	The collectrisk.py generates risk events that duplicate the origin event.
2022-10-03	SOLNESS-32865	Upgrade "All Investigations" list in Investigation bar uses React instead of the "swc bootstrap" dropdown.
2022-09-23	SOLNESS-32806, SOLNESS-32822	Visual differences seen in the UI while performing Splunk 9.0.2208.2 sanity testing.
2022-09-21	SOLNESS-32798	Special character handling issues for risk objects in Incident Review. Workaround: If a correlation search is handling special characters incorrectly, then the drill-down search within the notable under Adaptive Response Actions must be updated. Change the tokenized value that is wrapped in quotes by removing the quotes and adding the correct token filter, in this case '\|s'. For example, within the correlation search: "Risk Threshold Exceeded For Object Over 24 Hour Period", update the risk object within the Adaptive Response Action Drill-down search for the notable. Change the risk object in the SPL from Template:Risk object="$risk object$" to {{risk_object=$risk_object\|s$}}.
2022-09-14	SOLNESS-32647	Saved searches created in Content Management with private settings are not displayed on the Content Management page in Splunk Enterprise Security.
2022-09-14	SOLNESS-32650	Clicking on a risk factor in the Content Management always displays the first risk factor.
2022-09-14	SOLNESS-32646	Saved searches in Content Management can be enabled or disabled with a bulk update but not using the Actions column.
2022-08-11	SOLNESS-32131	Unable to edit lookup files in Splunk Enterprise Security using Content Management.
2022-06-24	SOLNESS-31447	Workflow actions for Incident Review open in a new window for an open search in the current window where the setting for type is "search in event_menu".
2022-03-01	SOLNESS-30155	Make Contributing Events Link always work in Risk Event Timeline
2022-01-31	SOLNESS-29825	Short IDs created before upgrading to ES 7.0 do not show up in Incident Review even though the Short ID is in the `notable_xref_lookup`. Workaround: When you upgrade Splunk Enterprise Security to versions 7.0.0 or higher, the short IDs for notables that were created prior to the upgrade are not displayed on the Incident Review page. However, you can recreate all the short IDs that were available prior to the upgrade.

Release Notes

Related Answers

Known issues for Splunk Enterprise Security

Comments