Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links might redirect incorrectly. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.1.0 was released on January 11, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues.


Date filed Issue number Description
2023-11-30 SOLNESS-40082 Timeline options for Investigations do not display correctly in Splunk Enterprise Security version 7.0.2 and higher.
2023-08-15 SOLNESS-36949, SOLNESS-47319 The handler for managed lookups is slow.
2023-08-03 SOLNESS-36813 The threat_match_field value in threat match searches is updated to include the datamodel.
2023-08-02 SOLNESS-36789 Uploading and later deleting a threat intelligence management document does not remove the threat intelligence document from threat artifacts.
2023-06-12 SOLNESS-36169 The Incident Review page loads the entire asset and identity tables into memory.

Workaround:
Disable the Assets and Identities framework and clear the asset_lookup_by_str and identity_lookup_expanded lookups. Note that while the framework is disabled, notable events are no longer enriched with asset and identity information.
2023-05-24 SOLNESS-35988 The macro endpoint links from the General settings in Splunk Enterprise Security result in a broken URL.
2023-04-17 SOLNESS-35512, SOLNESS-35031 Support for Home Dashboards in ES 7.1.0 and above
2023-04-03 SOLNESS-35335 On the Content Management page, selecting multiple saved searches and then selecting Enable or Disable causes the entire page to freeze.
2023-03-28 SOLNESS-35291 The Threat Intelligence Framework does not pass the weights of Indicators of Compromise (IOCs).
2023-03-07 SOLNESS-35073 Regression of SOLNESS-28926: editing risk factors as a custom user with the edit_risk_factors permission shows an error.

Workaround:
Edit $SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/metadata/local.meta and add write permission for the custom user's role under the risk_factors and datamodels/Risk stanzas. The access lists in .meta files name roles, not individual users; my_user below is a placeholder for the name of the role that holds the edit_risk_factors permission:

    [risk_factors]
    access = read : [ * ], write : [ admin, my_user ]

    [datamodels/Risk]
    access = read : [ * ], write : [ admin, my_user ]

Restart Splunk, or reload the app, after saving the file so that the new permissions take effect.

2023-03-06 SOLNESS-35064 A search cannot be added to a Splunk Enterprise Security analytic story.
2023-02-27 SOLNESS-35022 The Dashboard frameworks page does not account for write permissions being turned off, and does not load correctly in that case.

Workaround:
Grant write permission on the affected app (SplunkEnterpriseSecuritySuite) to any role so that the API response includes "write".
2023-02-15 SOLNESS-34928 Users cannot create tokens if "admin" is hard-coded in splunkd when the token is created.
2023-02-14 SOLNESS-34918 The search "Threat - Correlation Searches - Lookup Gen" requests all fields from the /saved/searches endpoint.
2023-02-08 SOLNESS-34842 The "Learn more" help link on the UDF modal is broken.

Workaround:
Create a support ticket; Splunk Support (TO) can remove the copies of the Simple XML definitions from the app's local folder as per these instructions [1].
2023-02-07 SOLNESS-34771 Visibility issues in the "Enable behavioral analytics service" panel in the light or enterprise theme.
2023-02-07 SOLNESS-34766 Users with the role sc_admin are unable to edit UDF dashboards.

Workaround:
To let non-admin users (such as sc_admin) edit UDF dashboards in Enterprise Security, do the following:
  1. On the Splunk Enterprise menu bar, select *Settings > Knowledge > User Interface*.
  2. Click *Views*.
  3. Search for the dashboard you want to edit, for example *ess_security_posture*.
  4. Click *Permissions* for the view.
  5. Under *Write*, select *sc_admin*.
  6. Click *Save*.
  7. Load the dashboard page and edit the definition.
2023-01-11 SOLNESS-34429 Initial values for the Urgency field in Incident Review show as 'unknown' until the table is re-rendered.

Workaround:
Hover over the affected rows, or click any checkbox in the table, to re-render the entire table; this refreshes it and shows the values correctly.
2023-01-10 SOLNESS-34381, SOLNESS-34324 The Risk Events Timeline might not display contributing risk events for risk notables when changes are made to CIM entity zones or to the Assets and Identities framework.

Workaround:
Take the risk_object field (or each value of the multivalue all_risk_objects field) from the risk notable event and run a search against the Risk data model to view the risk events that would have populated the risk notable.
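The following search is an added example of that workaround; it is not part of the original page or of the Splunk Enterprise Security content. It pulls the contributing risk events for a risk notable out of the Risk data model and summarizes them per originating correlation search. The risk object values "jdoe" and "10.0.0.5" and the seven-day window are placeholders: substitute the risk_object value from your notable, or the full list of values from all_risk_objects, and a time range that covers the notable's creation.

```spl
| tstats summariesonly=true
    count
    sum(All_Risk.calculated_risk_score) as total_risk_score
    values(All_Risk.risk_message) as risk_message
    min(_time) as first_seen
    max(_time) as last_seen
  from datamodel=Risk.All_Risk
  where earliest=-7d latest=now
    All_Risk.risk_object IN ("jdoe", "10.0.0.5")
  by source, All_Risk.risk_object, All_Risk.risk_object_type
| rename All_Risk.* as *
| convert ctime(first_seen) ctime(last_seen)
| sort - total_risk_score
```

The total_risk_score column summed over all rows for one risk object should match the risk score shown on the notable; a mismatch usually means the accelerated summary is behind. summariesonly=true returns only accelerated data, so set it to false (or search the risk index directly with `index=risk risk_object IN (...)`) if the acceleration has not caught up with recent events or the entity zone change caused risk_object values to be rewritten.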
2023-01-09 SOLNESS-34365 Enabling the selection for saved searches breaks the Content Management page.
2023-01-09 SOLNESS-34351 The LinkGraph (Threat Topology) visualization cannot render special characters.

Workaround:
Special characters are replaced with an underscore character so that the Threat Topology visualization can render.
2022-09-14 SOLNESS-32647 Saved searches created on the Content Management page with private permissions are not displayed.
2022-03-01 SOLNESS-30155 The Contributing Events link in the Risk Event Timeline does not always work.
2022-02-07 SOLNESS-34215 The Recent risk modifiers drilldown shows no results after five minutes.
Last modified on 12 October, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0

