Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.3.0 was released on December 19, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.
This release includes the following known issues:
Date filed | Issue number | Description |
---|---|---|
2024-11-05 | SOLNESS-47715 | Threat match configuration that uses Endpoint datasets do not show default metakey _time sourcetype source host Workaround: It Is not advised to edit the default datamodel (unless you have already done it), for this specific is better to await for changes to be officially onboarded on the future splunk SA_CIM datamodel structure. If you modify the Datamodel, any future changes "Default made" set by splunk official app may not be applied (local changes of the datamodel will take precedence upon any future default changes made by splunk to that datamodel pushed though an update) . Instead if you have already modified this datamodel and it misses these fields please apply these changes:
_time=* sourcetype=* host=* source=* (could be necessary to add index="NAME OF THE INDEXES" unless specified within the linked macro
|
2024-10-11 | SOLNESS-47293, SOLNESS-44220, SOLNESS-48006 | D for 7.3.3 Fix - Correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" were impacted since modifications to threat match searches updated a field. |
2024-07-24 | SOLNESS-45992, SOLNESS-48049 | Threat intelligence feed facing download issues with POST configuration errors Workaround: N/A |
2024-05-22 | SOLNESS-44220, SOLNESS-47293 | Correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" were impacted since modifications to threat match searches updated a field. |
2024-05-16 | SOLNESS-44061, SOLNESS-47289 | Threat Intelligence Workaround: Not applicable |
2024-05-07 | SOLNESS-43726 | Investigate performance regression in the main search on the Incident Review page. Workaround: For customers in ES 7.2 to ES 7.3.1 who are facing slowness in IR page, the fix that Bhanu introduced in ES 7.3.2 will help improve the IR page load times. ES 7.3.2 GA is scheduled for June 5. Until ES 7.3.2 is released the workaround for this is to remove the reference to Template:Get drilldown searches macro in the Template:Get correlations macro the customer's Template:.../apps/SA-ThreatIntelligence/default/macros.conf file. However, this will also cause notables to no longer show drilldowns in the IR page. |
2024-04-29 | SOLNESS-43530 | Collaborators disappears after refreshing the Investigations Tab. Workaround: N/A |
2024-04-23 | SOLNESS-43404, SOLNESS-46942, SOLNESS-47332 | 3460846 - New lines and special characters no longer appearing correctly in notable event Next Steps |
2024-04-19 | SOLNESS-43346, SOLNESS-47298, BLUERIDGE-12191 | IR Timeline is not editing selected filters even though shows that only those will be edited Workaround: Manual and slow steps: Changes could be achieved by manually increasing the number of results in the IR dashboard to 100.
Then using the checkbox at the top left, select all the viewable notables in the page.
Edit the "selected Events" and update these 100s in bulk. |
2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident review dashboard displays the message: "You do not have permissions to edit notable events". Workaround: No workaround. |
2024-04-11 | SOLNESS-43160 | 3448390 - RBA risk score dispensaries |
2024-04-05 | SOLNESS-43069, SOLNESS-47313 | Incident Review page breaks after Splunk Core upgrade to Python 3.9 module 'time' has no attribute |
2024-03-19 | SOLNESS-42315 | Threat Intelligence Management Parsing - mitre parser |
2024-03-13 | SOLNESS-42110 | "Something went wrong" error in Risk Analysis Dashboard Workaround: Not Applicable |
2024-02-28 | SOLNESS-41634, SOLNESS-47315 | IR not applying notable_xref filter from generated URL on ES 7.3 |
2024-02-06 | SOLNESS-40942 | IR page stuck in Updating after user with ess_analyst role updates notables. |
2024-02-01 | SOLNESS-40916, SOLNESS-47330 | "View related investigations" link requires excess permissions Workaround: Add additional role read permissions to the Investigation Collection in local.meta configuration file: [collections/investigation]
access = read: [ admin, test_role] , write: [admin] |
2024-01-23 | SOLNESS-40719 | Time range settings are not saved successfully on the Incident Review page, irrespective of whether the time range is valid or not. |
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. Workaround: No workaround |
2023-12-05 | SOLNESS-40127, SOLNESS-40436 | Identity Manager with values in the "blacklist" or "blacklist_fields" fields are ignored. Workaround: Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list. |
2023-11-30 | SOLNESS-40082 | Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher. |
2023-11-29 | SOLNESS-40066 | The dialog for suppressing notable events does not open after the first suppression is added on the Incident Review page. Workaround: Refresh the Incident Review page so that you can add more suppression rules for notables. |
2023-10-02 | SOLNESS-38795 | Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.Workaround: Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro: {noformat}[get_drilldown_searches] definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj{noformat} Recommended resolution |
2023-08-30 | SOLNESS-37237 | Cloned dashboards in Splunk Enterprise Security version 7.1.1 returns a 404 error. |
2023-08-16 | SOLNESS-36952, SOLNESS-47316 | Risk Analysis 'Source' drop-down list results truncated Workaround: Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name. |
2023-08-08 | SOLNESS-36864 | Timeline on Incident Review page: Cannot zoom in by double clicking |
2023-07-27 | SOLNESS-36731 | Timeline on Incident Review page: Cannot activate or deactivate timeline buttons |
2023-07-25 | SOLNESS-36660 | Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute |
2023-07-20 | SOLNESS-36590 | The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0. |
2023-07-18 | SOLNESS-36563 | Timeline on Incident Review page: cannot select a bar that was previously deselected Workaround: Select, then deselect, a different bar. Then select the bar that you originally wanted to select. |
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |
Fixed issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0
Feedback submitted, thanks!