Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.3.0 was released on December 19, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues:


Date filed Issue number Description
2024-11-05 SOLNESS-47715 Threat match configurations that use Endpoint datasets do not show the default metadata keys _time, sourcetype, source, and host.

Workaround:
Editing the default data model is not advised (unless you have already done so); for this specific issue it is better to wait for the changes to be officially onboarded into a future Splunk SA_CIM data model structure. If you modify the data model, future default changes shipped by the official Splunk app may not be applied, because local changes to the data model take precedence over any default changes Splunk pushes to that data model through an update. If you have already modified this data model and it is missing these fields, apply the following changes:
  1. Stop the data model acceleration (if enabled) for the data model that is missing these fields in its field list: _time=* sourcetype=* host=* source=*
  2. Add the missing fields to each dataset: _time=* sourcetype=* host=* source=* (it may be necessary to add index="NAME OF THE INDEXES" unless the index is specified within the linked macro).
  3. Edit the dataset extracted fields and select the checkbox for _time=* sourcetype=* host=* source=*
  4. Save the changes.
  5. Re-enable acceleration if it was enabled.
  6. Edit the affected threat matching datasets by adding these matching fields.
2024-10-11 SOLNESS-47293, SOLNESS-44220, SOLNESS-48006 Correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" were impacted because modifications to threat match searches updated a field.
2024-07-24 SOLNESS-45992, SOLNESS-48049 Threat intelligence feed download issues caused by POST configuration errors.

Workaround:
N/A
2024-05-22 SOLNESS-44220, SOLNESS-47293 Correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" were impacted because modifications to threat match searches updated a field.
2024-05-16 SOLNESS-44061, SOLNESS-47289 Threat Intelligence

Workaround:
Not applicable
2024-05-07 SOLNESS-43726 Investigate performance regression in the main search on the Incident Review page.

Workaround:
For customers on ES 7.2 through ES 7.3.1 who are experiencing slowness on the Incident Review (IR) page, the fix that Bhanu introduced in ES 7.3.2 improves IR page load times. ES 7.3.2 GA is scheduled for June 5.

Until ES 7.3.2 is released, the workaround is to remove the reference to the get_drilldown_searches macro from the get_correlations macro in the customer's .../apps/SA-ThreatIntelligence/default/macros.conf file. However, this also causes notables to no longer show drilldowns on the IR page.

2024-04-29 SOLNESS-43530 Collaborators disappear after refreshing the Investigations tab.

Workaround:
N/A
2024-04-23 SOLNESS-43404, SOLNESS-46942, SOLNESS-47332 3460846 - New lines and special characters no longer appearing correctly in notable event Next Steps
2024-04-19 SOLNESS-43346, SOLNESS-47298, BLUERIDGE-12191 The IR Timeline does not edit the selected filters, even though it shows that only those will be edited.

Workaround:
Manual and slow steps:

Changes can be made manually by increasing the number of results on the IR dashboard to 100, then using the checkbox at the top left to select all viewable notables on the page, then choosing Edit Selected Events to update those 100 notables in bulk.

2024-04-16 SOLNESS-43255 Hovering over "Add Selected to Investigation" on the Incident review dashboard displays the message: "You do not have permissions to edit notable events".

Workaround:
No workaround.
2024-04-11 SOLNESS-43160 3448390 - RBA risk score discrepancies
2024-04-05 SOLNESS-43069, SOLNESS-47313 Incident Review page breaks after a Splunk Core upgrade to Python 3.9: module 'time' has no attribute
2024-03-19 SOLNESS-42315 Threat Intelligence Management Parsing - mitre parser
2024-03-13 SOLNESS-42110 "Something went wrong" error in Risk Analysis Dashboard

Workaround:
Not Applicable
2024-02-28 SOLNESS-41634, SOLNESS-47315 IR not applying notable_xref filter from generated URL on ES 7.3
2024-02-06 SOLNESS-40942 IR page stuck in Updating after user with ess_analyst role updates notables.
2024-02-01 SOLNESS-40916, SOLNESS-47330 "View related investigations" link requires excess permissions

Workaround:
Add read permissions for the additional role to the Investigation collection in the local.meta configuration file:

[collections/investigation]
access = read : [ admin, test_role ], write : [ admin ]
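The stanza above grants read access to an explicit list of roles. As an added example, not Splunk's code and not part of this documentation, the following Python script parses a .meta-style file and reports which of a given set of roles lack read access to a stanza, so you can verify local.meta before and after applying the workaround. The file content is a constructed sample modelled on the stanza above; the ess_analyst role is assumed to be one of the roles you want checked, and the function and variable names are the example's own.

```python
"""Report which roles cannot read a stanza according to a Splunk .meta file.
Added example: not Splunk's own code. Sample file content is constructed."""
import re

# Constructed sample: the local.meta stanza from the workaround plus a second
# stanza whose read list is the wildcard "*" (readable by every role).
SAMPLE_META = """
[collections/investigation]
access = read : [ admin, test_role ], write : [ admin ]
export = system

[savedsearches/Threat%20Activity%20-%20Threats%20Impacting%20Multiple%20Systems]
access = read : [ * ], write : [ admin ]
"""

_STANZA_RE = re.compile(r"^\[(.+)\]\s*$")
_ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_meta(text):
    """Return {stanza_name: {key: value}} for a .meta-style file.
    Blank lines and '#' comments are skipped; keys outside a stanza are ignored."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def parse_access(value):
    """Turn 'read : [ a, b ], write : [ c ]' into {'read': [a, b], 'write': [c]}."""
    perms = {"read": [], "write": []}
    for kind, roles in _ACCESS_RE.findall(value):
        perms[kind] = [r.strip() for r in roles.split(",") if r.strip()]
    return perms


def roles_missing_read(text, stanza, required_roles):
    """Roles from required_roles that cannot read `stanza` per this file.
    A '*' entry in the read list grants everyone read, so nothing is missing then.
    A stanza with no access key is treated as granting no read access."""
    meta = parse_meta(text)
    readers = parse_access(meta.get(stanza, {}).get("access", ""))["read"]
    if "*" in readers:
        return []
    return [role for role in required_roles if role not in readers]


if __name__ == "__main__":
    # ess_analyst is an assumed extra role to check; it is absent from the sample.
    missing = roles_missing_read(SAMPLE_META, "collections/investigation",
                                 ["admin", "test_role", "ess_analyst"])
    print("roles without read on collections/investigation:", missing)
```

Run it against a real local.meta by reading the file into `roles_missing_read` instead of `SAMPLE_META`; an empty result for the roles that need the "View related investigations" link means the workaround is in place.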

2024-01-23 SOLNESS-40719 Time range settings are not saved successfully on the Incident Review page, irrespective of whether the time range is valid or not.
2024-01-12 SOLNESS-40632 Discrepancy in the notable events timeline visualization.

Workaround:
No workaround
2023-12-05 SOLNESS-40127, SOLNESS-40436 Identity Manager values in the "blacklist" or "blacklist_fields" fields are ignored.

Workaround:
Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list.
2023-11-30 SOLNESS-40082 Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher.
2023-11-29 SOLNESS-40066 The dialog for suppressing notable events does not open after the first suppression is added on the Incident Review page.

Workaround:
Refresh the Incident Review page so that you can add more suppression rules for notables.
2023-10-02 SOLNESS-38795 Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.

Workaround:
Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro:

[get_drilldown_searches]
definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj


2023-08-30 SOLNESS-37237 Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error.
2023-08-16 SOLNESS-36952, SOLNESS-47316 Risk Analysis 'Source' drop-down list results truncated

Workaround:
Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name.
2023-08-08 SOLNESS-36864 Timeline on Incident Review page: Cannot zoom in by double clicking
2023-07-27 SOLNESS-36731 Timeline on Incident Review page: Cannot activate or deactivate timeline buttons
2023-07-25 SOLNESS-36660 Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute
2023-07-20 SOLNESS-36590 The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0.
2023-07-18 SOLNESS-36563 Timeline on Incident Review page: cannot select a bar that was previously deselected

Workaround:
Select, then deselect, a different bar. Then select the bar that you originally wanted to select.
2022-09-14 SOLNESS-32647 Saved searches created in the Content Management page with private settings are not displayed.
Last modified on 27 November, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.0

