Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links may return redirect errors. For documentation on version 8.0, see the Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.3.1 was released on March 27, 2024. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.

This release includes the following known issues.


Date filed Issue number Description
2024-09-19 SOLNESS-47028 Ingesting intelligence file does not extract expected lines through regex rule

Workaround:
Because of a bug in the GUI, the delim_regex setting takes precedence over extract_regex within the stanza defined for any threat intel source.

The workaround is to manually set delim_regex to the same value as extract_regex in that stanza. A debug/refresh should be sufficient, or a search head restart may be necessary after the change.

If you are using a search head cluster, push the change from the deployer. These settings are saved in inputs.conf at .\etc\apps\SA-ThreatIntelligence\local\inputs.conf

splunk@so1:/opt/splunk/etc/apps/SA-ThreatIntelligence/local$ grep emmanuetest -A 25 inputs.conf

[threatlist://emmanuetest]
extract_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})
delim_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})
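To see what the regex quoted in this workaround actually selects, and to spot stanzas where delim_regex still differs from extract_regex, here is an added example in Python. It is not Splunk code and not part of these release notes: it applies the page's extract_regex to a constructed feed sample, and it parses a constructed inputs.conf fragment (one stanza copied from above, one made up with the name constructed_feed) with a minimal stanza reader that only handles the key = value lines shown here.

```python
import re

# extract_regex value from the SOLNESS-47028 workaround above, copied verbatim.
# Alternative 1 (group 1) captures a dotted-quad IP, alternative 2 (group 2)
# a domain name; both require the "||" prefix used by adblock-style lists.
EXTRACT_REGEX = r"^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})"

# Constructed sample feed (not from the page): two indicators that should match,
# plus a comment line and a bare host line that the regex should skip.
SAMPLE_FEED = """\
! constructed sample feed
||198.51.100.7
||malicious.example
||*.bad-cdn.example
bare-host.example
"""

# Constructed inputs.conf fragment: the emmanuetest stanza from the page (already
# equal) and a hypothetical stanza whose delim_regex still differs.
SAMPLE_CONF = r"""
[threatlist://emmanuetest]
extract_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})
delim_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})

[threatlist://constructed_feed]
extract_regex = ^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,})
delim_regex = ,
"""


def extract_indicators(text, pattern=EXTRACT_REGEX):
    """Return (kind, value) tuples for each feed line the pattern matches.

    kind is "ip" when group 1 matched and "domain" when group 2 matched,
    mirroring the two alternatives of the regex. Non-matching lines are
    skipped, so only lines shaped like the pattern become intel records.
    """
    regex = re.compile(pattern)
    found = []
    for line in text.splitlines():
        m = regex.match(line)
        if not m:
            continue
        ip, domain = m.group(1), m.group(2)
        found.append(("ip", ip) if ip is not None else ("domain", domain))
    return found


def parse_conf(text):
    """Minimal reader for [stanza] / key = value blocks (constructed helper).

    Good enough for the fragment above; it ignores blank and '#' lines and
    splits each setting on the first '=' so regex values keep their content.
    """
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def stanzas_needing_workaround(conf_text):
    """List threatlist stanzas where delim_regex is not equal to extract_regex.

    Those are the stanzas the workaround says to fix by copying extract_regex
    into delim_regex.
    """
    hits = []
    for name, settings in parse_conf(conf_text).items():
        if not name.startswith("threatlist://"):
            continue
        if settings.get("delim_regex") != settings.get("extract_regex"):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for kind, value in extract_indicators(SAMPLE_FEED):
        print(kind, value)
    print("stanzas to fix:", stanzas_needing_workaround(SAMPLE_CONF))
```

Running the block prints the three indicators the regex accepts (the comment and the bare host are dropped) and names threatlist://constructed_feed as the only stanza where the two settings differ.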

2024-08-08 SOLNESS-46276, SOLNESS-47314 Create Notables page only displays error: Cannot read properties of undefined (reading 'value')
2024-06-05 SOLNESS-44563, SOLNESS-47320 Displays "Action Forbidden" errors in the Security Posture dashboard for SAML authenticated users.
2024-05-08 SOLNESS-43753 Fix Clone dashboard bug for sharing cloned dashboard by role sc_admin on CO2
2024-04-25 SOLNESS-43458, SOLNESS-47295 Notable Event Suppression Descriptions not saving after entering illegal characters in title name
2024-04-19 SOLNESS-43346, SOLNESS-47298, BLUERIDGE-12191 IR Timeline is not editing the selected filters, even though it shows that only those will be edited

Workaround:
Manual (and slow) steps:

Changes can be made by manually increasing the number of results on the IR dashboard to 100. Then, using the checkbox at the top left, select all the notables visible on the page. Use "Edit selected events" to update those 100 in bulk.

2024-04-16 SOLNESS-43255 Hovering over "Add Selected to Investigation" on the Incident Review dashboard displays the message: "You do not have permissions to edit notable events".

Workaround:
No workaround.
2024-04-15 SOLNESS-43210 Notable adaptive response action - "Next Steps" - URL action does not redirect properly with multiple query parameters.

Workaround:
N/A
2024-04-05 SOLNESS-43069, SOLNESS-47313 Incident Review page breaks after Splunk Core upgrade to Python 3.9: module 'time' has no attribute
2024-02-06 SOLNESS-40942 IR page stuck in Updating after user with ess_analyst role updates notables.
2024-01-12 SOLNESS-40632 Discrepancy in the notable events timeline visualization.

Workaround:
No workaround
2023-08-16 SOLNESS-36952, SOLNESS-47316 Risk Analysis 'Source' drop-down list results truncated

Workaround:
Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name.
2023-08-08 SOLNESS-36864 Timeline on Incident Review page: Cannot zoom in by double clicking
2023-07-27 SOLNESS-36731 Timeline on Incident Review page: Cannot activate or deactivate timeline buttons
2023-07-25 SOLNESS-36660 Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute
2023-07-18 SOLNESS-36563 Timeline on Incident Review page: cannot select a bar that was previously deselected

Workaround:
Select, then deselect, a different bar. Then select the bar that you originally wanted to select.
2023-04-12 SOLNESS-35433, SOLNESS-47334 Events viewer component: Tags not displayed if there are more than 30 tags

Workaround:
To view relevant tags, if any, select each individual field value.
Last modified on 11 December, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.1

