Known issues for Splunk Enterprise Security
Splunk Enterprise Security 7.3.2 was released on June 11, 2024. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.
This release includes the following known issues. If this table is blank, there are no known issues for this release.
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-04 | SOLNESS-49540 | log_review.conf uses the older risk_object field but should use normalized_risk_object |
| 2024-12-03 | SOLNESS-48316, SOLNESS-48522 | Max_size Error for Threat Input Source : Feed Discarded Despite Adjusted Settings Workaround: N/A.. |
| 2024-12-02 | SOLNESS-48285, SOLNESS-47969 | Threat - Threat List Activity - Rule Search is missing Risk Message |
| 2024-11-14 | SOLNESS-47961 | In ES 7.3.x on Incident Review dashboard, while adding tags the field value associated with each value in the table is showing as undefined |
| 2024-11-14 | SOLNESS-47955 | STIX2 feed download issue with ParserException errors |
| 2024-11-12 | SOLNESS-47900, SOLNESS-36603 | Data Model definition for Identity_Management leads to a bug where DMA summary can't be rebuild |
| 2024-10-17 | SOLNESS-47461 | ES Investigations Loading Slowly Workaround: none. |
| 2024-10-11 | SOLNESS-47303 | D for 7.3.3 Fix - D for 7.3.3 Fix - ES drilldown could not handle the time value in milliseconds. Workaround: Once the drill-down is executed the time token passed to the search (URI) is in milliseconds and the search could not handle that and throws the error. Converting to seconds (from the URL) the search executes as expected. Example: auto_pause=120&earliest=1720479465000&latest=1720490265000 This was the tail end of the generated URL from the drill-down search. I modified the above as earliest=1720479465&latest=1720490265 ( Removed the 000 from the end of earliest and latest time. (Remove last 2 zeroes from earliest and latest variable) |
| 2024-10-11 | SOLNESS-47312 | D for 7.3.3 Fix - D for 7.3.3 Fix - Error message "something went wrong" occurs instead of the drill-down search when expanding the notable event in the Incident Review dashboard. Workaround: # Open the following file: Template:Vim /opt/splunk/etc/apps/SA-ThreatIntelligence/local/savedsearches.conf
{{curl -k -u admin:password https://{hostname}:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/searches/_reload?output_mode=json}} |
| 2024-10-01 | SOLNESS-47124, SOLNESS-47415, BLUERIDGE-12923 | Error message appears when severity is selected as Unknown from the available dropdown options |
| 2024-09-01 | SOLNESS-46727 | Capability tag_notable_events(associated with ES component "Tag Notable Events") is not added to any roles on ES search head |
| 2024-08-28 | SOLNESS-46669 | Threat Intel data retention issues |
| 2024-07-08 | SOLNESS-45632, SOLNESS-47290 | ES drilldown could not handle the time value in milliseconds. Workaround: Once the drill-down is executed the time token passed to the search (URI) is in milliseconds and the search could not handle that and throws the error. Converting to seconds (from the URL) the search executes as expected. Example: auto_pause=120&earliest=1720479465000&latest=1720490265000 This was the tail end of the generated URL from the drill-down search. I modified the above as earliest=1720479465&latest=1720490265 ( Removed the 000 from the end of earliest and latest time. (Remove last 2 zeroes from earliest and latest variable) |
| 2024-07-01 | SOLNESS-45369, SOLNESS-47317 | Error: Add a disposition other than "Undetermined" to update/close the notable event |
| 2024-06-05 | SOLNESS-44563, SOLNESS-47320 | Displays "Action Forbidden" errors in the Security Posture dashboard for SAML authenticated users. |
| 2024-05-29 | SOLNESS-44356, SOLNESS-47325, SOLNESS-46866, SOLNESS-46937 | Invalid IP's getting merged into A&I lookups |
| 2024-04-19 | SOLNESS-43346, BLUERIDGE-12191, SOLNESS-47298 | IR Timeline is not editing selected filters even though shows that only those will be edited Workaround: Manual and slow steps: Changes could be achieved by manually increasing the number of results in the IR dashboard to 100.
Then using the checkbox at the top left, select all the viewable notables in the page.
Edit the "selected Events" and update these 100s in bulk. |
| 2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident review dashboard displays the message: "You do not have permissions to edit notable events". Workaround: No workaround. |
| 2024-02-06 | SOLNESS-40942 | IR page stuck in Updating after user with ess_analyst role updates notables. |
| 2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. Workaround: No workaround |
| 2023-08-08 | SOLNESS-36864 | Timeline on Incident Review page: Cannot zoom in by double clicking |
| 2023-07-27 | SOLNESS-36731 | Timeline on Incident Review page: Cannot activate or deactivate timeline buttons |
| 2023-07-25 | SOLNESS-36660 | Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute |
| 2023-07-18 | SOLNESS-36563 | Timeline on Incident Review page: cannot select a bar that was previously deselected Workaround: Select, then deselect, a different bar. Then select the bar that you originally wanted to select. |
| 2023-04-12 | SOLNESS-35433, SOLNESS-47334 | Events viewer component: Tags not displayed if there are more than 30 tags Workaround: To view relevant tags, if any, select each individual field value. |
| Fixed issues for Splunk Enterprise Security | How to find answers and get help with Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 7.3.2
Download manual
Feedback submitted, thanks!