Known Issues
| Date filed | Issue number | Description |
|---|---|---|
| 2024-10-31 | SOLNESS-47689 | Leading space added to a detection field with multiline (line breaks) text input when versioning is turned on for the first time |
| 2024-10-30 | SOLNESS-47686 | Square brackets fail on CMS Parsing Workaround: Workaround is simply recreate the detection that was affected. For example if the user created a detection named {{[Test] Name}} it won't be properly versioned. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page. In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there. |
| 2024-10-24 | SOLNESS-47626 | Global Banners obscure the 'save' button for EBD/FBD |
| 2024-10-24 | SOLNESS-47625 | Detection Versioning - cant save a duplicate version |
| 2024-10-22 | SOLNESS-47542 | Unversioned Detections created during Versioning Initialization Workaround: Workaround is simply recreate the detection that was affected. For example if the user created a detection during versioning initialization (while the Template:Cms parser modinput was running) it won't be properly versioned, and the actions like Enabling, Saving or Cloning won't work. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page. In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there. |
| 2024-10-22 | SOLNESS-47584 | the link text in the aq to content management for 24hr risk detection is incorrect |
| 2024-10-15 | SOLNESS-47413 | Status sort doesn't work |
| 2024-10-15 | SOLNESS-47420 | Detections Editor lets me leave the page while I have unsaved changes |
| 2024-10-15 | SOLNESS-47418 | Detections Editor should disable Save button if no changes have been made |
| 2024-10-15 | SOLNESS-47419 | Detections Editor - switching between versions shows a blank page with full screen loading spinner |
| 2024-10-15 | SOLNESS-47421 | Detections Editor - Switching on/off and saving have inconsistent success behaviors |
| 2024-10-15 | SOLNESS-47424 | EBD - detections create multiple findings when there are multiple risk objects |
| 2024-10-14 | SOLNESS-47349 | Bookmarks to few Analytic stories on Use Case Library dashboard are removed post upgrade |
| 2024-10-11 | SOLNESS-47267, BLUERIDGE-12937 | Spunk ES Post install configuration page has references to correlation search, Notable, Risk |
| 2024-10-07 | SOLNESS-47198 | Severity incorrectly mapped as Unknown instead of High in AQ for Detection upgraded with only finding ARA configured |
| 2024-10-06 | SOLNESS-47185 | ess_analyst user not able to edit EBD after upgrade |
| 2024-10-03 | SOLNESS-47166 | "risk_message" is being populated populated with "saved search description" on a BA search |
| 2024-10-01 | SOLNESS-47124, SOLNESS-47415, BLUERIDGE-12923 | Error message appears when severity is selected as Unknown from the available dropdown options |
| 2024-09-25 | SOLNESS-47095 | Custom EBD upgraded with both notable and risk ARA post upgrade when scheduled generates multiple notables for each risk modifier |
| 2024-09-13 | SOLNESS-46937, SOLNESS-44356 | old terminology on detection editor |
| 2024-09-09 | SOLNESS-46872 | Detection link of AQ side panel redirect to EBD editor |
| 2024-09-09 | SOLNESS-46876 | Duplicate UBA threats in ES |
| 2024-08-29 | SOLNESS-46712 | Modifying SPL through conf files/configuration settings does not load the FBD as custom |
| 2024-05-21 | SOLNESS-44228, BLUERIDGE-9615 | Detection search name to notify analysts of untriaged findings might or might not exist |
| Date filed | Issue number | Description |
|---|---|---|
| 2024-10-31 | BLUERIDGE-13304 | ID appears to change when loading the Response Plan on a duplicate Investigation |
| 2024-10-25 | BLUERIDGE-13219 | ES Stacks previously connected to brsoar stacks may need to run `create_soar_jwk_key_pair` manually for ES-SOAR connectivity to work properly. |
| 2024-10-23 | BLUERIDGE-13191, BLUERIDGE-13185 | Add a check to see if mc_investigations is ready for convert_pre_es_convergence_incidents_mod_input |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-22 | BLUERIDGE-13380 | the link text in the aq to content management for 24hr risk detection is incorrect |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-15 | BLUERIDGE-12950 | Pagination is sometimes not visible on the Analyst Queue due to findings on other pages being selected Workaround: Click the checkbox on Analyst Queue twice in order to unselect the findings |
| 2024-10-15 | BLUERIDGE-12972 | Users should not be able to add an intermediate finding to an investigation using the three-dot menu |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12593 | Saving a note before image upload completes breaks the image preview and does not successfully upload the image |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be reverted Workaround: Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-08-08 | BLUERIDGE-11658 | Analyst Queue doesn't always recover from a search error and instead shows a spinner (implying the search is still running) Workaround: Reload the Analyst Queue to restart the search |
| 2024-08-05 | BLUERIDGE-11468, SOLNESS-40830, BLUERIDGE-13359 | The "Top Notable Events" panel on the Security Posture dashboard doesn't properly link to the Analyst Queue (the filter for "rule name" is not properly applied) Workaround: Re-run the search on the Analyst Queue |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| 2024-05-08 | BLUERIDGE-9246 | Notes required toggle in AQ settings is not enforced |
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).
Last modified on 05 November, 2024
| Fixed Issues | Limitations |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Download manual
Feedback submitted, thanks!