Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known Issues

Date filed Issue number Description
2024-11-05 SOLNESS-47715 Threat match configuration that uses Endpoint datasets do not show default metakey _time sourcetype source host

Workaround:
It Is not advised to edit the default datamodel (unless you have already done it), for this specific is better to await for changes to be officially onboarded on the future splunk SA_CIM datamodel structure. If you modify the Datamodel, any future changes "Default made" set by splunk official app may not be applied (local changes of the datamodel will take precedence upon any future default changes made by splunk to that datamodel pushed though an update) . Instead if you have already modified this datamodel and it misses these fields please apply these changes:
  1. Stop the Datamodel acceleration (if enabled) which has these field missing under the field list: _time=* sourcetype=* host=* source=*
  2. Add these missing fields into each dataset

_time=* sourcetype=* host=* source=* (could be necessary to add index="NAME OF THE INDEXES" unless specified within the linked macro

  1. Edit the dataset extracted fields and checkbox _time=* sourcetype=* host=* source=*
  2. save the changes
  3. enable acceleration if it was enabled
  4. edit affected threat matching datasets by adding these matching fields
2024-10-31 SOLNESS-47689 Leading space added to a detection field with multiline (line breaks) text input when versioning is turned on for the first time
2024-10-30 SOLNESS-47686 Square brackets fail on CMS Parsing

Workaround:
Workaround is simply recreate the detection that was affected. For example if the user created a detection named {{[Test] Name}} it won't be properly versioned. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page.

In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there.

2024-10-24 SOLNESS-47625 Detection Versioning - cant save a duplicate version
2024-10-22 SOLNESS-47561, BLUERIDGE-13686 After stack creation the disposition and finding/investigation status values are not populated on AQ page side panel for some time

Workaround:
This is known issue for ES 8.0.0 amd 8.0.1. To get around this, the customer can manually run the Template:Administrative reload modinput which hydrates their kvstore data.

{noformat}administrative_reload (modinput) -> adminstrative_redload.py -> packages/app-ess/apps/SA-ThreatIntelligence/package/bin/reviewstatuses_rest_handler.py handleReload function -> Read conf file and updates the kvstore record{noformat}

2024-10-22 SOLNESS-47542 Unversioned Detections created during Versioning Initialization

Workaround:
Workaround is simply recreate the detection that was affected. For example if the user created a detection during versioning initialization (while the Template:Cms parser modinput was running) it won't be properly versioned, and the actions like Enabling, Saving or Cloning won't work. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page.

In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there.

2024-10-15 SOLNESS-47413 Status sort doesn't work
2024-10-15 SOLNESS-47420 Detections Editor lets me leave the page while I have unsaved changes
2024-10-15 SOLNESS-47418 Detections Editor should disable Save button if no changes have been made
2024-10-15 SOLNESS-47419 Detections Editor - switching between versions shows a blank page with full screen loading spinner
2024-10-15 SOLNESS-47421 Detections Editor - Switching on/off and saving have inconsistent success behaviors
2024-10-15 SOLNESS-47424 EBD - detections create multiple findings when there are multiple risk objects
2024-10-14 SOLNESS-47349 Bookmarks to few Analytic stories on Use Case Library dashboard are removed post upgrade
2024-10-11 SOLNESS-47267, BLUERIDGE-12937 Spunk ES Post install configuration page has references to correlation search, Notable, Risk
2024-10-07 SOLNESS-47198 Severity incorrectly mapped as Unknown instead of High in AQ for Detection upgraded with only finding ARA configured
2024-10-06 SOLNESS-47185 ess_analyst user not able to edit EBD after upgrade
2024-10-03 SOLNESS-47166 "risk_message" is being populated populated with "saved search description" on a BA search
2024-10-01 SOLNESS-47124, SOLNESS-47415, BLUERIDGE-12923 Error message appears when severity is selected as Unknown from the available dropdown options
2024-09-25 SOLNESS-47095 Custom EBD upgraded with both notable and risk ARA post upgrade when scheduled generates multiple notables for each risk modifier
2024-09-19 SOLNESS-47028 Ingesting intelligence file does not extract expected lines thorugh regex rule

Workaround:
Because of a bug in the GUI the field Template:Delim regex= takes precedence within the stanza defined for any threat intel setting, upon the Template:Extract regex=.

The workaround is to manually force the the Template:Delim regex= to be as equal as the Template:Extract regex stanza. A debug/refresh should be sufficient OR SH restart may be necessary after the change.

If you are using SHC feel free to push changes from the deployer these settings are saved within inputs.conf inside .\etc\apps\SA-ThreatIntelligence\local\inputs.conf

splunk@so1:/opt/splunk/etc/apps/SA-ThreatIntelligence/local$ grep emmanuetest -A 25  inputs.conf 

{noformat}[threatlist://emmanuetest] extract_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,}) delim_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,}){noformat}

2024-09-13 SOLNESS-46937, SOLNESS-44356 old terminology on detection editor
2024-09-09 SOLNESS-46872 Detection link of AQ side panel redirect to EBD editor
2024-09-09 SOLNESS-46876 Duplicate UBA threats in ES
2024-08-29 SOLNESS-46712 Modifying SPL through conf files/configuration settings does not load the FBD as custom
2024-05-21 SOLNESS-44228, BLUERIDGE-9615 Detection search name to notify analysts of untriaged findings might or might not exist


Date filed Issue number Description
2024-11-18 BLUERIDGE-13527 Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panel

Workaround:
Close and re-open the side-panel or select another finding.
2024-11-18 BLUERIDGE-13526 Embedded workbench field action shows on the investigation details page without being requested

Workaround:
Close the embedded workbench dialog
2024-11-18 BLUERIDGE-13528 Multiple workflow field actions can be opened on the investigation details page

Workaround:
Click any whitespace to close the workflow action
2024-11-07 BLUERIDGE-13415 Analyst Queue; filtering on a title returns only Findings and not Investigations
2024-10-31 BLUERIDGE-13304 ID appears to change when loading the Response Plan on a duplicate Investigation
2024-10-25 BLUERIDGE-13219 ES Stacks previously connected to brsoar stacks may need to run `create_soar_jwk_key_pair` manually for ES-SOAR connectivity to work properly.
2024-10-23 BLUERIDGE-13191, BLUERIDGE-13185 Add a check to see if mc_investigations is ready for convert_pre_es_convergence_incidents_mod_input
2024-10-22 BLUERIDGE-13380, BLUERIDGE-13575 The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources

Workaround:
Remove `source` before sending to detection.

add `| fields - source` to end of search

2024-10-22 BLUERIDGE-13172 Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity
2024-10-18 BLUERIDGE-13101 Users can create a finding with an empty name for a custom field
2024-10-17 BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere
2024-10-16 BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes
2024-10-15 BLUERIDGE-12950 Pagination is sometimes not visible on the Analyst Queue due to findings on other pages being selected

Workaround:
Click the checkbox on Analyst Queue twice in order to unselect the findings
2024-10-15 BLUERIDGE-12966 Eventtypes based on the notable index will not match investigations since they aren't from the notable index
2024-10-15 BLUERIDGE-12972 Users should not be able to add an intermediate finding to an investigation using the three-dot menu
2024-10-14 BLUERIDGE-12939 Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added
2024-10-10 BLUERIDGE-12912, BLUERIDGE-13032 Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation
2024-10-09 BLUERIDGE-12864 Missing validation in UI while adding duplicate Finding fields in AQ settings page
2024-09-27 BLUERIDGE-12593 Saving a note before image upload completes breaks the image preview and does not successfully upload the image
2024-09-27 BLUERIDGE-12602, BLUERIDGE-11983 Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions
2024-09-13 BLUERIDGE-12347 Prompt modal shows reference ID and HRID combined instead of HRID for investigations
2024-09-10 BLUERIDGE-12231 The usernames in nested findings do not use the account real-names (unlike the search results)
2024-09-09 BLUERIDGE-12221 Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be reverted

Workaround:
Re-run the search on Analyst Queue to see the most recent changes
2024-09-09 BLUERIDGE-12190 Automation tab may appear for users who cannot run playbooks
2024-09-06 BLUERIDGE-12176 Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog
2024-09-03 BLUERIDGE-12100 Included findings table in AQ side panel is not sortable
2024-08-20 BLUERIDGE-11791, BLUERIDGE-11790 Missing input validation for file upload size
2024-08-08 BLUERIDGE-11658 Analyst Queue doesn't always recover from a search error and instead shows a spinner (implying the search is still running)

Workaround:
Reload the Analyst Queue to restart the search
2024-08-05 BLUERIDGE-11468, SOLNESS-40830, BLUERIDGE-13359 The "Top Notable Events" panel on the Security Posture dashboard doesn't properly link to the Analyst Queue (the filter for "rule name" is not properly applied)

Workaround:
Re-run the search on the Analyst Queue
2024-05-13 BLUERIDGE-9351 Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing
2024-05-08 BLUERIDGE-9246 Notes required toggle in AQ settings is not enforced


See also

For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).

Last modified on 17 December, 2024
Fixed Issues   Limitations

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters