Splunk® Enterprise Security

Release Notes


Known Issues for Splunk Enterprise Security

The following are issues and workarounds for this version of Splunk Enterprise Security.

Date filed   Issue number   Description

2020-03-23   SOLNESS-22110   Threat Intelligence: MaxMind ASN database can no longer be consumed

2020-02-28   SOLNESS-21907, SOLNESS-21911   Threat Intelligence Manager: Incomplete or orphaned stanzas cause the manager to exit

2020-02-24   SOLNESS-21847   Threat Intelligence Framework: When the download type is anything other than TAXII, the file extension is changed

2020-02-24   SOLNESS-21848   Threat Intelligence Framework: Files left in pickup directories when the sinkhole option is not in use cause large search head cluster (SHC) snapshots

2020-02-23   SOLNESS-21845   Entities merge on previous foreign keys

2020-02-20   SOLNESS-21817, SOLNESS-21910   When you add more than 30 statuses in Notable Status Configuration and then try to change earlier ones, you get the error message "Notable status of label <number> does not exist."

    Workaround:
    Manually clean up reviewstatuses.conf so that no more than 30 statuses remain, in these files:
    ./etc/apps/SA-ThreatIntelligence/local/reviewstatuses.conf
    ./etc/apps/SplunkEnterpriseSecuritySuite/local/reviewstatuses.conf

2020-02-13   SOLNESS-21783   Incident Review does not load when read permissions on the pertinent lookups are limited to select roles

2020-01-30   SOLNESS-21581   Entity merge does not parse multivalue (MV) fields in KV Store sources

2020-01-24   SOLNESS-21476   Notable Event Framework: Invalid severity values break the urgency calculation

2020-01-16   SOLNESS-21220, SOLNESS-21618   Identity Management: Preview search request is issued via the query string (affects IE)

2019-12-13   SOLNESS-21001   Identity Management: Inferred/implicit "identity" key values can cause unintended identity record merges

    Workaround:
    In ES 6.0, Asset and Identity records that have overlapping secondary keys (the "asset" and "identity" fields, respectively) are merged. When this is combined with inferred/implicit key values based on email, email_short, and/or convention-based mapping, unintended records can be merged.

    If you are *not* interested in the inferred/implicit identity values (email, email_short), disable them on an input-by-input basis: use the "Asset and Identity Management" UI to uncheck or remove conventions as needed for each input.
    If you are interested in the inferred/implicit identity values, consider relocating the items that overlap into their own identity_manager input so that conventions can be disabled only for that specific input.

2019-12-10   SOLNESS-20951, SOLNESS-20994   Post-install fails when upgrading because of an error enabling modular inputs

    Workaround:
    Enabling modular inputs during post-install can fail if the role performing the install is missing capabilities.

    Verify that the role used to install (for example, role_admin) inherits the additional roles shipped with ES (ess_admin, ess_analyst, ess_user), and then re-run setup.

2018-10-03   SOLNESS-16682, SPL-170703   Internal Error: Missing a search command before *
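As an added example (not Splunk's own code and not part of this page), the following Python script counts the status stanzas across the two reviewstatuses.conf files named in the SOLNESS-21817 workaround and reports how many must be removed to stay at 30. It assumes each status is one stanza named by its status id carrying a label key; the sample input is constructed inline, and check_files is a hypothetical helper for running it against a real $SPLUNK_HOME.

```python
import configparser
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Above this many statuses Incident Review fails with
# "Notable status of label <number> does not exist." (SOLNESS-21817).
STATUS_LIMIT = 30

# Layered files named in the workaround, relative to $SPLUNK_HOME.
LAYERS = (
    "etc/apps/SA-ThreatIntelligence/local/reviewstatuses.conf",
    "etc/apps/SplunkEnterpriseSecuritySuite/local/reviewstatuses.conf",
)


def parse_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Assumption (not stated on the page): every status is one stanza whose
    name is the status id and which carries a 'label' key.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(conf_text)
    return {s: dict(parser.items(s)) for s in parser.sections()}


def merge_layers(conf_texts: Iterable[str]) -> Dict[str, Dict[str, str]]:
    """Union stanzas across the layered files; later layers win per key."""
    merged: Dict[str, Dict[str, str]] = {}
    for text in conf_texts:
        for stanza, keys in parse_stanzas(text).items():
            merged.setdefault(stanza, {}).update(keys)
    return merged


def check_status_count(conf_texts: Iterable[str],
                       limit: int = STATUS_LIMIT) -> Tuple[int, int]:
    """Return (distinct statuses, how many must be removed to reach limit)."""
    total = len(merge_layers(conf_texts))
    return total, max(0, total - limit)


def check_files(splunk_home: str) -> Tuple[int, int]:
    """Hypothetical helper: run the check on the real files, skipping missing ones."""
    paths = (Path(splunk_home) / layer for layer in LAYERS)
    return check_status_count([p.read_text() for p in paths if p.is_file()])


# Constructed sample: 28 statuses in SA-ThreatIntelligence, 4 more plus one
# relabelled status in the Suite app; 32 distinct ids, so 2 over the limit.
SAMPLE_SA = "".join(f"[{i}]\nlabel = Status {i}\n" for i in range(28))
SAMPLE_SUITE = "[3]\nlabel = Renamed 3\n" + "".join(
    f"[{i}]\nlabel = Status {i}\n" for i in range(28, 32))

if __name__ == "__main__":
    total, excess = check_status_count([SAMPLE_SA, SAMPLE_SUITE])
    print(f"{total} statuses configured; remove at least {excess}")
```

The script only reports; the clean-up of reviewstatuses.conf itself stays a manual edit, as the workaround says.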
Last modified on 26 March, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0

