Splunk® Enterprise Security

Release Notes

Known issues

Date filed Issue number Description
2024-11-05 SOLNESS-47715 Threat match configurations that use Endpoint datasets do not show the default fields _time, sourcetype, source, and host

Workaround:
Editing the default data model is not advised unless you have already done so; for this specific issue it is better to wait for the changes to be officially onboarded into a future Splunk SA_CIM data model structure. If you modify the data model, future default changes shipped by the official Splunk app may not be applied, because local changes to a data model take precedence over any future default changes that Splunk pushes to that data model through an update. If you have already modified this data model and it is missing these fields, apply the following changes:
  1. Stop the data model acceleration (if enabled) for the data model whose field list is missing these fields: _time=* sourcetype=* host=* source=*
  2. Add these missing fields to each dataset:

_time=* sourcetype=* host=* source=* (it could be necessary to add index="NAME OF THE INDEXES" unless the indexes are already specified within the linked macro)

  3. Edit the dataset's extracted fields and select the checkbox for _time=* sourcetype=* host=* source=*
  4. Save the changes
  5. Enable acceleration again if it was enabled
  6. Edit the affected threat matching datasets by adding these matching fields
2024-10-22 SOLNESS-47561, BLUERIDGE-13686 After stack creation the disposition and finding/investigation status values are not populated on AQ page side panel for some time

Workaround:
This is a known issue for ES 8.0.0 and 8.0.1. To get around this, the customer can manually run the administrative_reload modinput, which hydrates their KV store data. The reload path is:

administrative_reload (modinput) -> administrative_reload.py -> packages/app-ess/apps/SA-ThreatIntelligence/package/bin/reviewstatuses_rest_handler.py handleReload function -> reads the conf file and updates the KV store record


Date filed Issue number Description
2024-11-25 BLUERIDGE-13617 Do not show feedback controls while streaming response (show only after the whole response has come through)
2024-11-18 BLUERIDGE-13527 Some workflow actions on the side panel intermittently don't work after you have opened an investigation and gone back to the Analyst Queue without selecting another side panel

Workaround:
Close and re-open the side-panel or select another finding.
2024-11-18 BLUERIDGE-13526 Embedded workbench field action shows on the investigation details page without being requested

Workaround:
Close the embedded workbench dialog
2024-11-18 BLUERIDGE-13528 Multiple workflow field actions can be opened on the investigation details page

Workaround:
Click any whitespace to close the workflow action
2024-11-07 BLUERIDGE-13415 Analyst Queue; filtering on a title returns only Findings and not Investigations
2024-11-04 BLUERIDGE-13359, BLUERIDGE-11468 Legacy URL parameters (those that start with "form.") are not handled correctly in the Analyst Queue

Workaround:
Re-run the search on the Analyst Queue
2024-10-22 BLUERIDGE-13380, BLUERIDGE-13575 The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sources

Workaround:
Remove `source` before sending results to the detection: add `| fields - source` to the end of the search.

2024-10-22 BLUERIDGE-13172 Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity
2024-10-18 BLUERIDGE-13101 Users can create a finding with an empty name for a custom field
2024-10-17 BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere
2024-10-16 BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes
2024-10-15 BLUERIDGE-12966 Eventtypes based on the notable index will not match investigations since they aren't from the notable index
2024-10-15 BLUERIDGE-12972 Users should not be able to add an intermediate finding to an investigation using the three-dot menu
2024-10-14 BLUERIDGE-12939 Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added
2024-10-10 BLUERIDGE-12912, BLUERIDGE-13032 Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation
2024-10-09 BLUERIDGE-12864 Missing validation in UI while adding duplicate Finding fields in AQ settings page
2024-09-27 BLUERIDGE-12602, BLUERIDGE-11983 Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions
2024-09-13 BLUERIDGE-12347 Prompt modal shows reference ID and HRID combined instead of HRID for investigations
2024-09-10 BLUERIDGE-12231 The usernames in nested findings do not use the account real-names (unlike the search results)
2024-09-09 BLUERIDGE-12221 Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be reverted

Workaround:
Re-run the search on Analyst Queue to see the most recent changes
2024-09-09 BLUERIDGE-12190 Automation tab may appear for users who cannot run playbooks
2024-09-06 BLUERIDGE-12176 Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog
2024-09-03 BLUERIDGE-12100 Included findings table in AQ side panel is not sortable
2024-08-20 BLUERIDGE-11791, BLUERIDGE-11790 Missing input validation for file upload size
2024-05-13 BLUERIDGE-9351 Status and owner both have a value called "unassigned", but they also show "unassigned" when no status is assigned, which can be confusing


See also

For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).

Last modified on 17 December, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.1