Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.2.0 was released on September 6, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues.

Date filed | Issue number | Description
2025-02-04 | SOLNESS-49540 | log_review.conf uses the older risk_object field but should use normalized_risk_object.
2024-11-05 | SOLNESS-47715 | Threat match configurations that use Endpoint datasets do not show the default metakey fields _time, sourcetype, source and host.
Workaround:
Editing the default data model is not advised (unless you have already done so); for this specific issue it is better to wait for the changes to be officially onboarded into a future Splunk SA_CIM data model structure. If you modify the data model, future default changes shipped by the official Splunk app may not be applied (local changes to a data model take precedence over any future default changes that Splunk pushes to that data model through an update). If you have already modified this data model and it is missing these fields, apply the following changes:
  1. Stop data model acceleration (if enabled) for the data model whose field list is missing these fields: _time=* sourcetype=* host=* source=*
  2. Add the missing fields to each dataset: _time=* sourcetype=* host=* source=* (it may be necessary to add index="NAME OF THE INDEXES" unless the indexes are specified in the linked macro).
  3. Edit the dataset's extracted fields and check the boxes for _time=* sourcetype=* host=* source=*
  4. Save the changes.
  5. Re-enable acceleration if it was enabled.
  6. Edit the affected threat matching datasets by adding these matching fields.
2024-10-11 | SOLNESS-47268 | Certain regular expressions within drilldown_searches are not applied properly to correlationsearches_lookup.
Workaround:
Update the get_drilldown_searches macro, changing (drilldown_searches, "\[\]") to (drilldown_searches, "\[\{\}\]").
2024-05-07 | SOLNESS-43726 | Investigate performance regression in the main search on the Incident Review page.
Workaround:

Remove references to the get_drilldown_searches macro from the get_correlations macro in the following file: .../apps/SA-ThreatIntelligence/default/macros.conf. However, this can cause notables to no longer display drilldown searches on the Incident Review page.

2024-04-25 | SOLNESS-43458, SOLNESS-47295 | Notable Event Suppression descriptions are not saved after entering illegal characters in the title name.
2024-04-22 | SOLNESS-43399 | Splunk Enterprise Security asset and identity management KV lookups are broken on Splunk Core version 9.3.0.
2024-02-06 | SOLNESS-40942 | Incident Review page is stuck in "Updating" after a user with the ess_analyst role updates notables.
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization.
Workaround:
No workaround.
2023-12-05 | SOLNESS-40127, SOLNESS-40436 | Identity Manager values in the "blacklist" or "blacklist_fields" fields are ignored.
Workaround:
Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management.* Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list.
2023-11-30 | SOLNESS-40082 | Timeline options for Investigations do not display correctly in Splunk Enterprise Security version 7.0.2 and higher.
2023-11-30 | SOLNESS-40087 | In Drilldown Searches, the "Latest Offset" UI helper text displays "Earliest Time" instead of "Latest Time".
2023-11-09 | SOLNESS-39519 | Saved filters on the Incident Review page result in a blank page after upgrading to version 7.2.
2023-11-07 | SOLNESS-39507 | Updating notable event actions results in the following error: "The update failed: 'list' object has no attribute 'startswith'"
2023-11-02 | SOLNESS-39506 | Asset and identity enrichment for "dest" assets causes an alignment issue on the Incident Review page.
Workaround:
dest_asset is not needed in Incident Review. The fields Destination IP, Destination DNS, Destination NT Hostname and Destination MAC Address can be added separately.
2023-11-02 | SOLNESS-39469 | Cannot customize fields in the Risk Analysis data model.
2023-10-20 | SOLNESS-39223 | Modular input "confcheck_es_bias_language_cleanup" displays an error after upgrade even when it is turned off.
Workaround:
  1. Modify the following file:
     On a search head cluster:
     /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
     On a standalone ES instance:
     /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
  2. Add the following comment and stanza at the end of the file:

     # Conf File Check for Bias Language
     [confcheck_es_bias_language_cleanup://default]
     debug = <boolean>

(Optional steps, depending on whether you are on a search head cluster or a standalone search head)
  3. On a search head cluster, push the changes to the cluster members by pushing the app bundle.
  4. Clear the messages from the top of the page so that they do not display again.
  5. On a standalone search head, restart the Splunk process.
2023-10-11 | SOLNESS-39022 | No results are returned when searching for a notable using the Short ID.
2023-10-02 | SOLNESS-38795 | Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.
Workaround:
Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro (the macro definition below is split across lines with backslash continuations for readability):

    [get_drilldown_searches]
    definition = streamstats count as drilldown_event_id \
    | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) \
    | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) \
    | mvexpand updated_drilldown_searches \
    | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ \
    | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ \
    | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset \
    | spath input=updated_drilldown_searches path=latest_offset output=latest_offset \
    | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) \
    | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) \
    | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches \
    | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id \
    | dedup drilldown_event_id \
    | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) \
    | fields - drilldown_event_id, updated_drilldown_obj

2023-09-25 | SOLNESS-38785 | Incident Review: the Results Per Page setting goes back to the default after clicking Refresh.
2023-09-22 | SOLNESS-38777 | An error message might be displayed when expanding notables on the Incident Review page.
2023-09-11 | SOLNESS-38498 | The Risk Score field is not displayed as a link when you expand the rows in Incident Review and go to Additional Fields.
2023-09-07 | SOLNESS-38261 | Unable to filter for events using "event_id=notable_id" on the Incident Review page; the page redirects to the default filters.
2023-08-30 | SOLNESS-37237 | Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error.
2023-08-25 | SOLNESS-37062 | New drill-down searches in the Correlation Editor can show validation errors if they were saved earlier.
2023-08-08 | SOLNESS-36864 | Timeline on the Incident Review page: cannot zoom in by double-clicking.
2023-08-02 | SOLNESS-36801 | Clicking Save or Save new filters twice might cause the Incident Review page to freeze or remain unresponsive.
2023-07-27 | SOLNESS-36746, SOLNESS-36748 | Notable titles with non-existent tokens are normalized with empty strings on the Incident Review page.
2023-07-27 | SOLNESS-36731 | Timeline on the Incident Review page: cannot activate or deactivate timeline buttons.
2023-07-25 | SOLNESS-36660 | Timeline on the Incident Review page: cannot zoom in on a selection of less than 1 minute.
2023-07-20 | SOLNESS-36590 | The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0.
2023-07-18 | SOLNESS-36563 | Timeline on the Incident Review page: cannot select a bar that was previously deselected.
Workaround:
Select, then deselect, a different bar. Then select the bar that you originally wanted to select.
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed.