Known issues for Splunk Enterprise Security
Known issues for version 7.3.3
For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.
Splunk Enterprise Security 7.3.3 was released on February 12, 2025.
This release includes the following known issues. If this table is blank, there are no known issues for this release.
Date filed | Issue number | Description |
---|---|---|
2025-02-04 | SOLNESS-49540 | log_review.conf uses the older risk_object field but should use normalized_risk_object |
2024-10-07 | SOLNESS-47198 | Severity is incorrectly mapped as Unknown instead of High in AQ for a detection upgraded with only the finding ARA configured. |
Splunk Enterprise Security 7.3.2 was released on June 11, 2024.
This release includes the following known issues. If this table is blank, there are no known issues for this release.
Date filed | Issue number | Description |
---|---|---|
2025-02-04 | SOLNESS-49540 | The log_review.conf file uses the older risk_object field but must use normalized_risk_object. |
2024-12-03 | SOLNESS-48316, SOLNESS-48522 | max_size error for threat input source: feed discarded despite adjusted settings. |
2024-12-02 | SOLNESS-48285, SOLNESS-47969 | The "Threat - Threat List Activity - Rule" search is missing a risk message. |
2024-11-14 | SOLNESS-47961 | In ES 7.3.x, while adding tags on the Incident Review dashboard, the field value associated with each value in the table shows as undefined. |
2024-11-14 | SOLNESS-47955 | STIX2 feed download issue with ParserException errors. |
2024-11-12 | SOLNESS-47900, SOLNESS-36603 | The data model definition for Identity_Management leads to a bug where the DMA summary can't be rebuilt. |
2024-10-17 | SOLNESS-47461 | ES investigations load slowly. |
2024-10-11 | SOLNESS-47303 | Drill-down searches can't use time values in milliseconds. Workaround: Once the drill-down search is run, the time token passed to the search in the URI is in milliseconds and the search throws an error. If you convert the time to seconds in the URL, the search runs as expected. For example, <code>auto_pause=120&earliest=1720479465000&latest=1720490265000</code> is the tail end of the URL generated by the drill-down search. If you modify it to <code>earliest=1720479465&latest=1720490265</code>, removing the trailing 000 from the earliest and latest values, the search runs as expected. |
2024-10-11 | SOLNESS-47312 | When expanding a notable event in the Incident Review dashboard, an error message appears instead of the drill-down search. Workaround: 1. Open the following file: <code>/opt/splunk/etc/apps/SA-ThreatIntelligence/local/savedsearches.conf</code>. 2. Delete the following stanza from the file: <code>[Incident Review - Main]</code>. 3. Reload the savedsearches.conf file. 4. Use the following curl command to reload the configuration file: <code>curl -k -u admin:password https://{hostname}:8089/servicesNS/nobody/SA-ThreatIntelligence/saved/searches/_reload?output_mode=json</code> |
2024-10-01 | SOLNESS-47124, SOLNESS-47415, BLUERIDGE-12923 | An error message appears when the severity Unknown is selected from the available dropdown options. |
2024-09-01 | SOLNESS-46727 | Capability tag_notable_events that is associated with the ES component "Tag Notable Events" is not added to any roles on the ES search head. |
2024-08-28 | SOLNESS-46669 | Threat intelligence data retention issues. |
2024-07-08 | SOLNESS-45632, SOLNESS-47290 | Drill-down searches can't use time values in milliseconds. Workaround: Once the drill-down search is run, the time token passed to the search in the URI is in milliseconds and the search throws an error. If you convert the time to seconds in the URL, the search runs as expected. For example, <code>auto_pause=120&earliest=1720479465000&latest=1720490265000</code> is the tail end of the URL generated by the drill-down search. If you modify it to <code>earliest=1720479465&latest=1720490265</code>, removing the trailing 000 from the earliest and latest values, the search runs as expected. |
2024-07-01 | SOLNESS-45369, SOLNESS-47317 | Error: Add a disposition other than "Undetermined" to update or close the notable event. |
2024-06-05 | SOLNESS-44563, SOLNESS-47320 | "Action Forbidden" errors are displayed in the Security Posture dashboard for SAML-authenticated users. |
2024-05-29 | SOLNESS-44356, SOLNESS-47325, SOLNESS-46866, SOLNESS-46937 | Invalid IPs are merged into asset and identity lookups. |
2024-04-19 | SOLNESS-43346, BLUERIDGE-12191, SOLNESS-47298 | Incident Review Timeline does not edit selected filters even though it indicates that only selected filters are edited. Workaround: 1. Manually increase the number of results in the IR dashboard to 100. 2. Use the checkbox at the top left and select all the viewable notables on the page. 3. Edit the selected events and update the notables in bulk. |
2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident Review dashboard displays the message: "You do not have permissions to edit notable events". |
2024-02-06 | SOLNESS-40942 | The Incident Review page is stuck in the Updating state after a user with the ess_analyst role updates notables. |
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. |
2023-08-08 | SOLNESS-36864 | Timeline on Incident Review page: Cannot zoom in by double clicking. |
2023-07-27 | SOLNESS-36731 | Timeline on Incident Review page: Cannot activate or deactivate timeline buttons. |
2023-07-25 | SOLNESS-36660 | Timeline on Incident Review page: Cannot zoom in on a selection of < 1 minute. |
2023-07-18 | SOLNESS-36563 | Timeline on Incident Review page: cannot select a bar that was previously deselected. Workaround: 1. Select, then deselect, a different bar. 2. Then select the bar that you originally wanted to select. |
2023-04-12 | SOLNESS-35433, SOLNESS-47334 | Events viewer component: tags are not displayed if there are more than 30 tags. Workaround: To view relevant tags, if any, select each individual field value. |
Splunk Enterprise Security 7.3.1 was released on March 27, 2024.
This release includes the following known issues.
Date filed | Issue number | Description |
---|---|---|
2025-02-04 | SOLNESS-49540 | The log_review.conf uses the older risk_object field but should use normalized_risk_object. |
2024-10-11 | SOLNESS-47313, SOLNESS-43069, SOLNESS-49305 | The Incident Review page breaks after a Splunk Core upgrade to Python 3.9 with the error "module 'time' has no attribute". |
2024-10-11 | SOLNESS-47326, SOLNESS-45320 | Workflow actions can't be used correctly from within the Incident Review dashboard with multivalue fields. |
2024-09-19 | SOLNESS-47028 | Ingesting an intelligence file does not extract the expected lines using the regex command. Workaround: Restart the search head. If you are using a search head cluster, push the changes from the deployer, where these settings are saved in the <code>.\etc\apps\SA-ThreatIntelligence\local\inputs.conf</code> file. |
2024-08-08 | SOLNESS-46276, SOLNESS-47314 | The Create Notables page only displays the error: Cannot read properties of undefined (reading 'value'). |
2024-07-01 | SOLNESS-45369, SOLNESS-47317 | Error: Add a disposition other than "Undetermined" to update or close the notable event. |
2024-06-05 | SOLNESS-44563, SOLNESS-47320 | "Action Forbidden" errors are displayed in the Security Posture dashboard for SAML-authenticated users. |
2024-05-08 | SOLNESS-43753 | Clone dashboard bug: sharing a cloned dashboard by the sc_admin role on CO2. |
2024-04-25 | SOLNESS-43458, SOLNESS-47295 | The descriptions of notable event suppressions are not saved when invalid characters are entered in the title name. |
2024-04-19 | SOLNESS-43346, BLUERIDGE-12191, SOLNESS-47298 | Incident Review Timeline does not edit selected filters even though it indicates that only selected filters are edited. Workaround: 1. Manually increase the number of results in the IR dashboard to 100. 2. Use the checkbox at the top left and select all the viewable notables on the page. 3. Edit the selected events and update the notables in bulk. |
2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident Review dashboard displays the message: "You do not have permissions to edit notable events". |
2024-04-15 | SOLNESS-43210 | Notable adaptive response action - "Next Steps" - URL action is not properly redirecting with multiple query parameters. |
2024-04-05 | SOLNESS-43069, SOLNESS-47313 | The Incident Review page breaks after a Splunk Core upgrade to Python 3.9 with the error "module 'time' has no attribute". |
2024-02-06 | SOLNESS-40942 | The Incident Review page is stuck in the Updating state after a user with the ess_analyst role updates notables. |
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. |
2023-08-16 | SOLNESS-36952, SOLNESS-47316 | Risk Analysis 'Source' drop-down list results are truncated. Workaround: Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name. |
2023-08-08 | SOLNESS-36864 | Timeline on Incident Review page doesn't zoom upon double clicking. |
2023-07-27 | SOLNESS-36731 | Timeline on Incident Review page doesn't activate or deactivate timeline buttons. |
2023-07-25 | SOLNESS-36660 | Timeline on Incident Review page doesn't zoom in on a selection of < 1 minute. |
2023-07-18 | SOLNESS-36563 | Timeline on Incident Review page: cannot select a bar that was previously deselected. Workaround: 1. Select, then deselect, a different bar. 2. Select the bar that you originally wanted to select. |
2023-04-12 | SOLNESS-35433, SOLNESS-47334 | Events viewer component: Tags are not displayed if there are more than 30 tags. Workaround: To view relevant tags, if any, select each individual field value. |
Splunk Enterprise Security 7.3.0 was released on December 19, 2023.
This release includes the following known issues.
Date filed | Issue number | Description |
---|---|---|
2025-02-04 | SOLNESS-49540 | The <code>log_review.conf</code> file uses the older <code>risk_object</code> field but must use <code>normalized_risk_object</code>. |
2024-11-05 | SOLNESS-47715 | Threat match configurations that use Endpoint datasets do not show the default metakeys _time, sourcetype, source, and host. Workaround: Do not edit the default data model unless you have already edited it. Wait until the changes are on-boarded into the Splunk SA_CIM data model structure. If you modify the data model, any future default changes made by the official Splunk app might not be applied, because local changes to the data model take precedence over any future default changes made by Splunk to that data model and pushed through an update. Instead, if you have already modified this data model and it is missing these fields, apply the following changes: |
2024-10-11 | SOLNESS-47293, SOLNESS-44220, SOLNESS-48006 | The correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" are impacted because modifications to the threat match searches updated a field. |
2024-10-11 | SOLNESS-47313, SOLNESS-43069, SOLNESS-49305 | The Incident Review page breaks after a Splunk Core upgrade to Python 3.9 with the error "module 'time' has no attribute". |
2024-07-24 | SOLNESS-45992, SOLNESS-48049 | Threat intelligence feed downloads fail with POST configuration errors. |
2024-05-22 | SOLNESS-44220, SOLNESS-47293 | The correlation searches "Threat Activity - Systems Impacted By Multiple Threats" and "Threat Activity - Threats Impacting Multiple Systems" are impacted because modifications to the threat match searches updated a field. |
2024-05-16 | SOLNESS-44061, SOLNESS-47289 | Threat Intelligence |
2024-05-07 | SOLNESS-43726 | Performance regression in the main search on the Incident Review page. Workaround: Remove references to the Get drilldown searches macro from the Get correlations macro in the following file: <code>/apps/SA-ThreatIntelligence/default/macros.conf</code>. However, this can cause notables to no longer display drill-down searches on the Incident Review page. |
2024-04-29 | SOLNESS-43530 | Collaborators disappear after refreshing the Investigations tab. |
2024-04-23 | SOLNESS-43404, SOLNESS-46942, SOLNESS-47332 | 3460846 - New lines and special characters no longer appear correctly in notable event Next Steps. |
2024-04-19 | SOLNESS-43346, BLUERIDGE-12191, SOLNESS-47298 | The Incident Review timeline does not edit the selected filters even though it indicates that only those will be edited. Workaround (manual and slow): 1. Manually increase the number of results in the IR dashboard to 100. 2. Use the checkbox at the top left to select all the viewable notables on the page. 3. Edit the selected events and update these notables in bulk. |
2024-04-16 | SOLNESS-43255 | Hovering over "Add Selected to Investigation" on the Incident Review dashboard displays the message: "You do not have permissions to edit notable events". |
2024-04-11 | SOLNESS-43160 | 3448390 - RBA risk score discrepancies |
2024-04-05 | SOLNESS-43069, SOLNESS-47313 | The Incident Review page breaks after a Splunk Core upgrade to Python 3.9 with the error "module 'time' has no attribute". |
2024-03-19 | SOLNESS-42315 | TIF - Mitre Parser - ICS |
2024-03-13 | SOLNESS-42110 | "Something went wrong" error in Risk Analysis Dashboard |
2024-02-28 | SOLNESS-41634, SOLNESS-47315 | Incident Review does not apply the notable_xref filter from the generated URL on ES 7.3. |
2024-02-06 | SOLNESS-40942 | The Incident Review page is stuck in the Updating state after a user with the ess_analyst role updates notables. |
2024-02-01 | SOLNESS-40916, SOLNESS-47330 | The "View related investigations" link requires excess permissions. Workaround: Add read permissions for the additional role to the investigation collection in the local.meta configuration file: <code>[collections/investigation] access = read: [ admin, test_role] , write: [admin]</code> |
2024-01-23 | SOLNESS-40719 | Time range settings are not saved successfully on the Incident Review page, irrespective of whether the time range is valid or not. |
2024-01-12 | SOLNESS-40632 | Discrepancy in the notable events timeline visualization. |
2023-12-05 | SOLNESS-40127, SOLNESS-40436 | Identity Manager values in the "blacklist" or "blacklist_fields" fields are ignored. Workaround: Update the exclusion fields using the UI. Go to *Configure > Data Enrichment > Assets & Identity Management*. Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list. |
2023-11-30 | SOLNESS-40082 | Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher. |
2023-11-29 | SOLNESS-40066 | The dialog for suppressing notable events does not open after the first suppression is added on the Incident Review page. Workaround: Refresh the Incident Review page so that you can add more suppression rules for notables. |
2023-10-02 | SOLNESS-38795 | Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2. Workaround: Make a clone of the notable macro, but remove the portions that reference the get_drilldown_searches macro: <code>[get_drilldown_searches] definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj</code> |
2023-08-30 | SOLNESS-37237 | Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error. |
2023-08-16 | SOLNESS-36952, SOLNESS-47316 | Risk Analysis 'Source' drop-down list results are truncated. Workaround: Searches appear in alphabetical order. To move important searches to the top of the list, rename them to appear earlier in the alphabet. For example, add "AAA -" to the beginning of the search name. |
2023-08-08 | SOLNESS-36864 | The timeline on the Incident Review page cannot zoom in upon double clicking. |
2023-07-27 | SOLNESS-36731 | The timeline on the Incident Review page cannot activate or deactivate timeline buttons. |
2023-07-25 | SOLNESS-36660 | The timeline on the Incident Review page cannot zoom in on a selection of < 1 minute. |
2023-07-20 | SOLNESS-36590 | The script <code>confcheck_es_bias_language_cleanup</code> is reported as missing in Splunk Enterprise Security 7.2.0. |
2023-07-18 | SOLNESS-36563 | The timeline on the Incident Review page cannot select a bar that was previously deselected. Workaround: 1. Select and then deselect a different bar on the timeline. 2. Then, select the bar that you originally wanted to select. |
2022-09-14 | SOLNESS-32647 | Saved searches created in the Content Management page with private settings are not displayed. |