Known Issues
Version 8.0.40
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-29 | BLUERIDGE-16107 | ACS request fails in SHC for querying IP allow list |
| 2025-04-29 | BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 | Reflect the MC note created_time/updated_time on findings' update_time |
| 2025-04-22 | BLUERIDGE-16006, BLUERIDGE-15855 | Wrong id sent while bulk update Assign to me for a finding |
| 2025-04-17 | BLUERIDGE-15954 | Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used. |
| 2025-04-16 | BLUERIDGE-15899 | Large number of tokens generated during mc soar allowlist validation |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433, BLUERIDGE-16077 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| Date filed | Issue number | Description |
|---|---|---|
| 2022-03-25 | SINT-7432 | Cloning MITRE is blocked in the UI for several back releases. |
Version 8.0.31
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-30 | SOLNESS-51027 | Unable to add "Log event" adaptive response action, error "Alert No event text specified for log event action" |
| 2025-04-24 | SOLNESS-50741 | Duplicated findings are created by detection reoccurring - same as SOLNESS-47237 |
| 2025-03-27 | SOLNESS-50362 | Detection migration script is taking default folder Risk. |
| 2025-02-21 | SOLNESS-49794 | Discrepancy when saving custom FBD with versioning off/on |
| 2025-02-14 | SOLNESS-49668 | Skip migration script for private searches |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-29 | BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 | Reflect the MC note created_time/updated_time on findings' update_time |
| 2025-04-17 | BLUERIDGE-15954 | Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used. |
| 2025-04-16 | BLUERIDGE-15899 | Large number of tokens generated during mc soar allowlist validation |
| 2025-04-10 | BLUERIDGE-15855, BLUERIDGE-16006 | AQ now showing errors and performs optimistic update event when bulk update fails |
| 2025-04-07 | BLUERIDGE-15832 | Pagination Does Not Reset When Applying New Filters on AQ Table |
| 2025-03-13 | BLUERIDGE-15531 | MC Title Column Filter only searches Findings and not Investigations |
| 2025-03-11 | BLUERIDGE-15514 | Splunk core inserts hostname into Mission Control tab in the navbar when SAML authenticated and there's no `name` attribute defined, causing redirection errorWorkaround:Press the big mission control button on the main ES page to access the mission control page. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-07 | BLUERIDGE-15505 | SidePanel breaks for findings with variable called `comment` |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433, BLUERIDGE-16077 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-08-05 | BLUERIDGE-11468, SOLNESS-40830, BLUERIDGE-13359 | The "Top Notable Events" panel on the Security Posture dashboard doesn't properly link to the Analyst Queue (the filter for "rule name" is not properly applied)Workaround:Re-run the search on the Analyst Queue |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| Date filed | Issue number | Description |
|---|---|---|
| 2022-03-25 | SINT-7432 | Cloning MITRE is blocked in the UI for several back releases. |
Version 8.0.3
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-21 | SOLNESS-49794 | Discrepancy when saving custom FBD with versioning off/on |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-13 | BLUERIDGE-15531 | MC Title Column Filter only searches Findings and not Investigations |
| 2025-03-11 | BLUERIDGE-15514 | Splunk core inserts hostname into Mission Control tab in the navbar when SAML authenticated and there's no `name` attribute defined, causing redirection errorWorkaround:Press the big mission control button on the main ES page to access the mission control page. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-07 | BLUERIDGE-15505 | SidePanel breaks for findings with variable called `comment` |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")Workaround:Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
Version 8.0.2
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-19 | SOLNESS-49775 | Update got to the latest version to remediate CVE-2022-33987 |
| 2025-01-07 | SOLNESS-48923, BLUERIDGE-14095 | Saved views are not visible post upgrade from ES 7.0.2 to ES 8.0.2 |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-18 | BLUERIDGE-15547 | Records of findings are not visible in an investigation after 30 days. |
| 2025-03-18 | BLUERIDGE-15562 | The Investigation Overview page does not show investigation data when all findings are deleted from the investigation. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433 | Last updated field shows N/A after reloading |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-17 | BLUERIDGE-15280 | Summary fields not rendered on Investigations Overview |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-18 | BLUERIDGE-13528 | Multiple workflow field actions can be opened on the investigation details pageWorkaround:Click any whitespace to close the workflow action |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")Workaround:Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
Version 8.0.1
Version 8.0.1
| Date filed | Issue number | Description |
|---|---|---|
| 2024-12-02 | SOLNESS-48285, SOLNESS-47969 | Threat - Threat List Activity - Rule Search is missing Risk Message |
| 2024-11-05 | SOLNESS-47715 | Threat match configuration that uses Endpoint datasets do not show default metakey _time sourcetype source hostWorkaround:It Is not advised to edit the default datamodel (unless you have already done it), for this specific is better to await for changes to be officially onboarded on the future splunk SA_CIM datamodel structure. If you modify the Datamodel, any future changes "Default made" set by splunk official app may not be applied (local changes of the datamodel will take precedence upon any future default changes made by splunk to that datamodel pushed though an update) . Instead if you have already modified this datamodel and it misses these fields please apply these changes:
_time=* sourcetype=* host=* source=* (could be necessary to add index="NAME OF THE INDEXES" unless specified within the linked macro
|
| 2024-10-22 | SOLNESS-47561, BLUERIDGE-13686 | After stack creation the disposition and finding/investigation status values are not populated on AQ page side panel for some timeWorkaround:This is known issue for ES 8.0.0 amd 8.0.1. To get around this, the customer can manually run the Template:Administrative reload modinput which hydrates their kvstore data. {noformat}administrative_reload (modinput) -> adminstrative_redload.py -> packages/app-ess/apps/SA-ThreatIntelligence/package/bin/reviewstatuses_rest_handler.py handleReload function -> Read conf file and updates the kvstore record{noformat} |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-18 | BLUERIDGE-15547 | Records of findings are not visible in an investigation after 30 days. |
| 2025-03-18 | BLUERIDGE-15562 | The Investigation Overview page does not show investigation data when all findings are deleted from the investigation. |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-02-17 | BLUERIDGE-15280 | Summary fields not rendered on Investigations Overview |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-18 | BLUERIDGE-13528 | Multiple workflow field actions can be opened on the investigation details pageWorkaround:Click any whitespace to close the workflow action |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")Workaround:Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-01-27 | SINT-7114 | Invalid unicode characters (like emojis) cause TAXII errors |
| 2024-11-21 | SINT-6969, SINT-7056, SINT-7095 | Unable to populate URL threat intel feed for Accenture CywareWorkaround:Increased max_size parameter in configuration but it does not resolve the issue. (From past case) G-drive link for SH diag - [1] |
Version 8.0.2
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-19 | SOLNESS-49775 | Update got to the latest version to remediate CVE-2022-33987 |
| 2025-01-07 | SOLNESS-48923, BLUERIDGE-14095 | Saved views are not visible post upgrade from ES 7.0.2 to ES 8.0.2 |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-18 | BLUERIDGE-15547 | Records of findings are not visible in an investigation after 30 days. |
| 2025-03-18 | BLUERIDGE-15562 | The Investigation Overview page does not show investigation data when all findings are deleted from the investigation. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433 | Last updated field shows N/A after reloading |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-17 | BLUERIDGE-15280 | Summary fields not rendered on Investigations Overview |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-18 | BLUERIDGE-13528 | Multiple workflow field actions can be opened on the investigation details pageWorkaround:Click any whitespace to close the workflow action |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")Workaround:Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
Version 8.0.3
| Date filed | Issue number | Description |
|---|---|---|
| 2025-02-21 | SOLNESS-49794 | Discrepancy when saving custom FBD with versioning off/on |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-03-13 | BLUERIDGE-15531 | MC Title Column Filter only searches Findings and not Investigations |
| 2025-03-11 | BLUERIDGE-15514 | Splunk core inserts hostname into Mission Control tab in the navbar when SAML authenticated and there's no `name` attribute defined, causing redirection errorWorkaround:Press the big mission control button on the main ES page to access the mission control page. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-07 | BLUERIDGE-15505 | SidePanel breaks for findings with variable called `comment` |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-11-04 | BLUERIDGE-13359, BLUERIDGE-11468 | Legacy URL parameters are not handled correctly in Analyst Queue (those that start with with "form.")Workaround:Re-run the search on the Analyst Queue |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
Version 8.0.31
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-30 | SOLNESS-51027 | Unable to add "Log event" adaptive response action, error "Alert No event text specified for log event action" |
| 2025-04-24 | SOLNESS-50741 | Duplicated findings are created by detection reoccurring - same as SOLNESS-47237 |
| 2025-03-27 | SOLNESS-50362 | Detection migration script is taking default folder Risk. |
| 2025-02-21 | SOLNESS-49794 | Discrepancy when saving custom FBD with versioning off/on |
| 2025-02-14 | SOLNESS-49668 | Skip migration script for private searches |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-29 | BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 | Reflect the MC note created_time/updated_time on findings' update_time |
| 2025-04-17 | BLUERIDGE-15954 | Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used. |
| 2025-04-16 | BLUERIDGE-15899 | Large number of tokens generated during mc soar allowlist validation |
| 2025-04-10 | BLUERIDGE-15855, BLUERIDGE-16006 | AQ now showing errors and performs optimistic update event when bulk update fails |
| 2025-04-07 | BLUERIDGE-15832 | Pagination Does Not Reset When Applying New Filters on AQ Table |
| 2025-03-13 | BLUERIDGE-15531 | MC Title Column Filter only searches Findings and not Investigations |
| 2025-03-11 | BLUERIDGE-15514 | Splunk core inserts hostname into Mission Control tab in the navbar when SAML authenticated and there's no `name` attribute defined, causing redirection errorWorkaround:Press the big mission control button on the main ES page to access the mission control page. |
| 2025-03-11 | BLUERIDGE-15515, MCHELP-521 | After upgrade of Enterprise Security (ES) to ES 8.0.2, customer's Incident Review (Analyst Queue) filters are broken |
| 2025-03-10 | BLUERIDGE-15508 | Users cannot search with SPL in AQ Search Bar |
| 2025-03-10 | BLUERIDGE-15507 | Pairing errors "Invalid credentials" even after being provided credentials |
| 2025-03-07 | BLUERIDGE-15505 | SidePanel breaks for findings with variable called `comment` |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433, BLUERIDGE-16077 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2025-02-19 | BLUERIDGE-15342 | Auto Populated ES URL on Pairing page does not match expected ES URL on Azure SHC |
| 2025-02-14 | BLUERIDGE-15218 | IR Table field "label1" got changed to "Destination" after Upgrade |
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-11-25 | BLUERIDGE-13617 | Do not show feedback controls while streaming response (show only after the whole response has come through) |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround:Close the embedded workbench dialog |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-08-05 | BLUERIDGE-11468, SOLNESS-40830, BLUERIDGE-13359 | The "Top Notable Events" panel on the Security Posture dashboard doesn't properly link to the Analyst Queue (the filter for "rule name" is not properly applied)Workaround:Re-run the search on the Analyst Queue |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| Date filed | Issue number | Description |
|---|---|---|
| 2022-03-25 | SINT-7432 | Cloning MITRE is blocked in the UI for several back releases. |
Version 8.0.0
| Date filed | Issue number | Description |
|---|---|---|
| 2024-11-15 | SOLNESS-47969, SOLNESS-47700, SOLNESS-48285 | CMP SHC - Assign Risk section for OOTB ES EBDs missing Assign Risk risk modifier values |
| 2024-11-05 | SOLNESS-47715 | Threat match configuration that uses Endpoint datasets do not show default metakey _time sourcetype source hostWorkaround:It Is not advised to edit the default datamodel (unless you have already done it), for this specific is better to await for changes to be officially onboarded on the future splunk SA_CIM datamodel structure. If you modify the Datamodel, any future changes "Default made" set by splunk official app may not be applied (local changes of the datamodel will take precedence upon any future default changes made by splunk to that datamodel pushed though an update) . Instead if you have already modified this datamodel and it misses these fields please apply these changes:
_time=* sourcetype=* host=* source=* (could be necessary to add index="NAME OF THE INDEXES" unless specified within the linked macro
|
| 2024-10-31 | SOLNESS-47689 | Leading space added to a detection field with multiline (line breaks) text input when versioning is turned on for the first time |
| 2024-10-30 | SOLNESS-47686 | Square brackets fail on CMS ParsingWorkaround:Workaround is simply recreate the detection that was affected. For example if the user created a detection named {{[Test] Name}} it won't be properly versioned. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page. In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there. |
| 2024-10-24 | SOLNESS-47625 | Detection Versioning - cant save a duplicate version |
| 2024-10-22 | SOLNESS-47561, BLUERIDGE-13686 | After stack creation the disposition and finding/investigation status values are not populated on AQ page side panel for some timeWorkaround:This is known issue for ES 8.0.0 amd 8.0.1. To get around this, the customer can manually run the Administrative_reload_modinput which hydrates their kvstore data. administrative_reload (modinput) -> adminstrative_redload.py -> packages/app-ess/apps/SA-ThreatIntelligence/package/bin/reviewstatuses_rest_handler.py handleReload function -> Read conf file and updates the kvstore record |
| 2024-10-22 | SOLNESS-47542 | Unversioned Detections created during Versioning InitializationWorkaround:Workaround is simply recreate the detection that was affected. For example if the user created a detection during versioning initialization (while the Cms parser modinput was running) it won't be properly versioned, and the actions like Enabling, Saving or Cloning won't work. The workaround is to just recreate it after versioning is on. Alternatively, one can Clone the detection via the Content Management Page. In order to disable a detection that was created in this state, go to {{Settings -> Searches, reports and alerts}} and disable/delete the detection there. |
| 2024-10-15 | SOLNESS-47413 | Status sort doesn't work |
| 2024-10-15 | SOLNESS-47420 | Detections Editor lets me leave the page while I have unsaved changes |
| 2024-10-15 | SOLNESS-47418 | Detections Editor should disable Save button if no changes have been made |
| 2024-10-15 | SOLNESS-47419 | Detections Editor - switching between versions shows a blank page with full screen loading spinner |
| 2024-10-15 | SOLNESS-47421 | Detections Editor - Switching on/off and saving have inconsistent success behaviors |
| 2024-10-15 | SOLNESS-47424 | EBD - detections create multiple findings when there are multiple risk objects |
| 2024-10-14 | SOLNESS-47349 | Bookmarks to few Analytic stories on Use Case Library dashboard are removed post upgrade |
| 2024-10-11 | SOLNESS-47267, BLUERIDGE-12937 | Splunk ES Post install configuration page has references to correlation search, Notable, Risk |
| 2024-10-07 | SOLNESS-47198 | Severity incorrectly mapped as Unknown instead of High in AQ for Detection upgraded with only finding ARA configured |
| 2024-10-06 | SOLNESS-47185 | ess_analyst user not able to edit EBD after upgrade |
| 2024-10-03 | SOLNESS-47166 | "risk_message" is being populated populated with "saved search description" on a BA search |
| 2024-10-01 | SOLNESS-47124, SOLNESS-47415, BLUERIDGE-12923 | Error message appears when severity is selected as Unknown from the available dropdown options |
| 2024-09-25 | SOLNESS-47095 | Custom EBD upgraded with both notable and risk ARA post upgrade when scheduled generates multiple notables for each risk modifier |
| 2024-09-19 | SOLNESS-47028 | Ingesting intelligence file does not extract expected lines thorugh regex ruleWorkaround:Because of a bug in the GUI the field Delim_regex= takes precedence within the stanza defined for any threat intel setting, upon the Extract_regex. The workaround is to manually force the the If you are using SHC feel free to push changes from the deployer these settings are saved within inputs.conf inside .\etc\apps\SA-ThreatIntelligence\local\inputs.conf splunk@so1:/opt/splunk/etc/apps/SA-ThreatIntelligence/local$ grep emmanuetest -A 25 inputs.conf {noformat}[threatlist://emmanuetest] extract_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,}) delim_regex = ^\|\|((?:\d{1,3}\.){3}\d{1,3})|^\|\|([a-zA-Z0-9*.-]+\.[a-zA-Z]{2,}){noformat} |
| 2024-09-13 | SOLNESS-46937, SOLNESS-44356 | old terminology on detection editor |
| 2024-09-09 | SOLNESS-46872 | Detection link of AQ side panel redirect to EBD editor |
| 2024-09-09 | SOLNESS-46876 | Duplicate UBA threats in ES |
| 2024-08-29 | SOLNESS-46712 | Modifying SPL through conf files/configuration settings does not load the FBD as custom |
| 2024-05-21 | SOLNESS-44228, BLUERIDGE-9615 | Detection search name to notify analysts of untriaged findings might or might not exist |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-01-17 | BLUERIDGE-14236 | Front end checks as part of PO automation.Workaround:Remove `/SA-ThreatIntelligence/local/data/ui/views/incident_review.xml` and restart, or Navigate to Views -> Search "Incident Review" -> edit and replace what's there with the 8.x file so a restart is not required. |
| 2024-12-19 | BLUERIDGE-14052, BLUERIDGE-13938 | Removing investigation type description completely causes stuck loading spinner |
| 2024-12-17 | BLUERIDGE-13981 | "Reviewer" field is incorrectly set to "splunk-system-user" in _audit index f |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround: Close and re-open the side-panel or select another finding. |
| 2024-11-18 | BLUERIDGE-13526 | Embedded workbench field action shows on the investigation details page without being requestedWorkaround: Close the embedded workbench dialog |
| 2024-11-18 | BLUERIDGE-13528 | Multiple workflow field actions can be opened on the investigation details pageWorkaround:Click any whitespace to close the workflow action |
| 2024-11-07 | BLUERIDGE-13415 | Analyst Queue; filtering on a title returns only Findings and not Investigations |
| 2024-10-31 | BLUERIDGE-13304 | ID appears to change when loading the Response Plan on a duplicate Investigation |
| 2024-10-25 | BLUERIDGE-13219 | ES Stacks previously connected to brsoar stacks may need to run `create_soar_jwk_key_pair` manually for ES-SOAR connectivity to work properly. |
| 2024-10-23 | BLUERIDGE-13191, BLUERIDGE-13185 | Add a check to see if mc_investigations is ready for convert_pre_es_convergence_incidents_mod_input |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-22 | BLUERIDGE-13172 | Entities for a finding group on Analyst Queue says 'Multiple' even if there is only a single entity |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12950 | Pagination is sometimes not visible on the Analyst Queue due to findings on other pages being selectedWorkaround:Click the checkbox on Analyst Queue twice in order to unselect the findings |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-10 | BLUERIDGE-12912, BLUERIDGE-13032 | Only 100 findings are shown for a finding group even if more than 100 exist and you can only add the visible findings to an investigation |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12593 | Saving a note before image upload completes breaks the image preview and does not successfully upload the image |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-10 | BLUERIDGE-12231 | The usernames in nested findings do not use the account real-names (unlike the search results) |
| 2024-09-09 | BLUERIDGE-12221 | Selecting a time-range on Analyst Queue by clicking the timeline can cause recent changes to findings to appear to be revertedWorkaround:Re-run the search on Analyst Queue to see the most recent changes |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-08-08 | BLUERIDGE-11658 | Analyst Queue doesn't always recover from a search error and instead shows a spinner (implying the search is still running)Workaround:Reload the Analyst Queue to restart the search |
| 2024-08-05 | BLUERIDGE-11468, SOLNESS-40830, BLUERIDGE-13359 | The "Top Notable Events" panel on the Security Posture dashboard doesn't properly link to the Analyst Queue (the filter for "rule name" is not properly applied)Workaround:Re-run the search on the Analyst Queue |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| 2024-05-08 | BLUERIDGE-9246 | Notes required toggle in AQ settings is not enforced |
| Date filed | Issue number | Description |
|---|---|---|
| 2025-01-27 | SINT-7114 | Invalid unicode characters (like emojis) cause TAXII errors |
| 2024-11-21 | SINT-6969, SINT-7056, SINT-7095 | Unable to populate URL threat intel feed for Accenture CywareWorkaround:Increased max_size parameter in configuration but it does not resolve the issue. (From past case) G-drive link for SH diag - [1] |
Version 8.0.40
| Date filed | Issue number | Description |
|---|---|---|
| 2025-04-29 | BLUERIDGE-16107 | ACS request fails in SHC for querying IP allow list |
| 2025-04-29 | BLUERIDGE-16077, BLUERIDGE-15433, BLUERIDGE-16189 | Reflect the MC note created_time/updated_time on findings' update_time |
| 2025-04-22 | BLUERIDGE-16006, BLUERIDGE-15855 | Wrong id sent while bulk update Assign to me for a finding |
| 2025-04-17 | BLUERIDGE-15954 | Searches on the Analyst Queue might not work with immutable data when the Splunk OR operator is used. |
| 2025-04-16 | BLUERIDGE-15899 | Large number of tokens generated during mc soar allowlist validation |
| 2025-03-06 | BLUERIDGE-15501 | Unable to create investigations and investigation types when using Splunk ES on-prem due to search head cluster re-direction issues.Workaround:Change all hostname references (non-FQDN) to FQDN in the server.conf configuration file. However, this might increase the load on the DNS.Alternatively edit /etc/hosts and create the link between IPaddes and SH_fqdn_hostname into each search head cluster Alternatively, you can disable the search head cluster redirection framework. However, this can lead to data loss or data corruption. Eg: Duplicate HRIDs. You can mitigate this by using the KV captain only for all the UI flows. If you are using Splunk Enterprise Security (on-prem), run the following CURL command:curl -k --location "https://<hostname>:8089/servicesNS/nobody/missioncontrol/configs/conf-infra/cloud?output_mode=json" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "disable_api_redirection=<true/false>" If you want to disable the search head cluster redirection framework but you are not using Splunk Enterprise Security (on-prem), open a support ticket on the Splunk Support portal. |
| 2025-03-03 | BLUERIDGE-15433, BLUERIDGE-16077 | Last updated field shows N/A after reloading |
| 2025-02-28 | BLUERIDGE-15425 | Next Steps in Finding Groups change when an edit is made to the Detection |
| 2025-02-27 | BLUERIDGE-15407 | Tags feature breaks for Finding Groups since Entity field in a findinggroup gets populated with "-" |
| 2024-11-18 | BLUERIDGE-13527 | Some workflow actions on the side-panel intermittently don't work after you have opened and investigation and go back to AQ without selecting another side-panelWorkaround:Close and re-open the side-panel or select another finding. |
| 2024-10-22 | BLUERIDGE-13380, BLUERIDGE-13575 | The link text for a finding in the side panel of the Analyst Queue for a Detection is incorrect when there are multiple sourcesWorkaround:Remove `source` before sending to detection. add `| fields - source` to end of search |
| 2024-10-18 | BLUERIDGE-13101 | Users can create a finding with an empty name for a custom field |
| 2024-10-17 | BLUERIDGE-13081, BLUERIDGE-13121, BLUERIDGE-13122, BLUERIDGE-13124 | The "Edit filter groups" capability is confusing because the feature it controls is called "Saved Views" elsewhere |
| 2024-10-16 | BLUERIDGE-13006, BLUERIDGE-12968, BLUERIDGE-13425 | The "Edit Tags" modal does not communicate errors properly when it is unable to save the changes |
| 2024-10-15 | BLUERIDGE-12966 | Eventtypes based on the notable index will not match investigations since they aren't from the notable index |
| 2024-10-14 | BLUERIDGE-12939 | Bulk adding a finding (that was already in the investigation) along with other findings on the Analyst Queue shows a success message even though the finding that was already included wasn't added |
| 2024-10-09 | BLUERIDGE-12864 | Missing validation in UI while adding duplicate Finding fields in AQ settings page |
| 2024-09-27 | BLUERIDGE-12602, BLUERIDGE-11983 | Cleanup `local/*.conf` files for deprecated modinputs, savedsearches, alert_actions |
| 2024-09-13 | BLUERIDGE-12347 | Prompt modal shows reference ID and HRID combined instead of HRID for investigations |
| 2024-09-09 | BLUERIDGE-12190 | Automation tab may appear for users who cannot run playbooks |
| 2024-09-06 | BLUERIDGE-12176 | Resizing columns on the Analyst Queue can cause the column to be sorted or to show the column sort dialog |
| 2024-09-03 | BLUERIDGE-12100 | Included findings table in AQ side panel is not sortable |
| 2024-08-20 | BLUERIDGE-11791, BLUERIDGE-11790 | Missing input validation for file upload size |
| 2024-05-13 | BLUERIDGE-9351 | Status and owner both have a status called "unassigned" but also show a "unassigned" if no status is assigned which can be confusing |
| Date filed | Issue number | Description |
|---|---|---|
| 2022-03-25 | SINT-7432 | Cloning MITRE is blocked in the UI for several back releases. |
See also
For known issues in Splunk SOAR (Cloud), see Known issues for Splunk SOAR (Cloud).