Known issues

The following tables include issues and workarounds for releases of Splunk Enterprise Security. Issues are listed in all relevant sections. Some issues appear more than once.

Splunk Enterprise Security 8.3.0 known issues

A list of key known issues in this version of Splunk Enterprise Security.

| Date filed | Issue number | Description |
|---|---|---|
| 2025-10-15 | SOLNESS-52759 | Non-admin ES users cannot update Automation Rules. Workaround: Give `admin_all_objects` permission to users, including admins, who must use automation rules. |
| 2025-07-14 | SOLNESS-51824 | URLs linked to ES documentation need to be updated |


| Date filed | Issue number | Description |
|---|---|---|
| 2025-11-25 | BLUERIDGE-20237 | SOAR update finding or investigation not respecting Note enforcement setting |
| 2025-11-12 | BLUERIDGE-20190 | `get phase id` in Enterprise Security on custom Response plan with similar names errors with 400 |
| 2025-11-07 | BLUERIDGE-20157 | SHC stacks cache older UI immediately after upgrade, which leads to 'Something went wrong' error. Workarounds: There are two possible workarounds. (Preferred) A user with admin permissions navigates to the `[stack]/en-US/_bump` URL in their browser on the impacted search heads and clicks the "Bump" button. This resets the Splunk web cache and starts using the latest UI code on the search head. It happens almost instantly and does not require a restart. Alternatively, restart Splunk to reset the web cache. |
| 2025-11-06 | BLUERIDGE-20123 | After enabling zones, Entity name gets changed on the analyst queue, causing entity risk scoring to not work |
| 2025-11-03 | BLUERIDGE-20030 | Not able to re-pair SOAR on on-premises S3 consistently. Workaround: Wait two minutes before attempting to unpair the SOAR cluster to ensure all feature flag values have been synced across the SOAR nodes. |

| Date filed | Issue number | Description |
|---|---|---|
| 2025-08-06 | SPL-282727 | Cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. Workaround: Install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line. |

| Date filed | Issue number | Description |
|---|---|---|
| 2025-07-27 | UEBA-3326 | Several events are flagged as anomalous by the "AD Rare Device Access Unusual Device Access" detection for domain controllers |
| 2025-10-02 | UEBA-3177 | Contributing Events search for the "Unusual Volume Outgoing Connections Per User" detection might show unrelated events |
| 2025-09-22 | UEBA-3090 | Baseline visualization might not be populated due to lengthy internal searches |
| 2025-11-04 | UEBA-878 | Rare Device Access detections don't process events from all logon processes |