Splunk Enterprise Security

Why are we unable to assign notable events when upgrading from ES 4.7.2 to 5.2.2?

vinkumar_splunk
Splunk Employee

We have upgraded our ES app from 4.7.2 to 5.2.2 and we are facing an issue while assigning the alert. The issue was resolved by restarting the instance, but it seems that was not a permanent fix. We received the below error while assigning the notable event.

"transition from new to assign is not allowed"

Any advice?

1 Solution

mbadhusha_splun
Splunk Employee

I found a similar bug regarding this. Below are the details:

Bug ID: SOLNESS-17285

It appears the ES app is not handling multi-level inheritance for roles well for status transitions (meaning if we have roles A->B->C), transitions for out-of-the-box statuses are only implicitly enabled for B; for C, status transitions are not enabled. The problem is with the transitioners REST handler.

If we have the following role hierarchy test1->test2 (and test1 inherits ess_analyst, ess_user, and user), we only show test1 in the imported roles for test2 (and not the full expanded list: test1, ess_analyst, ess_user, user).

Looks like this is not an issue with the upgrade but rather an issue with the ES version, which cannot handle multi-level inheritance as expected.

The bug will be fixed in the next release, 5.3, which is targeted to be released in the March 2019 timeframe.

From the configurations, it looks like the affected user is importing other roles (ess_analyst; user) listed in reviewstatuses.conf. It appears that the role inheritance works one time but not the next.

The workaround for this is to assign the affected user all roles (default role / ess_analyst / user) rather than just the one role that inherits the other two.

Hope this helps. Cheers!

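As an added illustration (not code from this thread, from Splunk, or from the ES app), the script below models the behaviour the answer describes: it parses an authorize.conf-style role hierarchy, contrasts a one-level expansion of `importRoles` (the reported bug) with a full transitive expansion (the expected behaviour), and reports which roles would lose a status transition because they only inherit the granting role indirectly. The sample authorize.conf text and the transition-to-role table are constructed for the example; the transition names are illustrative placeholders, not ES capability names. `with_workaround` reproduces the suggested fix of assigning the inherited roles directly.

```python
"""Check which Splunk roles rely on multi-level importRoles inheritance.

Added example, not from the forum thread or from Splunk Enterprise Security.
The configuration text and transition table are constructed sample data.
"""
import configparser
from typing import Callable, Dict, Set

# Constructed authorize.conf-style sample. importRoles is the real key name;
# the role names mirror the hierarchy described in the answer (test1->test2).
SAMPLE_AUTHORIZE_CONF = """
[role_user]

[role_ess_user]
importRoles = user

[role_ess_analyst]
importRoles = ess_user;user

[role_test1]
importRoles = ess_analyst;ess_user;user

[role_test2]
importRoles = test1
"""

# Constructed placeholder table: which roles directly hold a transition.
# Real ES transitions are capabilities with different names; this is illustrative.
TRANSITION_GRANTS: Dict[str, Set[str]] = {
    "new->in_progress": {"ess_analyst"},
    "in_progress->resolved": {"ess_analyst"},
}

RoleGraph = Dict[str, Set[str]]


def parse_import_roles(conf_text: str) -> RoleGraph:
    """Return {role: set of directly imported roles} from authorize.conf text."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    graph: RoleGraph = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue
        role = section[len("role_"):]
        raw = parser.get(section, "importRoles", fallback="") or ""
        graph[role] = {r.strip() for r in raw.split(";") if r.strip()}
    return graph


def one_level_roles(graph: RoleGraph, role: str) -> Set[str]:
    """Role plus its direct imports only: the behaviour the bug report describes."""
    return {role} | graph.get(role, set())


def effective_roles(graph: RoleGraph, role: str) -> Set[str]:
    """Transitive closure over importRoles: the behaviour an admin expects."""
    seen: Set[str] = set()
    stack = [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, set()))
    return seen


def transition_allowed(graph: RoleGraph, role: str, transition: str,
                       expand: Callable[[RoleGraph, str], Set[str]] = effective_roles) -> bool:
    """True if any role in the expansion of `role` holds the transition."""
    return bool(expand(graph, role) & TRANSITION_GRANTS.get(transition, set()))


def roles_relying_on_deep_inheritance(graph: RoleGraph, transition: str) -> list:
    """Roles allowed by full expansion but denied by one-level expansion."""
    return sorted(
        r for r in graph
        if transition_allowed(graph, r, transition, effective_roles)
        and not transition_allowed(graph, r, transition, one_level_roles)
    )


def with_workaround(graph: RoleGraph, role: str) -> RoleGraph:
    """Apply the answer's workaround: import every inherited role directly."""
    fixed = {r: set(imports) for r, imports in graph.items()}
    fixed[role] = effective_roles(graph, role) - {role}
    return fixed


if __name__ == "__main__":
    roles = parse_import_roles(SAMPLE_AUTHORIZE_CONF)
    for transition in TRANSITION_GRANTS:
        affected = roles_relying_on_deep_inheritance(roles, transition)
        print(f"{transition}: roles depending on multi-level inheritance: {affected}")
    patched = with_workaround(roles, "test2")
    print("test2 direct imports after workaround:", sorted(patched["test2"]))
```

Run against a real authorize.conf (for example the output of `splunk btool authorize list` saved to a file) by passing that text to `parse_import_roles`; any role the report lists is one where an analyst may see the "transition ... is not allowed" error until the roles are imported directly or the fixed ES release is installed.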
