Splunk® Enterprise Security

Release Notes



This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 6.2.0 includes the following enhancements.

New Feature or Enhancement: Description
Many bundled technology add-ons (TAs) are removed from the ES installer, and some are deprecated. Splunk Add-on for UBA is still included. Though the installer no longer includes many technology add-ons in the Splunk Enterprise Security package, any technology add-ons already in your environment are not removed. See Deploy add-ons to Splunk Enterprise Security for further information about deploying add-ons. See Add-on deprecation or removal for further information about the specific add-ons that are deprecated.
Behavior change for capability check during install/setup. The install_apps capability check is now at the beginning of the installation process. If the setting is incorrect, you will be informed ahead of time. See Splunk Enterprise platform considerations in the Installation and Upgrade Manual.
Behavior change when upgrading from the command line in a search head cluster. You no longer need to run additional steps before every upgrade from the command line in a search head cluster environment to preserve CSV lookups in the domain add-ons (DAs) and supporting add-ons (SAs) that are bundled in Splunk Enterprise Security. The default for the deployer's -preserve-lookups option is now true to retain lookup file content generated on the search head cluster members. The [shclustering] stanza is now included in the app.conf file of each bundled DA and SA. The deployer_lookups_push_mode is set to always_preserve by default. See shclustering in the Splunk Enterprise Admin Manual and Upgrade Splunk Enterprise Security in a search head cluster environment.
Behavior change in enforcements used by the identity manager framework. After upgrading to Enterprise Security 6.2.0, you need to enable the Enforce props toggle in the Global Settings of Asset and Identity Management if you want the identity manager to enforce settings on your behalf. This setting periodically checks your defined automatic lookup settings in props.conf, ensuring that they are consistent with the rest of your asset and identity settings, and it removes legacy settings. On a fresh installation, Enterprise Security 6.2.0 has Enforce props set to enabled by default and the setting is enforced continuously. However, prior versions only enforce once and then switch the setting to false right away. If you're already using a previous version of ES with assets and identities, the /local/inputs.conf file already has enforce_props=false and it needs to be set back to true after you upgrade, if you want to ensure that settings are enforced for you. The majority of users who configure settings through the Splunk Web UI will benefit from enabling the setting. See Revise the enforcements used by the identity manager framework.
New limits for unique number of foreign keys per asset and identity. The identity manager has a configurable parameter that limits the number of multi-value keys allowed in a single row for assets and identities. See Revise multivalue field limits for assets and Revise multivalue field limits for identities in Administer Splunk Enterprise Security.
New configurable null values per asset and identity. The identity manager has new global settings for configuring which values to treat as null, so that the framework does not merge on null fields. See Global Settings in Administer Splunk Enterprise Security.
New ability to disable merge per asset and identity. The identity manager has new global settings for disabling the merge process, so that the framework does not merge duplicate fields. See Global Settings in Administer Splunk Enterprise Security.
The "enable selectively by sourcetype" enforcement is reverted for cloud deployments. For Splunk Cloud deployments of Enterprise Security prior to ES 6.2.0, the "enable for all sourcetypes" option is not available. See Enable correlation setup to compare indexed events with asset and identity data in Administer Splunk Enterprise Security.
New configurable indexes for some adaptive response actions. Indexes are now configurable for the adaptive response actions of ping, nbtstat, and nslookup. See Ping a host, Run nbtstat, and Run nslookup in Administer Splunk Enterprise Security.
New access in the manage_all_investigations capability. You can now add incidents to investigations where you are not a collaborator or owner. See Add a Splunk event to an investigation in Use Splunk Enterprise Security.
New Authentication tab in the investigation workbench. Import cloud-authentication-related notable events into an investigation and get context about what you are investigating. See Add new tabs and profiles to the workbench in Use Splunk Enterprise Security.
New embedded workbench. Create a custom prebuilt embedded workbench panel as workflow field action to get more context about specific values in Incident Review. See Create a workbench panel workflow action in Splunk Enterprise Security in Administer Splunk Enterprise Security. Use a default embedded workbench to take action on a notable event. See Using the embedded workbench in Use Splunk Enterprise Security.
MLTK upgrade to 5.1.0. MLTK app version 5.1.0 is now included in the ES installer. The previously generated models from MLTK 5.0 are compatible as-is. The previously generated models from MLTK 4.x are not compatible and have to be regenerated. See Machine Learning Toolkit Overview in Splunk Enterprise Security for general information about models in MLTK 5.1.0.
Behavior change for correlation searches. When correlation searches produce a notable event, severity is now validated as one of "critical," "high," "medium," "low," or "informational." If it is not one of the aforementioned values, the severity is set to "unknown." See Create a notable event in the Administer Splunk Enterprise Security manual.
Behavior change for creating an identity lookup configuration. An identity lookup can use email conventions to uniquely identify identities in your data. When the email convention check box is checked, the email address is used as an additional primary key for identity. The Email and Email Short conventions are now disabled by default. See Add an identity input stanza for the lookup source in the Administer Splunk Enterprise Security manual.
Behavior change for threat intelligence file retention. The default behavior is now set to sinkhole=True for all Intelligence Downloads and shipped Threat Intelligence pickup directories. See Download a threat intelligence feed from the Internet in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
Behavior change with Splunk Enterprise max_memtable_bytes setting. With the release of Splunk version 8.0.2004, KV Store backed lookups respect the max_memtable_bytes setting. See Revise asset and identity lookups memory usage behavior in the Administer Splunk Enterprise Security manual.
Telemetry update. Telemetry includes usage information on data.context. It reports how many times a given workbench panel was used, and the distribution of fields drilled into from workflow actions. See Share data in Splunk Enterprise Security in the Installation and Upgrade Manual.
UI refresh and doc update for general settings. Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page. See General settings.
Doc update for end of support. The release notes are updated with a schedule so that you can verify the end of support date for your Enterprise Security version. See End of support schedule.
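
A post-upgrade check for the search head cluster and Enforce props entries above, added here as an example and not Splunk's own tooling: it layers each app's default/ and local/ .conf files and reports bundled DAs or SAs whose [shclustering] stanza lacks deployer_lookups_push_mode = always_preserve, plus any inputs.conf stanza still carrying enforce_props = false. The DA-ESS-/SA- prefix match, the sample app names, and the sample stanza name are assumptions.

```python
from pathlib import Path

def parse_conf(text):
    """Minimal Splunk .conf reader: [stanza] headers, key = value, '#' comments."""
    stanzas, current = {}, "default"
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas

def effective(app_dir, conf_name):
    """Layer default/ then local/ inside one app, so local values win."""
    merged = {}
    for layer in ("default", "local"):
        path = Path(app_dir, layer, conf_name)
        if path.is_file():
            for stanza, kv in parse_conf(path.read_text(encoding="utf-8")).items():
                merged.setdefault(stanza, {}).update(kv)
    return merged

def audit(apps_root):
    """Return (app, file, detail) tuples for the two settings named in the notes."""
    findings = []
    for app_dir in sorted(p for p in Path(apps_root).iterdir() if p.is_dir()):
        app = app_dir.name
        # Assumption: bundled DAs and SAs are recognised by directory-name prefix.
        if app.startswith(("DA-ESS-", "SA-")):
            shc = effective(app_dir, "app.conf").get("shclustering", {})
            mode = shc.get("deployer_lookups_push_mode", "<unset>")
            if mode != "always_preserve":
                findings.append((app, "app.conf", "deployer_lookups_push_mode=" + mode))
        for stanza, kv in effective(app_dir, "inputs.conf").items():
            if kv.get("enforce_props", "").lower() in ("false", "0"):
                findings.append((app, "inputs.conf", "[%s] enforce_props=false" % stanza))
    return findings

SAMPLE = {  # constructed tree; the app and stanza names are hypothetical
    "SA-ExampleOne/default/app.conf": "[shclustering]\ndeployer_lookups_push_mode = always_preserve\n",
    "SA-ExampleOne/local/inputs.conf": "[example_identity_stanza]\nenforce_props = false\n",
    "DA-ESS-ExampleTwo/default/app.conf": "[install]\nstate = enabled\n",
}

def write_sample(root):
    for rel, body in SAMPLE.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(body, encoding="utf-8")
```

Call write_sample() on an empty directory for a dry run, then point audit() at a real apps directory. Precedence across apps is not modelled, only default/ versus local/ within each app.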

Deprecated or removed features

Enterprise Security 6.2.0 no longer includes many bundled Technology Add-ons in the ES installer. See Add-ons.

Enterprise Security 6.1.x is the last major release to bundle many of the Technology Add-ons in the ES installer. See Add-ons.

Enterprise Security 6.0.x is the last major release that is compatible with Python 2 and with Machine Learning Toolkit 4.0. The 6.1.x release of ES is compatible with Python 3 only. The 6.1.x release is compatible with versions of Splunk Enterprise that ship with the Python 3 interpreter only, and MLTK 5.0 and above only.

The end-of-life'd technology add-on called Splunk Add-on for Tenable, or Splunk_TA_nessus, is removed from the ES installer.

The following threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml.

In a future release, Enterprise Security will no longer ship with the setting that enables SSL for Splunk Web. This is a system setting that should not be enabled and disabled by the ES app. When this setting is removed, in-product adjustments will make the transition as seamless as possible.

With the Extreme Search app (Splunk_SA_ExtremeSearch) removed from the Splunk Enterprise Security package, there are replacements and deprecations for some of the XS components that ship with Enterprise Security. The following Extreme Search macros are deprecated and will be removed in the future: [xs_default_direction_concepts], [xs_default_magnitude_concepts], [xs_default_change_concepts]

The luhn_lookup custom lookup script for detecting personally identifiable credit card information is deprecated in favor of the luhn_lite_lookup, and will be removed in a future release. No features are being removed or modified, only the legacy implementation of this algorithm.

The getcron search command is removed. Instead, use | join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] rather than | getcron inputField=my_saved_search_name outputField=cron.

The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.

The deprecated automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is now removed. See Deploy add-ons to indexers.

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.

Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.

End of support schedule

Use the following to verify the end of support date for your Enterprise Security version.

Splunk Support Policy

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation or removal

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.16.0.

Last modified on 27 August, 2020

This documentation applies to the following versions of Splunk® Enterprise Security: 6.2.0

