Release Notes for Splunk Enterprise Security
Version 4.5.0 of Splunk Enterprise Security follows version 4.2.0 of Splunk Enterprise Security.
What's New
Version 4.5.0 of Splunk Enterprise Security requires Splunk platform version 6.4.x or later. To use the updated asset and identity correlation functionality, you need Splunk platform version 6.4.4 or later.
- Use adaptive response actions to automate and accelerate your incident response and notable event triage. See Included adaptive response actions and Set up adaptive response actions in the User Manual.
- Create glass tables to display and monitor security metrics. See Create a glass table. For an example of creating a glass table with security metrics, see Monitor threat activity on a glass table.
- Send correlation search results to Splunk UBA to be processed as anomalies. See Send correlation search results to Splunk UBA to be processed as anomalies in the User Manual.
- Enable asset and identity correlation selectively by sourcetype. See Configure asset and identity correlation in Splunk Enterprise Security.
- Asset and identity processing and merging now happens with saved searches in addition to the modular input. See How Splunk Enterprise Security processes and merges asset and identity data.
- Get help creating correlation searches with the correlation search tutorial. See Create a correlation search in Splunk Enterprise Security Tutorials.
- Learn more about developing content for Splunk Enterprise Security and the frameworks that make up Splunk Enterprise Security. See Build Integrations for Splunk Enterprise Security.
- Splunk Enterprise Security leverages the `schedule_window` setting for saved searches that run once an hour or less frequently, resulting in better search performance and fewer skipped searches.
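As an added illustration of what the `schedule_window` setting does (this stanza is not from the release notes or from the Splunk ES app; the stanza name and search string are constructed placeholders), here is a savedsearches.conf entry for an hourly scheduled search, showing the default setting that can lead to skipped searches beside the windowed setting:

```ini
# Constructed example, not part of the original release notes.
# A custom scheduled search in a local savedsearches.conf.
# Stanza name and search string are placeholders.
[Example - Hourly Failed Logins - Rule]
enableSched = 1

# Run once an hour, at the top of the hour.
cron_schedule = 0 * * * *

# Placeholder search over the Authentication data model.
search = | tstats count from datamodel=Authentication where Authentication.action="failure" by Authentication.src

# Weak setting (the default): a window of 0 means the search must start at
# its exact cron time. When the scheduler is busy, the run is skipped.
# schedule_window = 0

# Windowed setting: the scheduler may start the search at any point within
# the window after its scheduled time instead of skipping it. "auto" sizes
# the window from the search's observed run time; a number of minutes
# (smaller than the interval between runs) sets it explicitly.
schedule_window = auto
```

Settings changed in savedsearches.conf take effect after a debug refresh or a restart; a schedule window that is as long as or longer than the interval between runs is not valid.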
New features in the cloud-only release of Splunk Enterprise Security 4.2.0 that you might have missed.
- Create search-driven lookups. See Search-driven lookups in the User Manual.
- Audit adaptive response actions on the Adaptive Response Action Center. See Adaptive Response Action Center in the User Manual.
- Add, create, or modify threat intelligence sources and asset and identity sources in a search head cluster without using the deployer.
Add-on deprecation
In a future release, Splunk Enterprise Security will no longer include all of the add-ons listed in Add-ons provided with Enterprise Security. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
Add-ons
- The Common Information Model Add-on is updated to version 4.6.0.
- TA-fireeye is deprecated. You can replace it with the FireEye Add-on for Splunk Enterprise. The old TA-fireeye remains in Splunk Enterprise Security. Uninstall it and replace it with the FireEye Add-on for Splunk Enterprise to avoid the risk of incorrectly mapped data.
- TA-ncircle is deprecated. You can replace it with the Tripwire IP360 Add-on for Splunk.
Deprecated features
- The `map_notable_fields` macro is deprecated and changed to `noop`. The `notable.py` script performs the field transformations for you. Remove `map_notable_fields` from custom correlation searches.
- The alert action Include in RSS feed has been removed from Enterprise Security. Correlation searches currently configured to include alerts in RSS feeds will stop sending alerts in RSS feeds.
- The `globedistance.py` search command is deprecated and will no longer produce search results. Instead, use the `globedistance` macro.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.5.0