Release Notes for Splunk Enterprise Security
Version 4.6.0 is a cloud-only release of Splunk Enterprise Security.
What's New
Version 4.6.0 of Splunk Enterprise Security requires Splunk platform version 6.5.x.
- Upload STIX, OpenIOC, and CSV-formatted threat intelligence files to Enterprise Security. See Configure threat intelligence sources.
- Programmatically upload, create, read, update, or delete threat intelligence using the threat intelligence REST APIs. See Threat Intelligence API reference in Splunk Enterprise Security REST API Reference.
- Better manage investigations into potential security incidents with more granular role-based access control for investigations and a new capability to view all investigations in your environment. See Create and track investigations in Splunk Enterprise Security and Manage security investigations in Splunk Enterprise Security.
- More easily make changes to the organization of the Enterprise Security menu bar. See Customize the menu bar in Splunk Enterprise Security.
- The load time and performance of the Identity Center, Session Center, Vulnerability Operations, and Access Anomalies dashboards were improved.
Updates in version 4.5.0 that you might have missed:
- Use adaptive response actions to automate and accelerate your incident response and notable event triage. See Included adaptive response actions and Set up adaptive response actions in the User Manual.
- Create glass tables to display and monitor security metrics. See Create a glass table. For an example of creating a glass table with security metrics, see Monitor threat activity on a glass table.
- Send correlation search results to Splunk UBA to be processed as anomalies. See Send correlation search results to Splunk UBA to be processed as anomalies in the User Manual.
- Enable asset and identity correlation selectively by sourcetype. See Configure asset and identity correlation in Splunk Enterprise Security.
- Asset and identity processing and merging now happens with saved searches in addition to the modular input. See How Splunk Enterprise Security processes and merges asset and identity data.
- Get help creating correlation searches with the correlation search tutorial. See Create a correlation search in Splunk Enterprise Security Tutorials.
- Learn more about developing content for Splunk Enterprise Security and the frameworks that make up Splunk Enterprise Security. See Build Integrations for Splunk Enterprise Security.
- Splunk Enterprise Security leverages the schedule_window setting for saved searches that run once an hour or less frequently, resulting in better search performance and fewer skipped searches.
Deprecated features
Starting with this release, the correlationsearches.conf file is no longer used to define correlation searches. Upgrade activity is required in some circumstances. See Correlation searches migration to savedsearches.conf.
Add-on deprecation
In a future release, Splunk Enterprise Security will no longer include all of the add-ons listed in Add-ons provided with Enterprise Security. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
Add-ons
- The Common Information Model Add-on is updated to version 4.7.0.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.6.0 Cloud only