New features for Splunk Enterprise Security
What's new
Splunk Enterprise Security version 4.7.x includes the following enhancements.
Analyst workflow improvements
- Determine which notable events are associated with investigations by filtering on Incident Review by specific investigations. See Triage notable events on Incident Review in Splunk Enterprise Security in Use Splunk Enterprise Security.
- Generate a short ID for notable events in Incident Review, allowing you to communicate with people on your team about a specific event more easily. See Take action on a notable event on Incident Review in Splunk Enterprise Security in Use Splunk Enterprise Security and Investigate a notable event on Incident Review in Splunk Enterprise Security in Use Splunk Enterprise Security.
- Change the title of all entries on an investigation, view adaptive response actions, and see the last modified time of an investigation from the Investigations dashboard. See Make changes to an investigation in Splunk Enterprise Security and Add details to an investigation in Splunk Enterprise Security in Use Splunk Enterprise Security.
- Add threat intelligence using an ad hoc adaptive response action on Incident Review. See Included adaptive response actions with Splunk Enterprise Security in Use Splunk Enterprise Security.
- View user and device associations from Splunk UBA on the Session Center dashboard. See Session Center dashboard in Use Splunk Enterprise Security.
Admin and auditing improvements
- Ingest different versions of the STIX and TAXII libraries, such as those used by US-CERT Automatic Indicator Sharing (AIS) TAXII feeds, send a user agent along with a threat intelligence download request, and process threat lists larger than 2GB in size. See Download a threat intelligence feed from the Internet in Splunk Enterprise Security in Administer Splunk Enterprise Security.
- Add threat intelligence using an adaptive response action. See Configure adaptive response actions for a correlation search in Splunk Enterprise Security in Administer Splunk Enterprise Security.
- Integrate with Splunk UBA to identify user and device associations from session data, allowing you to better identify the actors involved in a security incident. See Integrate Splunk Enterprise Security and Splunk UBA with this add-on in Splunk Add-on for Splunk UBA.
- See which views and collections in the navigation editor are new, updated, or deprecated. Easily restore the default menu configuration, and customizations that you previously made to the navigation are maintained on upgrade. See Customize the menu bar in Splunk Enterprise Security in Administer Splunk Enterprise Security.
- Configure additional scheduling settings and define trigger conditions for correlation searches. See Configure correlation searches in Splunk Enterprise Security in Administer Splunk Enterprise Security.
- For versions 4.7.3 and 4.7.4, you can set up the Send Email adaptive response action to run from Incident Review by modifying the `[sendemail]` stanza in `system/local/alert_actions.conf` to match the following example.

```ini
[sendemail]
param._cam = {"supports_adhoc": true}
command = $action.email.preprocess_results{default="noop"}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$" from="$action.email.from$" to="$action.email.to{default=""}$" cc="$action.email.cc{default=""}$" priority="$action.email.priority$" subject="$action.email.subject$" message="$action.email.message.alert$" inline="$action.email.inline$" format="$action.email.format$" sendresults="$action.email.sendresults$" sendcsv="$action.email.sendcsv$" sendpdf="$action.email.sendpdf$" content_type="$action.email.content_type$"
```
Performance enhancements
- Asset and identity lookup source files are now excluded from bundle replication to improve indexer cluster performance. See Include or exclude asset or identity lookups from bundle replication in Administer Splunk Enterprise Security.
- Improved load times for the Vulnerability Operations, Vulnerability Center, and Asset Center dashboards.
- Correlation searches included with Splunk Enterprise Security now use search schedule windows.
- Improved performance of the `notable` macro.
Documentation improvements
- Access reorganized documentation that improves usability for both analysts and admins. Admin-focused content now appears in its own manual, Administer Splunk Enterprise Security, that collects administrative procedures and reference material in topics that are easier to find. Analyst-focused content in Use Splunk Enterprise Security is also reorganized to make analyst workflows easier to find and use.
Enhancements for app developers
- Include additional information about views in your app to show Splunk admins which views are new, and create a collection of views to more easily add views to the menu navigation from your app. See Planning your integration for ES in the developer portal.
- Create and use adaptive response actions with default values, drop-down menus, and other dynamic functionality. See Custom HTML component reference in the Developer Guide on the Developer Portal.
Updates to included add-ons
- The Common Information Model Add-on is updated to version 4.8.0. Versions 4.7.3 and 4.7.4 of Enterprise Security include version 4.9.1 of this add-on.
- The Splunk Add-on for Splunk UBA is updated to version 1.1.0. Version 4.7.2 of Enterprise Security includes version 1.2.0 of this add-on. Versions 4.7.3 and 4.7.4 of Enterprise Security include version 1.3.0 of this add-on.
- The Splunk Add-on for RSA SecurID is updated to version 1.0.2.
- In versions 4.7.3 and 4.7.4, SA-ExtremeSearch is updated to version 2.4.2.
Localization updates
Version 4.7.5 of Enterprise Security includes localization in the following languages:
- Korean
- Chinese
- Japanese
- French
Changes in the cloud-only version 4.6.0 of Splunk Enterprise Security that you might have missed
- Upload STIX, OpenIOC, and CSV-formatted threat intelligence files to Enterprise Security. See Add threat intelligence to Splunk Enterprise Security.
- Programmatically upload, create, read, update, or delete threat intelligence using the threat intelligence REST APIs. See Threat Intelligence API reference in REST API Reference.
- Better manage investigations into potential security incidents with more granular role-based access control for investigations and a new capability to view all investigations in your environment. See Investigations in Splunk Enterprise Security in Use Splunk Enterprise Security and Manage investigations in Splunk Enterprise Security in Administer Splunk Enterprise Security.
- More easily make changes to the organization of the Enterprise Security menu bar. See Customize the menu bar in Splunk Enterprise Security.
- Experience improved load time and performance of the Identity Center, Session Center, Vulnerability Operations, and Access Anomalies dashboards.
Deprecated features
- Starting with version 4.6.0, the `correlationsearches.conf` file is no longer used to define correlation searches. Upgrade activity is required in some circumstances. See Upgrade correlation searches in Splunk Enterprise Security.
- The pushdown predicates setting is deprecated and removed from the General Settings page because the Splunk platform provides similar search optimization functionality.
- The `notable` macro is no longer used on the Incident Review dashboard to retrieve notable events. Instead, the dashboard uses the saved search "Incident Review - Main". If you made customizations to the macro to control custom fields on the Incident Review dashboard, make those customizations to the saved search instead.
Add-on deprecation
The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
Also in a future release, Splunk Enterprise Security will no longer selectively import apps and add-ons based on the name of the app or add-on. After this change, knowledge objects in apps and add-ons installed on the same search head as Splunk Enterprise Security and exported to other apps or globally will be visible in Splunk Enterprise Security.
This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5