Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

New features for Splunk Enterprise Security

Splunk Add-on for Microsoft Windows

Splunk Enterprise Security version 4.7.6 requires version 4.8.4 of the Splunk Add-on for Microsoft Windows. If you are upgrading to Splunk Enterprise Security version 4.7.6 from version 4.7.5, the upgrade does not automatically resolve this for you. You may need to:

  1. Manually uninstall Splunk Add-on for Microsoft Windows version 4.9.0 that was included with Splunk Enterprise Security 4.7.5.
  2. Manually install Splunk Add-on for Microsoft Windows version 4.8.4.
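Before and after performing the two steps above, it is worth confirming which version of the add-on is actually installed rather than trusting the ES version you upgraded from. The script below is an added example, not part of the Splunk documentation or the ES installer. It assumes the add-on is installed as $SPLUNK_HOME/etc/apps/Splunk_TA_windows and records its version in app.conf under the [launcher] stanza (with local/ overriding default/), which is the standard Splunk app layout; the fixture directory it builds when SPLUNK_HOME is unset is constructed for illustration.

```python
"""Report whether the Splunk Add-on for Microsoft Windows still needs to be
replaced with the version that Splunk Enterprise Security 4.7.6 requires.

Added example, not Splunk's own tooling. Assumes the add-on lives in
$SPLUNK_HOME/etc/apps/Splunk_TA_windows and that app.conf carries the
version under [launcher] (local/ overrides default/)."""
import configparser
import os
import tempfile

REQUIRED_VERSION = "4.8.4"        # version required by ES 4.7.6 (from the release note)
ADDON_DIR = "Splunk_TA_windows"   # on-disk app directory name (assumption)


def _read_version(app_conf_path):
    """Return the version string from one app.conf, or None if it has none."""
    if not os.path.isfile(app_conf_path):
        return None
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read(app_conf_path)
    for stanza in ("launcher", "id"):   # [id] is checked as a fallback
        if parser.has_option(stanza, "version"):
            return parser.get(stanza, "version").strip()
    return None


def installed_version(splunk_home):
    """Installed add-on version; local/app.conf takes precedence over default/."""
    app_root = os.path.join(splunk_home, "etc", "apps", ADDON_DIR)
    if not os.path.isdir(app_root):
        return None
    for layer in ("local", "default"):
        version = _read_version(os.path.join(app_root, layer, "app.conf"))
        if version:
            return version
    return None


def version_tuple(version):
    """'4.9.0' -> (4, 9, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def plan(splunk_home):
    """Return the manual steps still required, in order, as a list of strings."""
    current = installed_version(splunk_home)
    if current is None:
        return ["install Splunk Add-on for Microsoft Windows %s" % REQUIRED_VERSION]
    if version_tuple(current) == version_tuple(REQUIRED_VERSION):
        return []
    # Any other version, including the newer 4.9.0 shipped with ES 4.7.5,
    # must be removed first: Splunk will not downgrade an app in place.
    return [
        "uninstall Splunk Add-on for Microsoft Windows %s" % current,
        "install Splunk Add-on for Microsoft Windows %s" % REQUIRED_VERSION,
    ]


def make_fake_splunk_home(version):
    """Constructed fixture: a throwaway SPLUNK_HOME holding the add-on at `version`."""
    home = tempfile.mkdtemp()
    conf_dir = os.path.join(home, "etc", "apps", ADDON_DIR, "default")
    os.makedirs(conf_dir)
    with open(os.path.join(conf_dir, "app.conf"), "w") as fh:
        fh.write("[launcher]\nversion = %s\n" % version)
    return home


if __name__ == "__main__":
    home = os.environ.get("SPLUNK_HOME") or make_fake_splunk_home("4.9.0")
    for step in plan(home) or ["nothing to do"]:
        print(step)
```

Run it on the search head with SPLUNK_HOME set; an empty plan means the required version is already in place. The version is read from app.conf rather than inferred from the ES version, because a partially completed upgrade can leave either add-on version on disk.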

What's new

Splunk Enterprise Security version 4.7.x includes the following enhancements.

Analyst workflow improvements

Admin and auditing improvements

The following fragment is from the email alert action's alert_actions.conf stanza. The `param._cam` setting registers the action with the Common Action Model so that it is available as an adaptive response action, and `"supports_adhoc": true` lets analysts run it ad hoc from Incident Review; the `command` line is the standard sendemail invocation that the action runs.

  param._cam = {"supports_adhoc": true}
  command    = $action.email.preprocess_results{default="noop"}$ | sendemail "results_link=$results.url$" "ssname=$name$" "graceful=$graceful{default=True}$" "trigger_time=$trigger_time$" maxinputs="$action.email.maxresults{default=10000}$" maxtime="$action.email.maxtime{default=5m}$" results_file="$results.file$" from="$action.email.from$" to="$action.email.to{default=""}$" cc="$action.email.cc{default=""}$" priority="$action.email.priority$" subject="$action.email.subject$" message="$action.email.message.alert$" inline="$action.email.inline$" format="$action.email.format$" sendresults="$action.email.sendresults$" sendcsv="$action.email.sendcsv$" sendpdf="$action.email.sendpdf$" content_type="$action.email.content_type$"

Performance enhancements

  • Asset and identity lookup source files are now excluded from bundle replication to improve indexer cluster performance. See Include or exclude asset or identity lookups from bundle replication in Administer Splunk Enterprise Security.
  • Improved load times for the Vulnerability Operations, Vulnerability Center, and Asset Center dashboards.
  • Correlation searches included with Splunk Enterprise Security now use search schedule windows.
  • Improved performance of the `notable` macro.

Documentation improvements

  • Access reorganized documentation that improves usability for both analysts and admins. Admin-focused content now appears in its own manual, Administer Splunk Enterprise Security, that collects administrative procedures and reference material in topics that are easier to find. Analyst-focused content in Use Splunk Enterprise Security is also reorganized to make analyst workflows easier to find and use.

Enhancements for app developers

  • Include additional information about views in your app to show Splunk admins which views are new, and create a collection of views to more easily add views to the menu navigation from your app. See Planning your integration for ES in the developer portal.
  • Create and use adaptive response actions with default values, drop-down menus, and other dynamic functionality. See Custom HTML component reference in the Developer Guide on the Developer Portal.

Updates to included add-ons

  • The Common Information Model Add-on is updated to version 4.8.0. Versions 4.7.3 and 4.7.4 of Enterprise Security include version 4.9.1 of this add-on.
  • The Splunk Add-on for Splunk UBA is updated to version 1.1.0. Version 4.7.2 of Enterprise Security includes version 1.2.0 of this add-on. Versions 4.7.3 and 4.7.4 of Enterprise Security include version 1.3.0 of this add-on.
  • The Splunk Add-on for RSA SecurID is updated to version 1.0.2.
  • In versions 4.7.3 and 4.7.4, SA-ExtremeSearch is updated to version 2.4.2.

Localization updates

Version 4.7.5 of Enterprise Security includes localization in the following languages:

  • Korean
  • Chinese
  • Japanese
  • French

Changes in the cloud-only version 4.6.0 of Splunk Enterprise Security that you might have missed

Deprecated features

  • Starting with version 4.6.0, the correlationsearches.conf file is no longer used to define correlation searches. Upgrade activity is required in some circumstances. See Upgrade correlation searches in Splunk Enterprise Security.
  • The pushdown predicates setting is deprecated and removed from the General Settings page because the Splunk platform provides similar search optimization functionality.
  • The `notable` macro is no longer used on the Incident Review dashboard to retrieve notable events. Instead, the dashboard uses the saved search "Incident Review - Main". If you made customizations to the macro to control custom fields on the Incident Review dashboard, make those customizations to the saved search instead.
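Because correlationsearches.conf is no longer read, any custom correlation search that was defined there has to be re-expressed as settings on the saved search itself. The converter below is an added example, not Splunk's upgrade tooling. Its key mapping (the legacy correlationsearches.conf keys to the action.correlationsearch.* and action.notable.param.* settings in savedsearches.conf) is this example's own assumption about the ES 4.6+ layout; check it against the savedsearches.conf.spec shipped with your ES version before applying it to real content. The legacy stanza it parses is constructed for illustration.

```python
"""Translate legacy correlationsearches.conf stanzas into the savedsearches.conf
keys that Splunk Enterprise Security 4.6 and later read.

Added example, not Splunk's own upgrade code. KEY_MAP is an assumed mapping
to the ES adaptive response settings; verify it against your
savedsearches.conf.spec before use."""
import configparser
import io

# legacy correlationsearches.conf key -> savedsearches.conf key (assumed mapping)
KEY_MAP = {
    "rule_name": "action.correlationsearch.label",
    "description": "description",
    "security_domain": "action.notable.param.security_domain",
    "severity": "action.notable.param.severity",
    "rule_title": "action.notable.param.rule_title",
    "rule_description": "action.notable.param.rule_description",
    "drilldown_name": "action.notable.param.drilldown_name",
    "drilldown_search": "action.notable.param.drilldown_search",
    "default_status": "action.notable.param.default_status",
    "default_owner": "action.notable.param.default_owner",
}

# Constructed legacy stanza. The stanza name is the saved search it belongs to.
LEGACY_CONF = """
[Access - Excessive Failed Logins - Rule]
rule_name = Excessive Failed Logins
security_domain = access
severity = medium
rule_title = Excessive Failed Logins on $dest$
rule_description = $user$ failed to log in to $dest$ $count$ times
drilldown_name = View failed logins on $dest$
drilldown_search = | datamodel Authentication Failed_Authentication search | search dest="$dest$"
default_status = 1
"""


def _parse(text):
    """Parse .conf text; interpolation is off so $tokens$ survive untouched."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case sensitive; do not lowercase
    parser.read_string(text)
    return parser


def convert_stanza(legacy, name):
    """Return {savedsearches.conf key: value} for one legacy correlation search."""
    # These two flags are what make a saved search a correlation search that
    # creates notable events under the new model.
    out = {"action.correlationsearch.enabled": "1", "action.notable": "1"}
    unknown = []
    for key, value in legacy.items(name):
        if key in KEY_MAP:
            out[KEY_MAP[key]] = value
        else:
            unknown.append(key)
    if "action.correlationsearch.label" not in out:
        out["action.correlationsearch.label"] = name  # fall back to the stanza name
    if unknown:
        # Refuse to silently drop settings; the operator must map them by hand.
        raise ValueError("unmapped legacy keys in [%s]: %s" % (name, ", ".join(unknown)))
    return out


def convert(text):
    """Convert every stanza in the text; returns {stanza name: {key: value}}."""
    legacy = _parse(text)
    return {name: convert_stanza(legacy, name) for name in legacy.sections()}


def render(converted):
    """Render as savedsearches.conf text to merge into local/savedsearches.conf."""
    buf = io.StringIO()
    for name, keys in converted.items():
        buf.write("[%s]\n" % name)
        for key in sorted(keys):
            buf.write("%s = %s\n" % (key, keys[key]))
        buf.write("\n")
    return buf.getvalue()


if __name__ == "__main__":
    print(render(convert(LEGACY_CONF)))
```

The output is meant to be merged into the matching stanza of local/savedsearches.conf, where the search string and schedule already live; the converter deliberately raises on any legacy key it does not recognise so that a setting is never lost silently during the upgrade.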

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

Also in a future release, Splunk Enterprise Security will no longer selectively import apps and add-ons based on the name of the app or add-on. After this change, knowledge objects in apps and add-ons installed on the same search head as Splunk Enterprise Security and exported to other apps or globally will be visible in Splunk Enterprise Security.

Last modified on 14 March, 2023

This documentation applies to the following versions of Splunk® Enterprise Security: 4.7.6
