Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 5.0.1 includes the following enhancements.

Analyst workflow improvements

• Use the investigation workbench to analyze and investigate security incidents at your organization. See Investigate a potential security incident on the investigation workbench in Splunk Enterprise Security in Use Splunk Enterprise Security.
• Assign a status to investigations to keep track of your investigation progress. After upgrading to this version, all investigations will be assigned the "New" status. See Make changes to an investigation in Splunk Enterprise Security in Use Splunk Enterprise Security.

Admin and auditing improvements

• Add generic intelligence to Splunk Enterprise Security to correlate with events or create reports. See Add generic intelligence to Splunk Enterprise Security in Administer Splunk Enterprise Security.
• Use an alert action to create a message in Splunk Web. See Create a Splunk Web message in Splunk Enterprise Security in Administer Splunk Enterprise Security.
• Create lookups and panels from Content Management. In addition, more flexible filtering on Content Management allows you to filter by the file name or stanza name of a knowledge object, such as the lookup definition, rule name, or file name. See Create and manage lookups in Splunk Enterprise Security in Administer Splunk Enterprise Security.
• Create panels, tabs, and profiles for the investigation workbench. See Administer and customize the investigation workbench in Administer Splunk Enterprise Security.
• Add certificates used for third-party authentication to Splunk Enterprise Security on the Credential Management page. See Manage credentials in Splunk Enterprise Security in Administer Splunk Enterprise Security.

Threat intelligence improvements

• Simplified custom CSV parsing so that you can include multiple types of threat intelligence in one custom CSV file. See Upload a custom CSV file of threat intelligence in Splunk Enterprise Security in Administer Splunk Enterprise Security.
• Delete threat intelligence files on a per-source basis. See Configure threat intelligence file retention in Administer Splunk Enterprise Security.
• Support for parsing version 2.0 ISAMarkings in STIX files.

Performance enhancements

• Updated the search on the Threat Artifacts dashboard to return a maximum of 10000 results.
• Updated the correlation search and the search used by the Geographically Improbable Access panel on the Access Anomalies dashboard to rely on a new summary index, gia_summary. The searches calculate the speed and distance for all combinations of the source of the authentication event by user, where speed is computed using the earliest time that the source was observed in the authentication logs over the last 16 hours and 40 minutes. You must enable the Access - Geographically Improbable Access - Summary Gen search to see results on the panel and from the correlation search.

Changes to installation and upgrade defaults

• Starting with this release, included threat intelligence sources are disabled by default at installation time. Local overrides are respected at upgrade, so if included threat intelligence sources are enabled at upgrade time, the sources stay enabled.
• Starting with this release, asset and identity sources are disabled by default at installation time. Local settings are respected at upgrade, so disabled asset and identity sources such as the Demo Assets and Demo Identities lists will remain disabled after upgrade.
• Installing Splunk Enterprise Security no longer requires the admin_all_objects capability.
• The Edit Lookups permission now includes the edit_managed_configurations capability. Because of this change, after upgrading to this version you will need to reassign this permission to roles that were previously assigned this permission. Roles will still have the edit_lookups capability. See Configure users and roles in the Installation and Upgrade Manual.

Enhancements for app developers

• Added a new search command, expandtoken, that you can use to expand the tokens in a notable event. See Expand tokens in notable events using the expandtoken command in Administer Splunk Enterprise Security.

Deprecated features

• Removed the testessinstall install command after it was previously marked for deprecation. Use essinstall instead. See Install Splunk Enterprise Security from the command line in the Installation and Upgrade Manual.
• Deprecated and removed the action_history KV Store collection used to store action history items before they were added to an investigation. See Manage investigations in Splunk Enterprise Security in Administer Splunk Enterprise Security for more details.
• Replaced the following configuration check modular input scripts with saved searches that produce messages in Splunk Web. Local overrides to suppress messages from the scripts are not retained in the upgrade and must be replicated at the search level.

  Script	Saved search replacement
  confcheck_failed_threat_download.py	Audit - Failed Threatlist Downloads
  confcheck_default_search_all_non_internal_indexes	Audit - Default Admin Search All Non-Internal
  confcheck_default_search_indexes	Audit - Default Admin Search Indexes
  confcheck_script_errors	Audit - Script Errors
  confcheck_es_system_requirements.py	Audit - ES System Requirements

• Deprecated and replaced the internal search command outputmvcsv with outputlookup output_format=splunk_mv_csv. The macros using that command, `output_assets` and `output_identities` are deprecated and will be removed in a future release.
• Deprecated the app-ess/package/bin/install/deploy_contexts.py script used by Extreme Search as it assists migration from a no-longer-supported version of Splunk Enterprise Security. This script will be removed from a future version of Splunk Enterprise Security.
• Deprecated settags macros. The `settags_governance` macro, `filtertags(1)` macro, `filtertags(2)` macro, and the `settags(1)` macro. Due to the deprecation, filtering tags no longer happens, but a rename from tag to orig_tag still occurs. If you are using one of these macros, whitelist tags in CIM data models instead. See the section on tags whitelist in Enable data model acceleration in the Common Information Model Add-on Manual.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

Also in a future release, Splunk Enterprise Security will no longer selectively import apps and add-ons based on the name of the app or add-on. After this change, knowledge objects in apps and add-ons installed on the same search head as Splunk Enterprise Security and exported to other apps or globally will be visible in Splunk Enterprise Security.

Updated add-ons

• The Common Information Model Add-on is updated to version 4.10.0.