Splunk® Enterprise Security

Release Notes

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 5.0.1 includes the following enhancements.

Analyst workflow improvements

Admin and auditing improvements

Threat intelligence improvements

Performance enhancements

  • Updated the search on the Threat Artifacts dashboard to return a maximum of 10000 results.
  • Updated the correlation search and the search used by the Geographically Improbable Access panel on the Access Anomalies dashboard to rely on a new summary index, gia_summary. The searches calculate the speed and distance for all combinations of the source of the authentication event by user, where speed is computed using the earliest time that the source was observed in the authentication logs over the last 16 hours and 40 minutes. You must enable the Access - Geographically Improbable Access - Summary Gen search to see results on the panel and from the correlation search.

Changes to installation and upgrade defaults

  • Starting with this release, included threat intelligence sources are disabled by default at installation time. Local overrides are respected at upgrade, so if included threat intelligence sources are enabled at upgrade time, the sources stay enabled.
  • Starting with this release, asset and identity sources are disabled by default at installation time. Local settings are respected at upgrade, so disabled asset and identity sources such as the Demo Assets and Demo Identities lists will remain disabled after upgrade.
  • Installing Splunk Enterprise Security no longer requires the admin_all_objects capability.
  • The Edit Lookups permission now includes the edit_managed_configurations capability. Because of this change, after upgrading to this version you will need to reassign this permission to roles that were previously assigned this permission. Roles will still have the edit_lookups capability. See Configure users and roles in the Installation and Upgrade Manual.

Enhancements for app developers

Deprecated features

  • Removed the testessinstall install command after it was previously marked for deprecation. Use essinstall instead. See Install Splunk Enterprise Security from the command line in the Installation and Upgrade Manual.
  • Deprecated and removed the action_history KV Store collection used to store action history items before they were added to an investigation. See Manage investigations in Splunk Enterprise Security in Administer Splunk Enterprise Security for more details.
  • Replaced the following configuration check modular input scripts with saved searches that produce messages in Splunk Web. Local overrides to suppress messages from the scripts are not retained in the upgrade and must be replicated at the search level.
    Script Saved search replacement
    Audit - Failed Threatlist Downloads
    Audit - Default Admin Search All Non-Internal
    Audit - Default Admin Search Indexes
    Audit - Script Errors
    Audit - ES System Requirements
  • Deprecated and replaced the internal search command outputmvcsv with outputlookup output_format=splunk_mv_csv. The macros using that command, `output_assets` and `output_identities` are deprecated and will be removed in a future release.
  • Deprecated the app-ess/package/bin/install/deploy_contexts.py script used by Extreme Search as it assists migration from a no-longer-supported version of Splunk Enterprise Security. This script will be removed from a future version of Splunk Enterprise Security.
  • Deprecated settags macros. The `settags_governance` macro, `filtertags(1)` macro, `filtertags(2)` macro, and the `settags(1)` macro. Due to the deprecation, filtering tags no longer happens, but a rename from tag to orig_tag still occurs. If you are using one of these macros, whitelist tags in CIM data models instead. See the section on tags whitelist in Enable data model acceleration in the Common Information Model Add-on Manual.


Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

Also in a future release, Splunk Enterprise Security will no longer selectively import apps and add-ons based on the name of the app or add-on. After this change, knowledge objects in apps and add-ons installed on the same search head as Splunk Enterprise Security and exported to other apps or globally will be visible in Splunk Enterprise Security.

Updated add-ons

Last modified on 08 February, 2020
Fixed Issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.0.0, 5.0.1

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters