Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 5.2.2 includes the following enhancements.

New Feature or Enhancement Description
Use Case Library (improvement) Additional analytic stories are available by default:
  • Access Protection
  • Network Protection

Splunk Enterprise Security version 5.2.1 includes the following enhancements.

New Feature or Enhancement Description
Extreme Search (improvement) Included version is upgraded from 6.0.7 to 6.0.9. Fixes include the following:
  • fixed dispatch path discovery for XS commands running as a subsearch
  • fixed problem with dispatch directory path being truncated

Splunk Enterprise Security version 5.2.0 includes the following enhancements.

New Feature or Enhancement Description
Event Sequencing (new) Expands threat detection by allowing you to group correlation searches into batches of events. The events can be grouped in a specific sequence, by specific attributes, or both. See Create sequence templates in Splunk Enterprise Security.
Use Case Library (new) Automatically discover new security use cases and determine which can be used within your environment, based on the data currently being ingested. Splunk Enterprise Security Content Update (ESCU) delivers security analysis guides called analytic stories directly to the Use Case Library. See Map data to use cases.
Adaptive Response Relay (new) The adaptive response actions that ship out of the box for ping, nbtstat, and nslookup are modified to support Splunk Cloud. Additional setup is required before configuring adaptive response actions from Splunk Cloud to on-premises infrastructure and services. See Set up an adaptive response relay from Splunk Cloud to an on-premises device.
Investigation Workbench (improvement) Additional artifact types of File and URL are available. You can get notifications about incoming notable events. Token summary view and preview mode are available in the workbench panel editor. The investigation notes window is revised. See Add artifacts to the scope of your investigation.
Content Management (improvement) Contains a new event information column that can be expanded to verify dependency and usage information. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
Threat Intelligence (improvement) Generic intelligence sources available from third parties to enrich your data, such as Cisco Umbrella 1 Million Sites. See Included generic intelligence sources.

Deprecated features

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.

The automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is deprecated. See Deploy add-ons to indexers.

Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.


Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

Also in a future release, Splunk Enterprise Security will no longer selectively import apps and add-ons based on the name of the app or add-on. After this change, knowledge objects in apps and add-ons installed on the same search head as Splunk Enterprise Security and exported to other apps or globally will be visible in Splunk Enterprise Security.

Updated add-ons

The Common Information Model Add-on is updated to version 4.12.0.

  • New data models: Change and Endpoint
  • Deprecated data models: Application State and Change Analysis
Last modified on 08 February, 2020
Fixed Issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 5.2.2

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters