Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 6.0 includes the following enhancements.

New Feature or Enhancement Description
Enterprise Security installer package size increase The ES installer package size is now >500MB, which is larger than the default upload limit for installing ES from the SplunkWeb UI. See Install Splunk Enterprise Security for installation instructions.
End of support for Splunk Enterprise Security 4.x With the release of ES 6.0 and the passage of 24 months from the major release, ES 4.x has reached the end of support. The 6.0 version of ES supports upgrading from version 4.7.6 or later. See Splunk software support policy.
Behavior change when upgrading Splunk Enterprise Security in a search head cluster environment Set the deployer push mode to full to overwrite the /default directory contents and merge the /local directory contents of cluster members. See Deploy the changes to the cluster members.
Asset & Identity framework improvements for manageability and scalability Leverage KV store as a new interface for Assets and Identities. Allow for extensible fields in the Assets and Identities table definition, as well as enhance scalability/performance so that customers with very large, csv-based lookup files can easily administer their ES environments with fewer bundle replication related issues.

See Add asset and identity data to Splunk Enterprise Security for the whole process. See also Manage assets and identities in Splunk Enterprise Security for the newly consolidated management page with custom fields.

Use LDAP to register data in Asset and Identity Manger. See Create a lookup from your current LDAP data in Splunk Enterprise Security.
The following CSV-based trackers have now been migrated to the KV Store to improve performance in large deployments:
  • assets_by_cidr.csv
  • assets_by_str.csv
  • identities_expanded.csv

See Configure CSV lookups and Configure KV Store lookups in the Splunk Enterprise Knowledge Manager Manual.

The "new" and "old" asset identity systems in apps/SA-EndpointProtection/package/default/savedsearches.conf:
  • In the old system, the foreign keys were stored in a field named key for assets. In the new system, the foreign keys are stored in a field named asset for assets. This provides consistency with the identity foreign key for identities which remains the same in both new and old systems.
  • In the old system, the asset/identity identifier were calculated by concatenating and hashing foreign key values and stored as asset_id and identity_id respectively. In the new system, we use kvstore's auto-generated primary key for the identifiers which is stored in _key. We do however alias back to asset_id and identity_id respectively.
The phone2 field is removed from Identity lookup in favor of a multi-value field for phone. See Identity lookup header.
The capability for editing asset and identity lookup configurations has changed from edit_identitylookup to edit_modinput_identity_manager. See Capabilities specific to Splunk Enterprise Security.
The expandiprange custom search command is updated to support IPv6. Assets and identities framework supports only exact-matching of IPv6 addresses.
The key field is renamed to asset field and identity field after processing. If you are using key for custom content in 5.3.0 and lower versions, update your custom content. See Asset and identity fields after processing in Splunk Enterprise Security.
Python 2 and Python 3 support The following flag is available in the ES specification files:
 python.version = {default|python|python2|python3}

However, this release is not completely dual Python 2 and Python 3 compatible. In Splunk Enterprise 8.0, it requires the Python 2 interpreter that ships with 8.0. Various configuration files are set python.version = python2 on purpose. If using Splunk Enterprise 8.0, do not set the python.version flags to python3 or run in strict python3 mode at this time. See Upcoming changes to Splunk Enterprise.

Investigation Overview The Investigation Overview dashboard gives insight into investigations, including monitoring open investigations, time to completion, and number of collaborators. See Investigation Overview.
Machine Learning Toolkit (MLTK) replacing Extreme Search The Splunk MLTK is better suited to lead our customers into the future of threat detection and predictive analytics within ES. See Machine Learning Toolkit Overview.
MLTK app version 4.4 and Python for Scientific Computing apps for Linux 64-bit and Windows 64-bit are now included in the ES installer.
New Machine Learning Audit Dashboard. See Machine Learning Audit.
Distributed Configuration Management download is moved to general settings. The download settings are moved from Configure > General > Distributed Configuration Management to Configure > General > General Settings. See Create the Splunk_TA_ForIndexers and manage deployment manually.
Incident Review behavior change Any value that is not one of the six filtered urgencies now also defaults to "unknown". See How urgency is assigned to notable events in Splunk Enterprise Security.
New saved search: Audit - Identity Manager Usage - Telemetry Gen Data collection for asset and identity lookup table size and number of entries. See What data is collected.
New general setting: Threat Intelligence Wildcard Minimum Length Threat intelligence would previously allow matching based on any wildcard, regardless of length. This macro filters out wildcard intelligence that doesn't meet a minimum requirement. See Configure general settings for Splunk Enterprise Security.
New general setting: Threat Artifacts Max The maximum number of unfiltered results on the Threat Artifacts dashboard was previously embedded in the XML. This is now a macro so the value can be adjusted without locally overriding the view. See Configure general settings for Splunk Enterprise Security.

Deprecated or removed features

Enterprise Security 6.0 is the last major release that is compatible with Python 2 and with Machine Learning Toolkit 4.0. The next major release of ES is planned for compatibility with Python 3 only. The next major release is also planned for compatibility with future versions of Splunk Enterprise that ship with the Python 3 interpreter only, and MLTK 5.0 and above only.

The end-of-life'd technology add-on called Splunk Add-on for Tenable, or Splunk_TA_nessus, is removed from the ES installer.

The following threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml.

In a future release, Enterprise Security is no longer shipping with the setting that enables SSL for Splunk Web. This is a system setting that should not be enabled and disabled by the ES app. When this setting is removed, in-product adjustments will make the transition as seamless as possible.

With the Extreme Search app (Splunk_SA_ExtremeSearch) removed from the Splunk Enterprise Security package, there are replacements and deprecations for some of the XS components that ship with Enterprise Security. The following Extreme Search macros are deprecated and will be removed in the future: [xs_default_direction_concepts], [xs_default_magnitude_concepts], [xs_default_change_concepts]

The luhn_lookup custom lookup script for detecting personally identifiable credit card information is deprecated in favor of the luhn_lite_lookup, and will be removed in a future release. No features are being removed or modified, only the legacy implementation of this algorithm.

The getcron search command is removed. Instead, use | join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] rather than | getcron inputField=my_saved_search_name outputField=cron.

The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.

The deprecated automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is now removed. See Deploy add-ons to indexers.

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.

Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.


Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security that was previously deprecated is no longer deprecated. The add-ons are still included. The current change is that they are no longer automatically installed as part of the post-install configuration in a search head cluster environment. See Install Splunk Enterprise Security in a search head cluster environment and Upgrade Splunk Enterprise Security in a search head cluster environment.

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.14.0.

Last modified on 20 October, 2020
Fixed Issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.0.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters