Splunk® Enterprise Security

Release Notes

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Release Notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's New

Splunk Enterprise Security version 6.1.1 includes the following enhancements.

New Feature or Enhancement Description
New limits for unique number of foreign keys per asset and identity The identity manager has a configurable parameter that limits the number of multi-value keys allowed in a single row for assets and identities. See Revise multivalue field limits for assets and

Revise multivalue field limits for identities in Administer Splunk Enterprise Security.

New configurable null values per asset and identity The identity manager has new global settings for configuring which values to treat as null, so that the framework does not merge on null fields. See Global Settings in Administer Splunk Enterprise Security.
Behavior change for correlation searches When correlation searches produce a notable event, severity is now validated as one of "critical," "high," "medium," "low," or "informational." If it is not one of the aforementioned values, the severity is set to "unknown." See Create a notable event in Administer Splunk Enterprise Security.
Behavior change for threat intelligence file retention The default behavior is now set to sinkhole=True for all Intelligence Downloads and shipped Threat Intelligence pickup directories. See Download a threat intelligence feed from the Internet in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.
Doc update for indexes See Indexes by app in the Installation and Upgrade Manual.
Doc update for end of support The release notes are updated with a schedule so that you can verify the end of support date for your Enterprise Security version. See End of support schedule.

Splunk Enterprise Security version 6.1.0 includes the following enhancements.

New Feature or Enhancement Description
Python 3 support This release is compatible with Python 3 only. Configuration files are set to python.version = python3 on purpose. Do not change these flags back to 2.
Rebuild models for MLTK 5 and Python 3 MLTK app version 5 is now included in the ES installer. The previously generated models from MLTK 4.x are not compatible and have to be regenerated. See Machine Learning Toolkit Overview in Splunk Enterprise Security for general information about models in MLTK 5. See Update Splunk MLTK models for Python 3 in the Splunk Enterprise Python 3 Migration manual for information about rebuilding models.
Enterprise Security installer package size The ES installer package size is still >500MB, which is larger than the default upload limit for installing ES from the SplunkWeb UI. See Install Splunk Enterprise Security for installation instructions.
UBA integration authentication Integration revised from Splunk-based authentication to UBA authentication. See Add a new credential for UBA input.
Identity lookup email conventions The Email and Email Short conventions are now disabled by default. See Add an identity input stanza for the lookup source.
Threat intelligence downloads The threat intelligence downloads included in ES now use HTTPS. See Included threat intelligence sources.
Debug mode logging Documentation update for debug logging methods. See Enable Debug Logging in Splunk Enterprise Security.
Log files Documentation update for ES log files such as whois_manager.log. See Log files in Splunk Enterprise Security.

Deprecated or removed features

Enterprise Security 6.1.x is the last major release to bundle many of the Technology Add-ons in the ES installer. See Add-on deprecation.

Enterprise Security 6.0.x is the last major release that is compatible with Python 2 and with Machine Learning Toolkit 4.0. The 6.1.x release of ES is compatible with Python 3 only. The 6.1.x release is compatible with versions of Splunk Enterprise that ship with the Python 3 interpreter only, and MLTK 5.0 and above only.

The end-of-life'd technology add-on called Splunk Add-on for Tenable, or Splunk_TA_nessus, is removed from the ES installer.

The following threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml.

In a future release, Enterprise Security is no longer shipping with the setting that enables SSL for Splunk Web. This is a system setting that should not be enabled and disabled by the ES app. When this setting is removed, in-product adjustments will make the transition as seamless as possible.

With the Extreme Search app (Splunk_SA_ExtremeSearch) removed from the Splunk Enterprise Security package, there are replacements and deprecations for some of the XS components that ship with Enterprise Security. The following Extreme Search macros are deprecated and will be removed in the future: [xs_default_direction_concepts], [xs_default_magnitude_concepts], [xs_default_change_concepts]

The luhn_lookup custom lookup script for detecting personally identifiable credit card information is deprecated in favor of the luhn_lite_lookup, and will be removed in a future release. No features are being removed or modified, only the legacy implementation of this algorithm.

The getcron search command is removed. Instead, use | join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] rather than | getcron inputField=my_saved_search_name outputField=cron.

The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.

The deprecated automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is now removed. See Deploy add-ons to indexers.

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.

Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.

End of support schedule

Use the following table to verify the end of support date for your Enterprise Security version.

Release Version Release Date Supported Until End of Support Criteria
4.5.x 10/12/2016 6.0 Release
4.6.x 01/12/2017 6.0 Release
4.7.x 05/30/2017 6.0 Release
5.0.x 02/20/2018 02/20/2020
5.1.x 05/14/2018 05/14/2020
5.2.x 10/17/2018 10/17/2020
5.3.x 04/03/2019 04/03/2021
6.0.x 11/04/2019 11/04/2021
6.1.x 01/24/2020 01/24/2022

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Add-on deprecation

The automatic inclusion of add-ons listed in Technology-specific add-ons provided with Enterprise Security is deprecated. In a future release, Splunk Enterprise Security will no longer include all of these add-ons in the Splunk Enterprise Security package. Instead, you can download the add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.15.0.

Last modified on 05 June, 2020
  NEXT
Fixed Issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.1


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters