Release Notes for Splunk Enterprise Security
This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.
Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.
Splunk Enterprise Security version 6.2.0 includes the following enhancements.
|New Feature or Enhancement||Description|
|Many bundled technology add-ons (TAs) are removed from the ES installer, and some are deprecated.||The Splunk Add-on for UBA is still included. Although the installer no longer includes many technology add-ons in the Splunk Enterprise Security package, any technology add-ons already in your environment are not removed. See Deploy add-ons to Splunk Enterprise Security for further information about deploying add-ons. See Add-on deprecation or removal for further information about the specific add-ons that are deprecated.|
|Behavior change for capability check during install/setup.||The install_apps capability check is now at the beginning of the installation process. If the setting is incorrect, you will be informed ahead of time. See Splunk Enterprise platform considerations in the Installation and Upgrade Manual.|
|Behavior change when upgrading from the command line in a search head cluster.||You no longer need to run additional steps before every upgrade from the command line in a search head cluster environment to preserve CSV lookups in the domain add-ons (DAs) and supporting add-ons (SAs) that are bundled in Splunk Enterprise Security. The default for the deployer's |
|Behavior change in enforcements used by the identity manager framework.||After upgrading to Enterprise Security 6.2.0, you need to enable the Enforce props toggle in the Global Settings of Asset and Identity Management if you want the identity manager to enforce settings on your behalf. This setting periodically checks your defined automatic lookup settings in props.conf, ensuring that they are consistent with the rest of your asset and identity settings, and it removes legacy settings. On a fresh installation, Enterprise Security 6.2.0 has Enforce props set to enabled by default and the setting is enforced continuously. However, prior versions only enforce once and then switch the setting to false right away. If you're already using a previous version of ES with assets and identities, the |
|New limits for unique number of foreign keys per asset and identity.||The identity manager has a configurable parameter that limits the number of multi-value keys allowed in a single row for assets and identities. See Revise multivalue field limits for assets and Revise multivalue field limits for identities in Administer Splunk Enterprise Security.|
|New configurable null values per asset and identity.||The identity manager has new global settings for configuring which values to treat as null, so that the framework does not merge on null fields. See Global Settings in Administer Splunk Enterprise Security.|
|New ability to disable merge per asset and identity.||The identity manager has new global settings for disabling the merge process, so that the framework does not merge duplicate fields. See Global Settings in Administer Splunk Enterprise Security.|
|The "enable selectively by sourcetype" enforcement is reverted for cloud deployments.||For Splunk Cloud deployments of Enterprise Security prior to ES 6.2.0, the "enable for all sourcetypes" option is not available. See Enable correlation setup to compare indexed events with asset and identity data in Administer Splunk Enterprise Security.|
|New configurable indexes for some adaptive response actions.||Indexes are now configurable for the adaptive response actions of ping, nbtstat, and nslookup. See Ping a host, Run nbtstat, and Run nslookup in Administer Splunk Enterprise Security.|
|New access in the manage_all_investigations capability.||You can now add incidents to investigations where you are not a collaborator or owner. See Add a Splunk event to an investigation in Use Splunk Enterprise Security.|
|New Authentication tab in the investigation workbench.||Import cloud-authentication-related notable events into an investigation and get context about what you are investigating. See Add new tabs and profiles to the workbench in Use Splunk Enterprise Security.|
|New embedded workbench.||Use an embedded workbench as workflow field action to get more context about specific values in Incident Review. See Create a workbench panel workflow action in Splunk Enterprise Security in Administer Splunk Enterprise Security.|
|MLTK upgrade to 5.1.0.||MLTK app version 5.1.0 is now included in the ES installer. Models previously generated with MLTK 5.0 are compatible as-is. Models previously generated with MLTK 4.x are not compatible and have to be regenerated. See Machine Learning Toolkit Overview in Splunk Enterprise Security for general information about models in MLTK 5.1.0.|
|Behavior change for correlation searches.||When correlation searches produce a notable event, severity is now validated as one of "critical," "high," "medium," "low," or "informational." If it is not one of the aforementioned values, the severity is set to "unknown." See Create a notable event in the Administer Splunk Enterprise Security manual.|
|Behavior change for creating an identity lookup configuration.||An identity lookup can use email conventions to uniquely identify identities in your data. When the email convention check box is checked, the email address is used as an additional primary key for identity. The Email and Email Short conventions are now disabled by default. See Add an identity input stanza for the lookup source in the Administer Splunk Enterprise Security manual.|
|Behavior change for threat intelligence file retention.||The default behavior is now set to |
|Behavior change with Splunk Enterprise||With the release of Splunk version 8.0.2004, KV Store backed lookups respect the max_memtable_bytes setting. See Revise asset and identity lookups memory usage behavior in the Administer Splunk Enterprise Security manual.|
|Telemetry update||Telemetry includes usage information on |
|UI refresh and doc update for general settings.||Change threshold values, macro definitions, search filters, and other commonly changed values on the General Settings page. See General settings.|
|Doc update for end of support.||The release notes are updated with a schedule so that you can verify the end of support date for your Enterprise Security version. See End of support schedule.|
Deprecated or removed features
Enterprise Security 6.2.0 no longer includes many bundled Technology Add-ons in the ES installer. See Add-ons.
Enterprise Security 6.1.x is the last major release to bundle many of the Technology Add-ons in the ES installer. See Add-ons.
Enterprise Security 6.0.x is the last major release that is compatible with Python 2 and with Machine Learning Toolkit 4.0. The 6.1.x release of ES is compatible with Python 3 only. The 6.1.x release is compatible with versions of Splunk Enterprise that ship with the Python 3 interpreter only, and MLTK 5.0 and above only.
The end-of-life technology add-on called Splunk Add-on for Tenable, or Splunk_TA_nessus, is removed from the ES installer.
The following threat intelligence sample files are removed from
In a future release, Enterprise Security will no longer ship with the setting that enables SSL for Splunk Web. This is a system setting that should not be enabled or disabled by the ES app. When this setting is removed, in-product adjustments will make the transition as seamless as possible.
With the Extreme Search app (Splunk_SA_ExtremeSearch) removed from the Splunk Enterprise Security package, there are replacements and deprecations for some of the XS components that ship with Enterprise Security. The following Extreme Search macros are deprecated and will be removed in the future:
The luhn_lookup custom lookup script for detecting personally identifiable credit card information is deprecated in favor of the luhn_lite_lookup, and will be removed in a future release. No features are being removed or modified, only the legacy implementation of this algorithm.
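The Luhn check behind these lookups, written in the shape of a Splunk external lookup script (CSV in on stdin, annotated CSV out on stdout). This is an added illustration, not the ES luhn_lookup or luhn_lite_lookup code; the field names pii and luhn_valid and the 12-19 digit length gate are assumptions.

```python
import csv
import sys

# Field names are assumptions for this example; the luhn_lookup and
# luhn_lite_lookup scripts that ship with ES may use different ones.
INPUT_FIELD = "pii"
OUTPUT_FIELD = "luhn_valid"

def luhn_checksum(digits: str) -> int:
    """Return the Luhn sum mod 10 over a string of ASCII digits."""
    total = 0
    # Walk from the rightmost digit; every second digit is doubled,
    # and a doubled value above 9 has 9 subtracted (same as summing its digits).
    for pos, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if pos % 2 == 1:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10

def is_luhn_valid(candidate: str) -> bool:
    """True when the value is 12-19 digits (ignoring spaces/dashes) and passes Luhn."""
    # The length gate keeps short numeric fields (ports, counters) from matching.
    digits = "".join(ch for ch in candidate if ch not in " -")
    if not (digits.isascii() and digits.isdigit()) or not 12 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0

def process_rows(rows) -> list:
    """Copy each lookup row and add OUTPUT_FIELD set to "true" or "false"."""
    out = []
    for row in rows:
        row = dict(row)
        row[OUTPUT_FIELD] = "true" if is_luhn_valid(row.get(INPUT_FIELD) or "") else "false"
        out.append(row)
    return out

def main() -> None:
    # Splunk external lookups pass CSV (header first) on stdin and read the
    # annotated CSV back from stdout, so the script is a plain CSV filter.
    reader = csv.DictReader(sys.stdin)
    fields = list(reader.fieldnames or [])
    if OUTPUT_FIELD not in fields:
        fields.append(OUTPUT_FIELD)
    writer = csv.DictWriter(sys.stdout, fieldnames=fields)
    writer.writeheader()
    writer.writerows(process_rows(reader))

if __name__ == "__main__":
    main()
```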
The getcron search command is removed. Instead, use
| join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] rather than
| getcron inputField=my_saved_search_name outputField=cron.
The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.
The deprecated automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is now removed. See Deploy add-ons to indexers.
The notable_adhoc_invocations macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad hoc alerts on sequenced events. This macro will be removed in a future release.
Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.
End of support schedule
Use the following to verify the end of support date for your Enterprise Security version.
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Add-on deprecation or removal
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for Bro IDS
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
End of Life
- Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
- Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019
The Common Information Model Add-on is updated to version 4.16.0.
This documentation applies to the following versions of Splunk® Enterprise Security: 6.2.0