Release Notes for Splunk Enterprise Security
This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.
Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.
What's New
Typically new enhancements or features are carried over from previous releases (for both on-prem and Cloud versions), unless mentioned otherwise in the list of deprecated or removed features. For information on features introduced in the earlier releases, refer to the corresponding version of the release notes.
Splunk Enterprise Security version 6.3.0 includes the following enhancements.
New Feature or Enhancement | Description |
---|---|
Cloud only | Not available on Splunkbase for on-premises environments. |
Secure Sockets Layer (SSL) is not enabled by default | You have the choice to enable SSL or not enable SSL during the installation set up process. See Set up Splunk Enterprise Security. |
Use your cloud provider to onboard data in Asset and Identity Manager | Use existing cloud service provider data or custom event type to register your assets, create a lookup, and schedule a search to run on a regular basis. See Create an asset lookup from your current cloud service provider data in Splunk Enterprise Security and Create an identity lookup from your current cloud service provider data in Splunk Enterprise Security in Administer Splunk Enterprise Security. |
Enable entity zones for Assets or Identities | Specify which zone an asset or identity is coming from, so that the Asset and Identity framework does not merge on key fields if the zone is different. For use when you have mergers or acquisitions with other companies, for example, and you have similar IP address spaces that you need to keep separate. Also configure clauses that assign a specified zone when certain conditions are met. See Enable entity zones for Assets or Identities and Format an asset or identity list as a lookup in Splunk Enterprise Security and Asset and identity fields after processing in Splunk Enterprise Security in Administer Splunk Enterprise Security. |
Enable entity zones for correlation | When correlation and entity zones are both enabled, the new cim_entity_zone field is used in automatic lookups to find the correct asset in the correct zone, enabling you to more accurately enrich your search results and notable events fields. See Correlation and entity zones in Administer Splunk Enterprise Security.
|
Enable correlation selectively by sourcetype | When asset and identity correlation is enabled, Splunk Enterprise Security compares indexed events with asset and identity data in the asset and identity lists to provide data enrichment and context. You can choose which sourcetypes to use for comparison. See Enable correlation selectively by sourcetype in Administer Splunk Enterprise Security. |
Enable overlay CIDR to include CIDR field values within the asset_lookup_by_str output results | When an event comes in that matches both an asset by string and also an asset by CIDR, you see the exact match data for the IP and the most specific CIDR block data. See Add additional context to string lookups based on CIDR blocks in Administer Splunk Enterprise Security. |
Choose your own Asset or Identity foreign key | Rather than keys of ip,mac,dns,nt_host for assets and identity for identities, choose which keys to use for the Asset and Identity framework merge process. See Add or edit and asset field and Add or edit and identity field in Administer Splunk Enterprise Security.
|
Behavior change in ignored values for Assets or Identities | The ignored values for Assets or Identities support case-sensitivity rather than only lowercase. See Ignored values for Assets or Identities in Administer Splunk Enterprise Security. |
Create multiple risk modifiers | You can modify adaptive response risk scores based on multiple unique objects to address risk limitations. See Modify a risk score with a risk modifier in Administer Splunk Enterprise Security. |
Behavior change in risk scores for threat activity | Threat Intelligence Downloads now have a default weight of 60. For Threat List Activity, a download weight of 1 will be interpreted at the new default of 60. Also for Threat List Activity, multiple risk modifiers are now created based on the sources, destinations, and users involved in the threat match. For example if a match is made on registry_path, and the events have a src, dest, and user then 4 risk events will be created:
This is an improvement to the accuracy of risk scores. Previous behavior was one risk event on the |
New security framework annotations in correlation searches | Use annotations to enrich your correlation search results with security framework mappings, such as MITRE ATT&CK technique IDs. See Use security framework annotations in correlation searches in Administer Splunk Enterprise Security. |
New telemetry for security framework annotation usage | Report the number of users that enable and start using annotations in correlation searches for the risk framework. See What data is collected in the Installation and Upgrade Manual. |
Clone existing correlation searches in the Splunk Web UI | See Clone a correlation search in Administer Splunk Enterprise Security. |
New workflow actions for cloud network traffic data model fields | When you encounter a cloud-specific field in Investigations or in Incident Review or in a notable event or in the search results, you can use a workflow action to get more context about that value. See Add new tabs and profiles to the workbench in Use Splunk Enterprise Security. |
Changes to retention settings for search driven lookups | There is a new element in the Splunk Web UI for the retention settings of search driven lookups. The retention for search driven lookups is no longer handled in the custom search builder specification of the savedsearches.conf file. It is now managed by the lookup_retention.py modular input using managed_configurations settings. Default retention settings are also revised. See Modify retention settings for a search-driven lookup in Administer Splunk Enterprise Security.
|
Migration of retention settings for threat intelligence | The retention for threat intelligence is no longer handled within saved searches. It is now handled in the lookup_retention.py modular input. The configuration of retention settings remains the same. See Download a threat intelligence feed from the Internet in Splunk Enterprise Security in Administer Splunk Enterprise Security. |
Support for STIX 2.0 and 2.1 threat intelligence | See Upload a STIX or OpenIOC structured threat intelligence file in Splunk Enterprise Security in Administer Splunk Enterprise Security. |
MLTK upgrade to 5.2.0 | MLTK app version 5.2.0 is included in the ES installer. The previously generated models from MLTK 5.0 are compatible as-is. The previously generated models MLTK 4.x are not compatible and have to be regenerated. See Machine Learning Toolkit Overview in Splunk Enterprise Security for general information about models in MLTK 5.2.0. |
Splunk_TA_ueba upgrade to 3.1.0 | Splunk Technology Add-on for UEBA version 3.1.0 is included in the ES installer. This is mainly a UI refactor, so nothing overtly new in terms of features or functionality. |
Deprecated or removed features
In Enterprise Security 6.3.0, the master_host
setting for Identity Manager and Intelligence Downloads in search head pooling is deprecated and scheduled for removal in a future release. As of five years ago, search head clustering replaces search head pooling, therefore the setting is obsolete.
Enterprise Security 6.2.0 no longer includes many bundled Technology Add-ons in the ES installer. See Add-ons.
Enterprise Security 6.1.x is the last major release to bundle many of the Technology Add-ons in the ES installer. See Add-ons.
Enterprise Security 6.0.x is the last major release that is compatible with Python 2 and with Machine Learning Toolkit 4.0. The 6.1.x release of ES is compatible with Python 3 only. The 6.1.x release is compatible with versions of Splunk Enterprise that ship with the Python 3 interpreter only, and MLTK 5.0 and above only.
The end-of-life'd technology add-on called Splunk Add-on for Tenable, or Splunk_TA_nessus, is removed from the ES installer.
The following threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/
: Appendix_D_FQDNs.xml
, Appendix_F_SSLCertificates.xml
, Appendix_G_IOCs_No_OpenIOC.xml
, fireeye-pivy-report-with-indicators.xml
, and Mandiant_APT1_Report.xml
.
In a future release, Enterprise Security is no longer shipping with the setting that enables SSL for Splunk Web. This is a system setting that should not be enabled and disabled by the ES app. When this setting is removed, in-product adjustments will make the transition as seamless as possible.
With the Extreme Search app (Splunk_SA_ExtremeSearch) removed from the Splunk Enterprise Security package, there are replacements and deprecations for some of the XS components that ship with Enterprise Security. The following Extreme Search macros are deprecated and will be removed in the future: [xs_default_direction_concepts]
, [xs_default_magnitude_concepts]
, [xs_default_change_concepts]
The luhn_lookup
custom lookup script for detecting personally identifiable credit card information is deprecated in favor of the luhn_lite_lookup
, and will be removed in a future release. No features are being removed or modified, only the legacy implementation of this algorithm.
The getcron
search command is removed. Instead, use | join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron]
rather than | getcron inputField=my_saved_search_name outputField=cron
.
The audit dashboard for Content Profile is removed in favor of the Content Management data model row expansion. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
The deprecated lookup generating search for Traffic Volume Tracker is now removed, resolving an issue with exporting all objects in Content Management.
The deprecated automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature is now removed. See Deploy add-ons to indexers.
The notable_adhoc_invocations
macro in the SA-ThreatIntelligence app is deprecated in favor of the incident review saved search to fix ad-hoc alerts on sequenced events. This macro will be removed in a future release.
Alexa Top 1 Million Sites is deprecated. See Included generic intelligence sources for alternatives.
End of support schedule
Use the following to verify the end of support date for your Enterprise Security version.
Add-ons
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. See Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Add-on deprecation or removal
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for Bro IDS
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
End of Life
- Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
- Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019
Updated add-ons
The Common Information Model Add-on is updated to version 4.17.0.
Fixed Issues for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.3.0 Cloud only
Feedback submitted, thanks!