Splunk® Enterprise Security

Release Notes


Release notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now preserves your local changes, you might need to adjust the navigation menu bar after upgrading. Go to Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's new

New enhancements and features are typically carried over from previous releases (for both on-prem and Cloud versions), unless the list of deprecated or removed features says otherwise. For information on features introduced in earlier releases, see the release notes for the corresponding version.

Splunk Enterprise Security version 6.4.0 introduces the following enhancements:

Risk framework enhancements

New Risk Factor Editor to create risk factors: Create risk factors to adjust risk scores for risk objects and isolate threats based on the specific risks in your environment. For more information on creating risk factors based on specific conditions, see Create risk factors in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Ability to specify conditions for risk factors: Specify one or more conditions to dynamically adjust risk scores for risk objects and create more targeted risk factors. For simple conditions, see Set basic conditions to assign risk scores. For advanced conditions, see Set advanced conditions to assign risk scores in the Administer Splunk Enterprise Security manual.

Ability to preview risk factor conditions: Verify how the conditions and comparators apply to a risk factor and confirm that the risk factor matches the events you expect. For more information on previewing risk factor conditions, see Use preview to verify risk factor conditions in the Administer Splunk Enterprise Security manual.

Ability to manage risk factors: Perform the following actions to manage risk factors:
  • Identify, search, sort, or clone existing risk factors.
  • Display disabled risk factors.
  • Enable, disable, or delete risk factors.
  • Match risk events based on specific conditions.
  • Identify risk factors similar to the one being edited.

For more information on managing risk factors, see Manage risk factors in the Administer Splunk Enterprise Security manual.

Default risk factors: Use the default risk factors as they are, or customize them to create your own risk factors based on your environment. For more information on using default risk factors, see Use default risk factors in the Administer Splunk Enterprise Security manual.

Default risk incident rules to run correlation searches: Use the default risk incident rules to customize and run correlation searches that trigger adaptive response actions or generate notable events. For more information on using default risk incident rules, see Use default risk incident rules in the Administer Splunk Enterprise Security manual.

New investigative content for risk-based alerting: Use the Embedded Workbench - Risk panels or the Risk tab in Workbench to visually classify risk objects by risk modifiers, risk scores, MITRE ATT&CK techniques, and tactics for specific investigations. For more information on classifying risk objects for targeted threat investigation, see Identify annotations based risk objects in the Administer Splunk Enterprise Security manual.

New mitre_platform field in the MITRE security framework annotations: See which platforms a MITRE ATT&CK pattern applies to, such as Windows, Azure, and others. The field appears in the search results for | inputintelligence mitre_attack, in ad-hoc risk entries, and in correlation searches (if you use security framework annotations in correlation searches). For more information on security framework annotations, see Use security framework annotations in correlation searches in the Administer Splunk Enterprise Security manual.

Notables disabled for some correlation searches: Upgrading to Enterprise Security 6.4.0 may disable the notable action for some correlation searches. If you want these correlation searches to generate notables, re-enable the notable action for each of them. For more information on re-enabling notables, see Enable notables for correlation searches in the Administer Splunk Enterprise Security manual.
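The risk factor rows above describe conditions, comparators, preview, and enable/disable state, but not how a matching factor changes a score. The following Python is an added example, not code from Splunk Enterprise Security, that models that logic end to end over constructed risk events. Its assumptions: a risk factor is a list of field conditions that must all match (with an AnyOf group standing in for an advanced OR condition) plus an "add" or "multiply" adjustment; every enabled factor that matches an event adjusts that event's risk_score in list order; and user_category and src_zone are enrichment fields that the risk events carry.

```python
"""Toy model of how risk factors adjust risk scores in risk-based alerting.

Added example, not code from Splunk Enterprise Security. Assumes a factor is
a set of AND-ed field conditions (AnyOf gives OR) plus an "add" or "multiply"
adjustment, and that each enabled matching factor adjusts the event in turn.
Risk events and factors are constructed; user_category and src_zone are
assumed enrichment fields.
"""
from dataclasses import dataclass
import operator
import re

# Comparators a condition can use; "like" treats * as a wildcard.
COMPARATORS = {
    "=": operator.eq, "!=": operator.ne,
    "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge,
    "like": lambda actual, pattern: re.fullmatch(
        re.escape(str(pattern)).replace(r"\*", ".*"), str(actual)) is not None,
}


@dataclass
class Condition:
    field: str
    comparator: str
    value: object

    def matches(self, event):
        # An event that lacks the field never satisfies the condition.
        if self.field not in event:
            return False
        return COMPARATORS[self.comparator](event[self.field], self.value)


@dataclass
class AnyOf:
    """OR group: satisfied when at least one nested condition matches."""
    conditions: list

    def matches(self, event):
        return any(c.matches(event) for c in self.conditions)


@dataclass
class RiskFactor:
    name: str
    conditions: list      # all must match (AND)
    operation: str        # "add" or "multiply" (assumed semantics)
    amount: float
    enabled: bool = True

    def matches(self, event):
        return self.enabled and all(c.matches(event) for c in self.conditions)


def preview(factor, events):
    """Return the events a factor would apply to; the 'preview' check."""
    return [e for e in events if factor.matches(e)]


def apply_factors(event, factors):
    """Return (adjusted risk score, names of the factors that applied)."""
    score = float(event["risk_score"])
    applied = []
    for f in factors:
        if not f.matches(event):
            continue
        applied.append(f.name)
        if f.operation == "add":
            score += f.amount
        elif f.operation == "multiply":
            score *= f.amount
        else:
            raise ValueError(f"unknown operation {f.operation!r} in {f.name}")
    return score, applied


def score_objects(events, factors):
    """Sum adjusted scores per risk object, as a risk incident rule might."""
    totals = {}
    for e in events:
        score, _ = apply_factors(e, factors)
        totals[e["risk_object"]] = totals.get(e["risk_object"], 0.0) + score
    return totals


# Constructed risk events; field names mirror the Risk data model.
RISK_EVENTS = [
    {"risk_object": "alice", "risk_object_type": "user", "risk_score": 20,
     "user_category": "privileged", "src_zone": "corp"},
    {"risk_object": "alice", "risk_object_type": "user", "risk_score": 10,
     "user_category": "privileged", "src_zone": "guest"},
    {"risk_object": "bob", "risk_object_type": "user", "risk_score": 20,
     "user_category": "standard", "src_zone": "corp"},
    {"risk_object": "10.0.0.5", "risk_object_type": "system", "risk_score": 30,
     "src_zone": "dmz"},   # no user_category: privileged factor cannot match
]

# Constructed risk factors, including one that is disabled.
FACTORS = [
    RiskFactor("Privileged user",
               [Condition("user_category", "=", "privileged")], "multiply", 2),
    RiskFactor("Untrusted zone",
               [AnyOf([Condition("src_zone", "=", "dmz"),
                       Condition("src_zone", "=", "guest")])], "add", 10),
    RiskFactor("Workstation (disabled)",
               [Condition("risk_object", "like", "wks-*")], "add", 50,
               enabled=False),
]
```

Two things the toy makes visible that the table does not: a factor on a field the event lacks silently never matches (the system event has no user_category), so preview is the place to catch a mistyped field name; and when additive and multiplicative factors both apply, the order in which they are evaluated changes the result, so check the combined score on a representative event rather than each factor in isolation.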

Threat performance improvements

Ability to select specific workload actions for intelligence documents: Configure the workload settings to streamline the processing of intelligence documents. For more information on configuring workload settings for intelligence documents, see Configure intelligence documents in the Administer Splunk Enterprise Security manual.

Customize threat match searches: Edit the threat match settings or add new datasets to customize threat match searches. For more information on customizing threat match searches, see Customize threat match searches in the Administer Splunk Enterprise Security manual.

Configure threatlist settings: Use the Splunk Enterprise Security UI to configure proxy server settings if your deployment uses a proxy server, and configure parse modifier settings to extract fields from the threat intelligence data. For more information on configuring threatlist settings, see Configure global threatlist settings in the Administer Splunk Enterprise Security manual.

Threat intelligence manager and upload changes: The threat intelligence manager is no longer available from the Splunk Enterprise menu bar at Configure > Settings > Data inputs > Threat Intelligence Manager, and threat intelligence uploads are no longer available from the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Uploads. Both are replaced by one integrated interface on the Enterprise Security menu bar at Configure > Data Enrichment > Threat Intelligence Management. See Manage threat intelligence after upgrading Splunk Enterprise Security in the Administer Splunk Enterprise Security manual.

Cloud security monitoring

Monitor and respond to threats in your cloud environment. The majority of changes for cloud security monitoring are in the Common Information Model Add-on Manual. See Release notes for the Splunk Common Information Model Add-on in the Common Information Model Add-on Manual.

New workflow actions for cloud Alerts data model fields: When you encounter a cloud-specific field in Investigations, in Incident Review, in a notable event, or in search results, use a workflow action to create a workbench panel and get more context about that value. Fields include source, destination, user, signature ID, severity, and MITRE technique ID. For more information on creating a workbench panel, see Add new tabs and profiles to the workbench in Use Splunk Enterprise Security.

Behavior changes

Following is a list of bug fixes and behavior changes:

Behavior change for consistency in case-sensitive matching: Reverse lookups are now case insensitive, so that their behavior is consistent with | search logic in the search bar. The lookup stanzas in transforms.conf are revised to set reverse_lookup_honor_case_sensitive_match = false. For example, a filter such as user_category=privileged on a lookup output field now also matches values stored as Privileged.

Drop-down menu removed from enable correlation selectively by sourcetype: The drop-down menu added in 6.3.0 to enable correlation selectively by sourcetype for assets and identities is removed. For more information on enabling correlation selectively, see Enable correlation selectively by sourcetype in the Administer Splunk Enterprise Security manual.

The partial_fit=true parameter is added to model-generating searches: The following Machine Learning Toolkit model-generating searches that use fit DensityFunction are updated with partial_fit=true, so that when they run they update the existing models with new data rather than building new models from scratch.
  • Access - Authentication Failures By Source - Model Gen
  • Access - Authentication Failures By Source Per Day - Model Gen
  • Access - Authentication Volume Per Day - Model Gen
  • Change - Total Change Count By User By Change Type Per Day - Model Gen
  • Endpoint - Emails By Source - Model Gen
  • Endpoint - Emails By Destination Count - Model Gen
  • Endpoint - Malware Daily Count - Model Gen
  • Identity - Email Activity to Non-corporate Domains by Users Per 1d - Model Gen
  • Identity - Web Uploads to Non-corporate Domains by Users Per 1d - Model Gen
  • Network - Port Activity By Destination Port - Model Gen
  • Network - Traffic Source Count Per 30m - Model Gen
  • Network - Traffic Volume Per 30m - Model Gen
  • Network - Event Count By Signature Per Hour - Model Gen
  • Risk - Median Object Risk Per Day - Model Gen
  • Risk - Median Object Risk Per Day by Object Type - Model Gen
  • Risk - Total Risk Per Day - Model Gen
  • Risk - Total Risk By Risk Object Type Per Day - Model Gen
  • Web - Web Event Count By Src By HTTP Method Per 1d - Model Gen

Dispatch intervals are also shortened. Together with partial_fit=true, this lets each run gather a smaller amount of data and update the models incrementally, so that daily retraining, for example, completes faster.

See Machine Learning Toolkit Overview in Splunk Enterprise Security in the Administer Splunk Enterprise Security manual and DensityFunction in the Splunk Machine Learning Toolkit User Guide.

Deprecated features

Following is a list of deprecated features in Enterprise Security:

Domain Dossier is deprecated as of Enterprise Security 6.4.0: Domain Dossier is scheduled for removal in a future release.

Option to search with Google within the ES application: This option can pose a security risk because it directs you to a third-party website. The option to search with Google will not be available in Enterprise Security 6.5.0 or higher.

The master_host settings for Identity Manager and Intelligence Downloads in search head pooling: These settings are obsolete for Enterprise Security 6.3.0 and higher.

Bundled technology add-ons in the ES installer: Bundled technology add-ons are not included in Enterprise Security 6.2.0 and higher. See Add-ons.

Compatibility with Python 2 and Machine Learning Toolkit 4.0: Enterprise Security 6.1.x is compatible with Python 3 only. The 6.1.x release is compatible with Splunk Enterprise versions that ship with only the Python 3 interpreter, and with MLTK 5.0 and higher.

Splunk Add-on for Tenable and Splunk_TA_nessus: These add-ons are removed from the ES installer.

Threat intelligence sample files: The following threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml.

Setting that enables SSL for Splunk Web: This is a system setting that the Enterprise Security app does not enable or disable.

Extreme Search app (Splunk_SA_ExtremeSearch) from the Splunk Enterprise Security package: The following Extreme Search macros are deprecated: [xs_default_direction_concepts], [xs_default_magnitude_concepts], and [xs_default_change_concepts].

The luhn_lookup custom lookup script for detecting personally identifiable credit card information: Enterprise Security uses luhn_lite_lookup instead of luhn_lookup.

The getcron search command: Use join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] instead of the search command | getcron inputField=my_saved_search_name outputField=cron.

Audit dashboard for content profile: Use Content Management data model row expansion instead of the Audit dashboard for content profile. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.

Lookup generating search for Traffic Volume Tracker: Removing this search resolves issues with exporting all objects in Content Management.

Automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the indexer tier via the deployment server proxy feature: See Deploy add-ons to indexers.

The notable_adhoc_invocations macro in the SA-ThreatIntelligence app: Use the incident review saved search to fix ad-hoc alerts on sequenced events instead.

Alexa Top 1 Million Sites: See Included generic intelligence sources for alternatives.
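The luhn_lookup row above only names the replacement script; it does not show what a Luhn-based lookup has to decide. The following Python is an added example, not the luhn_lookup or luhn_lite_lookup script that ships with Enterprise Security: it finds digit runs of card-number length in event text, keeps those that pass the Luhn mod 10 checksum, and returns them masked. The sample events are constructed, and the masking policy (keep the last four digits) and the 13 to 19 digit length window are assumptions.

```python
"""Luhn check for candidate payment card numbers in event text.

Added example, not the luhn_lookup or luhn_lite_lookup script from Enterprise
Security. Length window (13-19 digits) and last-four masking are assumptions.
"""
import re

# Runs of 13 to 19 digits, optionally separated by single spaces or hyphens,
# not bordered by further digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so an alert does not itself leak PII."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str) -> list:
    """Return masked candidates in text that pass the Luhn check."""
    hits = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(mask(digits))
    return hits


def scan_events(events) -> dict:
    """Map each event index to the masked card numbers found in it."""
    results = {}
    for i, event in enumerate(events):
        hits = find_card_numbers(event)
        if hits:
            results[i] = hits
    return results


# Constructed sample events. 4111 1111 1111 1111 is the widely used Visa test
# number and is Luhn-valid; 4111111111111112 fails the checksum; the 12-digit
# session ID is too short to be a candidate.
SAMPLE_EVENTS = [
    "2021-01-15T10:01:02 user=alice msg='card 4111 1111 1111 1111 submitted'",
    "2021-01-15T10:01:03 user=bob msg='card 4111111111111112 submitted'",
    "2021-01-15T10:01:04 user=carol session=202101151001",
]
```

The checksum only rejects runs that cannot be card numbers; roughly one in ten random digit runs of card length still passes it, so a lookup like this is a filter that cuts noise, not a proof that a value is a real card number. Pair it with the length window, separator handling, and masking shown here before raising a notable on the result.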

End of support schedule

Refer to Splunk Support Policy to verify the end of support date for your Enterprise Security version.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.18.0.

Last modified on 15 January, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.4.0

