Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of ES.

Release notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

What's new

Splunk Enterprise Security version 6.5.0 includes the following enhancements:

Risk framework enhancements

New Feature or Enhancement | Description
Changes to the workbench panels to include additional pie charts and additional fields (User, Source, and Destination), and human-readable MITRE tactics and techniques for easier root cause analysis and targeted threat isolation. | Use pie charts and other visual graphics on the workbench panels for more effective threat isolation. Use the User, Source, and Destination fields on the workbench panels to perform root cause analysis for more targeted threat isolation and investigation. Use the workbench panels to identify the distribution of artifacts by human-readable MITRE ATT&CK techniques and tactics for clear visual insight into the severity of the events occurring in your system or network. For more information on targeted threat investigation using workbench panels, see Classify risk objects for targeted threat investigation.
Enrich risk events with analytic stories | For more actionable guidance to detect, analyze, and address security threats, risk events are automatically enriched with an analytic stories field if the correlation search is associated with an analytic story.
Changes to the Risk Factors Editor to associate risk objects with threat objects | Associate threat object values with risk events in the Risk Factors Editor to make threat investigation easier. For more information on adding threat objects to adhoc risk entries, see Create adhoc risk entry. For more information on adding a threat object to modify an adaptive response action, see Add a threat object to modify an adaptive response action.

Threat Intelligence enhancements

New Feature or Enhancement | Description
Opt-in and opt-out feature for Google searches | Use the opt-in and opt-out feature in Enterprise Security when you use Google searches to avoid the risk of letting third parties access data. For more information on using Google searches, see Use Google searches to investigate threat risk.

Behavior changes

Following is a list of bug fixes and behavior changes:

New Feature or Enhancement | Description
Modifying risk factors upon upgrade | Upgrading to Enterprise Security 6.4.1 or higher does not allow you to remove existing fields using the Risk Factors Editor but only allows you to add fields to the risk data model. This prevents a mismatch between the default and local configuration of the risk data model. For more information on upgrade issues with the risk data model, see After upgrading from version 6.2.0 or lower to a version 6.3.0 or higher.
No support for Malware Domains threatlist | The Malware Domains threatlist is not supported in Enterprise Security version 6.5.0 or higher.

Cloud security monitoring

Monitor and respond to threats in your cloud environment. The majority of changes for cloud security monitoring are in the Common Information Model Add-on Manual. See Release notes for the Splunk Common Information Model Add-on in the Administer Splunk Enterprise Security manual.

New Feature or Enhancement | Description
Support for storage use case | Support for Enterprise Security Content Update (ESCU) use case: "Detect S3 access from a new IP - Rule". Use this S3 access logging information from new IPs during security and access audits for greater insight into your environment.

Deprecated or removed features

Following is a list of deprecated or removed features in Enterprise Security:

Deprecated Feature | Comments
Removal of Glass Tables functionality from Enterprise Security | Glass Tables will no longer be available in Enterprise Security version 6.5.2 or higher. Do not upgrade to ES 6.5.2 or higher if you use Glass Tables. A comparable feature will be available in a future release of Splunk Enterprise.
Removal of browser support for Internet Explorer | Browser support for Internet Explorer 11 will no longer be available in Enterprise Security version 6.6.0 or higher.
Domain Dossier is removed from Enterprise Security | Domain Dossier is not available in Enterprise Security 6.5.0 or higher.
Option to search with Google within the ES application may pose inherent security risks as it may direct you to third party websites. | Option to search with Google will not be available in Enterprise Security 6.5.0 or higher.
The master_host settings for Identity Manager and Intelligence Downloads in search head pooling | Settings are obsolete for Enterprise Security 6.3.0 and higher.
Bundled technology add-ons in the ES installer. See Add-ons. | Bundled technology add-ons are not included in Enterprise Security 6.2.0 and higher.
Compatibility with Python 2 and Machine Learning Toolkit 4.0. | Enterprise Security 6.1.x is compatible with Python 3 only. Enterprise Security 6.1.x release is compatible with Splunk Enterprise versions that ship with only Python 3 interpreter and MLTK 5.0 and higher.
Splunk Add-on for Tenable and Splunk_TA_nessus | These add-ons are removed from the ES installer.
Threat intelligence sample files | These threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml.
Setting that enables SSL for Splunk Web | A system setting that is not enabled or disabled by the Enterprise Security app.
Extreme Search app (Splunk_SA_ExtremeSearch) from the Splunk Enterprise Security package | The following Extreme Search macros are deprecated: [xs_default_direction_concepts], [xs_default_magnitude_concepts], and [xs_default_change_concepts].
The luhn_lookup custom lookup script for detecting personally identifiable credit card information | Enterprise Security uses luhn_lite_lookup instead of luhn_lookup.
The getcron search command | Use join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] instead of the search command: | getcron inputField=my_saved_search_name outputField=cron.
Audit dashboard for content profile | Use Content Management data model row expansion instead of using Audit dashboard for content profile. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
Lookup generating search for Traffic Volume Tracker | Removing this search resolves issues with exporting all objects in Content Management.
Automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature | See Deploy add-ons to indexers.
The notable_adhoc_invocations macro in the SA-ThreatIntelligence app | Use the incident review saved search to fix ad-hoc alerts on sequenced events instead.
Alexa Top 1 Million Sites | See Included generic intelligence sources for alternatives.

End of support schedule

Refer to Splunk Support Policy to verify the end of support date for your Enterprise Security version.


Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow | Announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable | Announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 4.19.0.


The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.2.0-1588985117706
  • Splunk_SA_Scientific_Python_linux_x86_64-2.0.1-0
  • Splunk_SA_Scientific_Python_windows_x86_64-2.0.1-0
Last modified on 23 March, 2021

This documentation applies to the following versions of Splunk® Enterprise Security: 6.5.0 Cloud only
