Release notes for Splunk Enterprise Security
This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.
Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.
Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
What's new
Splunk Enterprise Security version 6.6.0 includes the following enhancements:
Behavior changes
Following is a list of new features and behavior changes:
| New Feature or Enhancement | Description |
|---|---|
| UX update for Incident Review | The Incident Review interface includes updates such as the following:
Risk factors are not set by default after an upgrade. |
| Content management filters to triage notables | Support for filtering notable events on multiple values. Accelerate the triage of your notable event through the investigation workflow by using multiple filters on the Incident Review page. For more information on filters, see: |
| Dispositions on notables to identify false positives | Support for adding dispositions to a notable to identify its threat level accurately and separate the false positives. For more information, see Add dispositions to notables to accelerate triage. |
| Visualizations for improved analysis of risk notables | Timeline visualizations for deeper analysis of risk events that create notables to better identify threats to your security environment. For more information on analyzing risk notables, see Analyze risk notables to identify threat. |
| Splunk Machine Learning Toolkit user interface | The Splunk Machine Learning Toolkit user interface is removed from the ES installer as of 6.6.0, but the backend functionality remains for MLTK searches. If you need the UI for other purposes, you can install Splunk Machine Learning Toolkit app version 5.2.1 or later from Splunkbase without any impact. See https://splunkbase.splunk.com/app/2890/. |
| CIM Data Access data model | The Data Access data model is for monitoring shared data access user activity. It helps you detect a user's unauthorized data access, misuse, exfiltration, and more. See Data Access in the Splunk Common Information Model Add-on Manual. |
| Ability to modify risk factors upon upgrade | Upgrading to Enterprise Security 6.4.1 or higher does not allow you to remove existing fields using the Risk Factors Editor but only allows you to add fields to the risk data model. This prevents the mismatch between the default and local configuration of the risk data model. For more information on upgrade issues with the risk data model, see After upgrading from version 6.2.0 or lower to a version 6.3.0 or higher. |
Deprecated or removed features
Following is a list of deprecated or removed features in Enterprise Security:
| Deprecated Feature | Comments |
|---|---|
| No support for sending notable events from Splunk Enterprise Security to Splunk UBA | Support for sending notable events from Splunk ES to Splunk UBA will be removed in a future release. Configure a Splunk ES Notables data source or use Splunk Direct to pull notable events from Splunk ES to Splunk UBA. See Pull notable events from Splunk ES to Splunk UBA. |
| No browser support for Internet Explorer | Browser support for Internet Explorer 11 is no longer available in Enterprise Security version 6.6.0 or higher. |
| No support for glass tables | Glass tables are no longer available in Enterprise Security version 6.6.0 or higher. A comparable feature called Dashboard Studio is available in the Splunk platform. See What is the Splunk Dashboard Studio? in the Splunk Cloud Platform Splunk Dashboard Studio manual and What is the Splunk Dashboard Studio? in the Splunk Enterprise Splunk Dashboard Studio manual. Do not upgrade to ES 6.6.0 or higher if you need to continue using Glass Tables. |
| Extreme Search (Splunk_SA_ExtremeSearch) macros removed | The following Extreme Search macros that were previously deprecated are removed as of Enterprise Security version 6.6.0: [xs_default_direction_concepts], [xs_default_magnitude_concepts], and [xs_default_change_concepts]
|
| No support for Malware Domains threatlist | The Malware Domains threatlist is not supported in Enterprise security version 6.5.0 or higher. |
| Domain Dossier is removed from Enterprise Security | Domain Dossier is not available in Enterprise Security 6.5.0 or higher. |
| Option to search with Google within the ES application may pose inherent security risks as it may direct you to third party websites. | Option to search with Google is not available in Enterprise Security 6.5.0 or higher. |
The master_host settings for Identity Manager and Intelligence Downloads in search head pooling
|
Settings are obsolete for Enterprise Security 6.3.0 and higher. |
| Bundled technology add-ons in the ES installer. See Add-ons. | Bundled technology add-ons are not included in Enterprise Security 6.2.0 and higher. |
| Compatibility with Python 2 and Machine Learning Toolkit 4.0. | Enterprise Security 6.1.x is compatible with Python 3 only. Enterprise Security 6.1.x release is compatible with Splunk Enterprise versions that ship with only Python 3 interpreter and MLTK 5.0 and higher. |
| Splunk Add-on for Tenable and Splunk_TA_nessus | These add-ons are removed from the ES installer. |
| Threat intelligence sample files | These threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml
|
| Setting that enables SSL for Splunk Web | A system setting that is not enabled and disabled by the Enterprise Security app. |
The luhn_lookup custom lookup script for detecting personally identifiable credit card information
|
Enterprise Security uses luhn_lite_lookup instead of luhn_lookup.
|
The getcron search command
|
join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] instead of the search command:| getcron inputField=my_saved_search_name outputField=cron.
|
| Audit dashboard for content profile | Use Content Management data model row expansion instead of using Audit dashboard for content profile. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security. |
| Lookup generating search for Traffic Volume Tracker | Removing this search resolves issues with exporting all objects in Content Management. |
| Automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature. | See Deploy add-ons to indexers. The procedure to automatically create the indexer package (Splunk_TA_ForIndexers) is deprecated. However, the deployment server is still available. |
The notable_adhoc_invocations macro in the SA-ThreatIntelligence app
|
Use the incident review saved search to fix ad-hoc alerts on sequenced events instead. |
| Alexa Top 1 Million Sites | See Included generic intelligence sources for alternatives. |
End of support schedule
Refer to Splunk Support Policy to verify the end of support date for your Enterprise Security version.
Add-ons
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for Bro IDS
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Splunk Enterprise Security 6.6.0 was released on June 30, 2021. For more information on release dates for the major versions of Splunk Enterprise Security, see Software Support Policy page.
End of Life
- Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
- Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019
Updated add-ons
The Common Information Model Add-on is updated to version 4.20.0.
Libraries
The following libraries are included in this release:
- Splunk_ML_Toolkit-5.2.0-1588985117706
- Splunk_SA_Scientific_Python_linux_x86_64-2.0.1-0
- Splunk_SA_Scientific_Python_windows_x86_64-2.0.1-0
| Fixed issues for Splunk Enterprise Security |
This documentation applies to the following versions of Splunk® Enterprise Security: 6.6.0
Download manual
Feedback submitted, thanks!