Release notes for Splunk Enterprise Security
This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.
Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.
Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
Splunk Enterprise Security version 7.1.0 includes the following new features or enhancements:
|Ability to enable behavioral analytics service from Splunk Enterprise Security app UI||Option to enable specific detections in Splunk behavioral analytics service to enhance and extend threat hunting in your existing Splunk SIEM environment. |
For more information on enabling the behavioral analytics service, see
|Visualizations for the behavioral analytics service||Use the Risk Analysis dashboard in Splunk Enterprise Security to view the distribution of Behavioral Analytics Detections by Type. For more information, see Risk Analysis dashboard.|
|Use test index to reduce alert volume||Option to manage Splunk behavioral analytics detections by forwarding notables to a test index without impacting the risk environment. For more information on using test index for behavioral analytics service detections, see Manage behavioral analytics service detections in Splunk Enterprise Security.|
|Upgraded dashboards to Splunk Dashboard Studio||Use Splunk Enterprise Security dashboards that are upgraded from simple XML to Splunk Dashboard Studio for improved performance and to get better insights from your data visualizations. Additionally, you can also upgrade your custom dashboards to Splunk Dashboard Studio.
For more information on using upgraded dashboards, see Upgrade to Splunk Dashboard Studio to improve performance.
|Guidance on risk-based alerting in a new standalone manual||See Use Splunk Enterprise Security Risk-based Alerting to learn about how risk-based alerting works in Splunk Enterprise Security.|
|View risk notables from the same risk object (asset or identity)||Use Splunk Enterprise Security to surface risk notables that are generated from the same risk object but might represent a higher risk so that connected behaviors and threats can be investigated. For more information, see View risk notables generated from the same risk object.|
|View the MITRE ATT&CK posture for a risk notable||View the MITRE ATT&CK tactics and techniques in the context of a risk notable to enhance the situational awareness of your security operations center (SOC). For more information, see View the MITRE ATT&CK posture for a risk notable.|
|View risk notables with enrichment from entity zones||Use Splunk Enterprise Security to surface risk notables based on the additional enrichment provided by entity zones to investigate threats effectively. For more information, see View risk notables with enrichment from entity zones.|
|Visualizations to map risk notables against known security frameworks such as MITRE ATT&CK||Mapping risk notables to known security frameworks through visualizations helps to classify attacks, understand adversary behavior, and assess an organization's risk. For more information on investigating a risk notable based on known security frameworks, see Investigate a risk notable based on known security frameworks.|
|Visualization to map Threat Topology||Use the Threat Topology visualization to identify how the different risk objects that generate a risk notable are related to each other. For more information on using the Threat Topology visualization to identify risk during an investigation, see Use the Threat Topology visualization to analyze risk notables.|
|Visualizations and charts to review notables||Use the pie charts on the Incident Review page for greater insight into the notables and isolate specific time periods of interest during an investigation. For more information on the available visualizations, see Visualizations and charts in Incident Review.|
|Improve performance by troubleshooting large KV Store collections||Troubleshoot search head crashes or slow downs when you exceed storage limits for KV Store collections. For more information, see Troubleshoot performance issues due to large KV Store collections.|
|Wider panels for configuration||Commonly used configuration panels in Splunk Enterprise Security such as the correlation search editor are now wider to provide an easier workflow and to optimize screen real-estate. A wider correlation search editor makes it easy to view and customize Splunk security detections.|
|New telemetry information||Additional usage data is collected by Splunk Enterprise Security to improve the product in future releases. For more information on what new data is collected, see Share data in Splunk Enterprise Security.|
When you upgrade to Splunk Enterprise Security version 7.1.0, contributing risk events for risk notables might not be visible in the Risk Event Timeline if the risk notables are created before the upgrade and any one of the following conditions are met:
- CIM entity zones are enabled
- Changes are made to the CIM entity zones that apply to existing risk notables
- Asset and identity framework is disabled
For more information, see After upgrading to Splunk Enterprise Security Version 7.1.0.
Additionally, if you make changes to the CIM entity zones or the assets and identity framework, you might cause a change to the risk object normalization, which might result in contributing risk events not being visible in the Risk Event Timeline visualization. This pertains to risk notables that were created prior to making the changes to the CIM entity zones and assets and identity framework.
Deprecated or removed features
Following is a list of deprecated or removed features in Enterprise Security:
|No support for sending notable events from Splunk Enterprise Security to Splunk UBA||Support for sending notable events from Splunk ES to Splunk UBA will be removed in a future release. Configure a Splunk ES Notables data source or use Splunk Direct to pull notable events from Splunk ES to Splunk UBA. See Pull notable events from Splunk ES to Splunk UBA.|
|No browser support for Internet Explorer||Browser support for Internet Explorer 11 is no longer available in Enterprise Security version 6.6.0 or higher.|
|No support for glass tables||Glass tables are no longer available in Enterprise Security version 6.6.0 or higher. A comparable feature called Dashboard Studio is available in the Splunk platform. See What is the Splunk Dashboard Studio? in the Splunk Cloud Platform Splunk Dashboard Studio manual and What is the Splunk Dashboard Studio? in the Splunk Enterprise Splunk Dashboard Studio manual. Do not upgrade to ES 6.6.0 or higher if you need to continue using Glass Tables.|
|Extreme Search (Splunk_SA_ExtremeSearch) macros removed||The following Extreme Search macros that were previously deprecated are removed as of Enterprise Security version 6.6.0: |
|No support for Malware Domains threatlist||The Malware Domains threatlist is not supported in Enterprise security version 6.5.0 or higher.|
|Domain Dossier is removed from Enterprise Security||Domain Dossier is not available in Enterprise Security 6.5.0 or higher.|
|Option to search with Google within the ES application may pose inherent security risks as it may direct you to third party websites.||Option to search with Google is not available in Enterprise Security 6.5.0 or higher.|
||Settings are obsolete for Enterprise Security 6.3.0 and higher.|
|Bundled technology add-ons in the ES installer. See Add-ons.||Bundled technology add-ons are not included in Enterprise Security 6.2.0 and higher.|
|Compatibility with Python 2 and Machine Learning Toolkit 4.0.||Enterprise Security 6.1.x is compatible with Python 3 only.|
Enterprise Security 6.1.x release is compatible with Splunk Enterprise versions that ship with only Python 3 interpreter and MLTK 5.0 and higher.
|Splunk Add-on for Tenable and Splunk_TA_nessus||These add-ons are removed from the ES installer.|
|Threat intelligence sample files||These threat intelligence sample files are removed from |
|Setting that enables SSL for Splunk Web||A system setting that is not enabled and disabled by the Enterprise Security app.|
||Enterprise Security uses |
||join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] instead of the search command:|
|Audit dashboard for content profile||Use Content Management data model row expansion instead of using Audit dashboard for content profile. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.|
|Lookup generating search for Traffic Volume Tracker||Removing this search resolves issues with exporting all objects in Content Management.|
|Automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature||See Deploy add-ons to indexers.|
||Use the incident review saved search to fix ad-hoc alerts on sequenced events instead.|
|Alexa Top 1 Million Sites||See Included generic intelligence sources for alternatives.|
End of support schedule
Refer to Splunk Support Policy to verify the end of support date for your Enterprise Security version.
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
End of Life
- Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
- Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019
The Common Information Model Add-on is updated to version 5.1.0.
The following libraries are included in this release:
Fixed issues for Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0
Feedback submitted, thanks!