Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Release notes for Splunk Enterprise Security

This version of Splunk Enterprise Security is compatible only with specific versions of the Splunk platform. See Splunk Enterprise system requirements in the Installation and Upgrade Manual.

Because the navigation now respects your local changes, you might need to make changes to the navigation menu bar after upgrading. See Configure > General > Navigation to see which views are upgraded, new, or deprecated.

The ES Health app is installed and will be disabled for all Splunk Cloud customers. This app is enabled by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the ES Health app.

Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

What's new

Splunk Enterprise Security version 7.2.0 includes the following enhancements based on suggestions provided in the Splunk Ideas portal:

Splunk idea New feature Description
ESSID-I-67 Ability to configure multiple drill-down searches for notables Configure multiple searches as drill-downs to investigate different scenarios during investigations or notable analysis. You can access these drill-down searches easily from the notable.
For more information on configuring multiple drill-down searches, see Configure multiple drill-down searches for a notable.
ESSID-I-189 Add dispositions prior to closing a notable Administrators can configure if analysts need to add a disposition prior to closing a notable. For more information on assigning dispositions to close notables, see
ESSID-I-19 Specify clickable URLs as Next Steps to the Notable adaptive response action Specify clickable URLs such as links to a wiki page, runbook, a Splunk dashboard, or a third-party website as Next Steps to the Notable adaptive response action and build custom workflows during investigations.

For more information on specifying clickable URLs for customized workflows, see Add a clickable URL to the adaptive response action.

ESSID-I-7 Auto-refresh the Incident review page Configure auto-refresh for the Incident review page. For more information, see Configure auto-refresh to update notables.
ESSID-I-215
ESSID-I-212
Analyst workflow improvements on the Incident Review page such as the ability to create, manage, and share saved views or table filters Manage and share saved views and filters. For more information, see:
ESSID-I-157 Timeline visualization is reintroduced on the Incident Review page Focus on specific time periods during which notables were generated and view related events that might be of interest for more targeted threat investigations. For more information on visualizations available on Incident Review, see Visualizations and charts on the Incident Review page.
ESSID-I-210 Customize table settings Customize table settings on the Incident Review page. For more information, see Customize table settings to display notable fields.

Splunk Enterprise Security version 7.2.0 includes the following features and improvements in this release:

New feature Description
Improvements to the Risk Analysis dashboard Panel changes and additional investigation options on the Risk Analysis dashboard to review behavioral analytics detections and correlate risk-related information on assets and identities. Changes include:
  • Select the test index for behavioral analytics detections. For more information, see Use behavioral analytics detections on test index.
  • Display the activated behavioral analytics detections and the available detections in Splunk Enterprise Security. For more information, see Review activated detections.
  • Access the Risk Event Timeline visualization from the Risk Analysis dashboard to review historical events during an investigation. For more information on the Risk Event timeline visualizations, see View the Risk Event Timeline visualization.
  • Access the Threat activity dashboard to access information related to a specific threat object. For more information on accessing threat object activity, see Access threat object activity.
Ability to sort and filter notables by disposition Sort and filter notables based on disposition values. For more information, see:
Support for PCI control fields on the Incident Review page Ability to display the PCI control field such as 1.2.2 or 8.3, and so on for notables on the Incident Review page. For more information, see Release Notes for the Splunk App for PCI Compliance.
Removal of biased language in code, UI, and documentation. Removed most instances of biased language from the code, UI, and documentation. For example:
  • "master" was replaced by "primary";
  • "slave" was replaced by "secondary";
  • "blacklist" was replaced by "denylist";
  • "whitelist" was replaced by "allowlist";
New RBA tutorial A new guided tutorial for security analysts and detection engineers to learn how to assign risk for specific users or systems, triage incidents, and identify threat levels using risk-based alerting in Splunk Enterprise Security. For more information, see About the risk-based alerting tutorial.

Limitations

When you upgrade to Splunk Enterprise Security version 7.1.x, contributing risk events for risk notables might not be visible in the Risk Event Timeline if the risk notables are created before the upgrade and any one of the following conditions are met:

  • CIM entity zones are enabled
  • Changes are made to the CIM entity zones that apply to existing risk notables
  • Asset and identity framework is disabled

For more information, see After upgrading to Splunk Enterprise Security Version 7.1.0.

Additionally, if you make changes to the CIM entity zones or the assets and identity framework, you might cause a change to the risk object normalization, which might result in contributing risk events not being visible in the Risk Event Timeline visualization. This pertains to risk notables that were created prior to making the changes to the CIM entity zones and assets and identity framework.

Deprecated or removed features

Following is a list of deprecated or removed features in Enterprise Security:

Deprecated Feature Comments
No support for sending notable events from Splunk Enterprise Security to Splunk UBA Support for sending notable events from Splunk ES to Splunk UBA will be removed in a future release. Configure a Splunk ES Notables data source or use Splunk Direct to pull notable events from Splunk ES to Splunk UBA. See Pull notable events from Splunk ES to Splunk UBA.
No browser support for Internet Explorer Browser support for Internet Explorer 11 is no longer available in Enterprise Security version 6.6.0 or higher.
No support for glass tables Glass tables are no longer available in Enterprise Security version 6.6.0 or higher. A comparable feature called Dashboard Studio is available in the Splunk platform. See What is the Splunk Dashboard Studio? in the Splunk Cloud Platform Splunk Dashboard Studio manual and What is the Splunk Dashboard Studio? in the Splunk Enterprise Splunk Dashboard Studio manual. Do not upgrade to ES 6.6.0 or higher if you need to continue using Glass Tables.
Extreme Search (Splunk_SA_ExtremeSearch) macros removed The following Extreme Search macros that were previously deprecated are removed as of Enterprise Security version 6.6.0: [xs_default_direction_concepts], [xs_default_magnitude_concepts], and [xs_default_change_concepts]
No support for Malware Domains threatlist The Malware Domains threatlist is not supported in Enterprise security version 6.5.0 or higher.
Domain Dossier is removed from Enterprise Security Domain Dossier is not available in Enterprise Security 6.5.0 or higher.
Option to search with Google within the ES application may pose inherent security risks as it may direct you to third party websites. Option to search with Google is not available in Enterprise Security 6.5.0 or higher.
The master_host settings for Identity Manager and Intelligence Downloads in search head pooling Settings are obsolete for Enterprise Security 6.3.0 and higher.
Bundled technology add-ons in the ES installer. See Add-ons. Bundled technology add-ons are not included in Enterprise Security 6.2.0 and higher.
Compatibility with Python 2 and Machine Learning Toolkit 4.0. Enterprise Security 6.1.x is compatible with Python 3 only.

Enterprise Security 6.1.x release is compatible with Splunk Enterprise versions that ship with only Python 3 interpreter and MLTK 5.0 and higher.

Splunk Add-on for Tenable and Splunk_TA_nessus These add-ons are removed from the ES installer.
Threat intelligence sample files These threat intelligence sample files are removed from DA-ESS-ThreatIntelligence/default/data/threat_intel/: Appendix_D_FQDNs.xml, Appendix_F_SSLCertificates.xml, Appendix_G_IOCs_No_OpenIOC.xml, fireeye-pivy-report-with-indicators.xml, and Mandiant_APT1_Report.xml
Setting that enables SSL for Splunk Web A system setting that is not enabled and disabled by the Enterprise Security app.
The luhn_lookup custom lookup script for detecting personally identifiable credit card information Enterprise Security uses luhn_lite_lookup instead of luhn_lookup.
The getcron search command join my_saved_search_name [| rest splunk_server=local count=0 /services/saved/searches | table title,cron_schedule | rename title as my_saved_search_name, cron_schedule as cron] instead of the search command:
| getcron inputField=my_saved_search_name outputField=cron.
Audit dashboard for content profile Use Content Management data model row expansion instead of using Audit dashboard for content profile. See Expand Content Management searches to view dependency and usage information in Splunk Enterprise Security.
Lookup generating search for Traffic Volume Tracker Removing this search resolves issues with exporting all objects in Content Management.
Automatic (continuous) creation and deployment of the "indexer package" (Splunk_TA_ForIndexers) to the Indexer tier via deployment server proxy feature See Deploy add-ons to indexers.
The notable_adhoc_invocations macro in the SA-ThreatIntelligence app Use the incident review saved search to fix ad-hoc alerts on sequenced events instead.
Alexa Top 1 Million Sites See Included generic intelligence sources for alternatives.

End of support schedule

Refer to Splunk Support Policy to verify the end of support date for your Enterprise Security version.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 5.2.0.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.4.0-1677171559342
  • Splunk_SA_Scientific_Python_linux_x86_64-3.1.0-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.1.0-0
Last modified on 27 October, 2023
  Fixed issues for Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters