Use detection versioning in Splunk Enterprise Security
Create and maintain multiple versions of any detection and track the relationships between the detections that exist in Splunk Enterprise Security and the ESCU app. You can also track the customized detections created for specific use cases and identify the detections that are relevant for your use case. Additionally, versioning makes troubleshooting detections easier.
You can turn on or turn off any version of any detection without its findings corrupting the analysts' investigation queues. You can clone, delete, or archive a specific version of a detection. When you make a change to a detection, saving the detection always saves it as a new version. If you make a change to a detection version that is currently turned on, the new version is not turned on by default. You must turn on the new version of the detection once you are ready to do so.
Additionally, you can save a new version or create a clone from any version of a detection, not only the latest one. Lastly, you can optionally add a version note to a new version of a detection when you save it, which can assist during investigations.
While versioning is being initialized, do not make any changes to existing detections or create new detections.
Turn on versioning for detections
Follow these steps to turn on the ability to create multiple versions for detections:
- In Splunk Enterprise Security, go to the Configure tab.
- Select General settings.
- Go to the Detection versions panel and select Turn on to turn on versioning for detections.
A confirmation message displays when versioning for detections has been turned on. Turning on versioning for detections can take approximately 10 minutes.
To turn off versioning for detections, you must contact Splunk Support.
See also
For more information on creating versions for detections in Splunk Enterprise Security, see the product documentation:
Create multiple versions of a detection in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0