Create multiple versions of a detection in Splunk Enterprise Security
Versioning a detection lets you view the history of changes to any detection and identify when a specific change occurred and who made the change.
The detection version history of any detections that were imported into Splunk Enterprise Security using the Enterprise Security Content Update (ESCU) app from the Splunk Threat Research Team is also maintained and displayed. If you are using version 3.2 of an ESCU detection and a new version 4.1 is published for that detection and updated into your Splunk Enterprise Security installation, version 3.2 remains the version that is turned on. To use version 4.1 of the detection, you can either select and turn on that detection version, or you can customize it to your needs by saving it as version 4.2 and then turning on version 4.2.
Any existing detections that are packaged with the app have two versions: a default version such as 1.1, and a local version such as 1.2. The local version (1.2) contains the latest changes, and version 1.1 is the base detection.
Save a new version of a detection
Save a version of a detection available in Splunk Enterprise Security so that you can customize it for your specific use case while maintaining a clear relationship to the original detection.
Follow these steps to edit and save a new version of a detection:
- In Splunk Enterprise Security, go to the Security content tab.
- Select Content Management to display the list of detections.
- Select a detection to edit in the detection editor.
- Make any necessary changes to the detection.
- (Optional) Enter a version note.
- Select Save as new version to save the changes you have made to the detection as the new version.
Clone a detection
You can clone a detection from the Security content page or using the detection editor.
Follow these steps to clone a detection using the Security content page:
- In Splunk Enterprise Security, go to the Security content tab.
- Select Detections to display the list of detections.
- Select ... from the Actions menu to display the drop-down menu.
- Select Clone from the drop-down to open the Clone detection dialog box.
- In New detection label, enter a new title or label for the cloned detection.
- Select the app context such as Splunk Enterprise Security from the App dropdown menu.
Only the detections that exist in the Splunk Enterprise Security or ESCU app are versioned.
- After the detection is cloned successfully, select Edit detection to open the cloned detection in the detection editor and make edits as required.
View the version history of a detection
View the existing versions of a detection to see which version is currently turned on, which might not be the latest version. You can view the versions of both the detections available in Splunk Enterprise Security and your customized detections.
Follow these steps to view the version history of a detection:
- In Splunk Enterprise Security, go to the Security content tab.
- Select Detections to display the list of detections.
- Select ... from the Actions menu to display the drop-down menu.
- Select Version history from the drop-down menu to view detailed information on the available versions.
- Select View to view all the information for the specific version of the detection in the detection editor.
Turn on a detection
You can turn on a detection from the Security content page or using the detection editor. You must view existing versions of a detection to turn on a selected version of the detection.
Follow these steps to view existing versions of a detection and turn on a selected version:
- In Splunk Enterprise Security, go to the Security content tab.
- Select Detections to display the list of detections.
- Select ... under the Actions drop-down menu to see the version history, then select the specific detection version to turn it on from the detection editor page. Alternatively, go to the detection editor page and select the preferred detection version to turn on.
- In the Status drop-down menu, select On for the detection version that you want to turn on. Alternatively, select Off from the Status drop-down menu to turn off a specific detection version.
View the details of a specific detection version
Follow these steps to view information on a detection:
- In the Splunk Enterprise Security app, go to the Security content tab.
- Select Detections to display the list of detections.
- Select ... from the Actions menu to display the drop-down menu.
- Select Version history from the drop-down to view detailed information on the available versions.
- Select View to view all the information for the specific version of the detection.
- In the detection editor, go to the Details panel.
The following information is available for the detection:
| Field | Information |
|---|---|
| Type | Content type, such as detection |
| ID | Numerical ID of the detection |
| Cloned from | Displays the source detection if the detection was cloned. Otherwise, the field is empty. |
| Title | Name of the detection, such as Abnormally High Number Of Endpoint Changes By User |
| Description | Information on the detection |
| Author | Names of the detection writers |
| Automation rule | Field available when SOAR is paired with Splunk Enterprise Security |
| Version ID | Numerical identifier of the detection version |
| Parent version id | Numerical identifier for the parent version of the detection |
| Date or time | The date or time when the detection version was saved |
| Who saved | Splunk id of whoever saved the detection version |
| Version note (optional) | Additional information on the detection version that you can save |
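The Details fields above (Version ID, Parent version id, Who saved, Date or time, Version note, and the On/Off status) are enough to answer the questions versioning exists for: which version is the base, which is turned on, whether the turned-on version is the latest, and who changed what and when. The following added example, which is not Splunk code and does not call any Splunk API, models a version history as a list of records with those fields and walks the parent links to reconstruct the lineage. The sample records are constructed to mirror the ESCU scenario in the text (3.2 turned on, 4.1 published, 4.2 saved locally); the record layout and user names are assumptions.

```python
"""Reconstruct a detection's version lineage from its Details fields.

Added example; it is not Splunk's code and the record layout is an assumption
modelled on the Details panel fields described in the documentation.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class DetectionVersion:
    version_id: str                    # "Version ID" in the Details panel
    parent_version_id: Optional[str]   # "Parent version id"; None for the base version
    who_saved: str                     # "Who saved"
    saved_at: str                      # "Date or time", ISO 8601 so it sorts lexically
    enabled: bool                      # Status: On (True) / Off (False)
    version_note: str = ""             # "Version note (optional)"


# Constructed sample history (not real Splunk data) mirroring the text:
# 3.2 is the ESCU base and stays turned on after 4.1 is published; 4.2 is a
# local customization saved by an analyst.
SAMPLE_HISTORY: List[DetectionVersion] = [
    DetectionVersion("3.2", None, "escu", "2024-01-10T09:00:00Z", True),
    DetectionVersion("4.1", "3.2", "escu", "2024-03-05T12:00:00Z", False,
                     "Published by ESCU update"),
    DetectionVersion("4.2", "4.1", "analyst.jane", "2024-03-06T15:30:00Z", False,
                     "Raised threshold after tuning; see version note"),
]


def index_by_id(versions: List[DetectionVersion]) -> Dict[str, DetectionVersion]:
    """Map version IDs to records, rejecting duplicate IDs."""
    by_id: Dict[str, DetectionVersion] = {}
    for v in versions:
        if v.version_id in by_id:
            raise ValueError(f"duplicate version id {v.version_id}")
        by_id[v.version_id] = v
    return by_id


def lineage(versions: List[DetectionVersion], version_id: str) -> List[str]:
    """Return version IDs from the base version down to version_id.

    Follows Parent version id links; a missing parent or a cycle is an error
    rather than an infinite loop.
    """
    by_id = index_by_id(versions)
    chain: List[str] = []
    seen = set()
    cur: Optional[str] = version_id
    while cur is not None:
        if cur in seen:
            raise ValueError(f"cycle in parent links at version {cur}")
        if cur not in by_id:
            raise KeyError(f"unknown version id {cur}")
        seen.add(cur)
        chain.append(cur)
        cur = by_id[cur].parent_version_id
    chain.reverse()
    return chain


def enabled_version(versions: List[DetectionVersion]) -> Optional[str]:
    """Return the single turned-on version, or None if every version is Off."""
    on = [v.version_id for v in versions if v.enabled]
    if len(on) > 1:
        raise ValueError(f"more than one version turned on: {on}")
    return on[0] if on else None


def latest_version(versions: List[DetectionVersion]) -> str:
    """Return the most recently saved version that no other version descends from."""
    parents = {v.parent_version_id for v in versions}
    leaves = [v for v in versions if v.version_id not in parents]
    return max(leaves, key=lambda v: v.saved_at).version_id


def enabled_is_latest(versions: List[DetectionVersion]) -> bool:
    """True when the turned-on version is also the newest one in the history."""
    return enabled_version(versions) == latest_version(versions)


def change_log(versions: List[DetectionVersion], version_id: str) -> List[dict]:
    """Who saved each version on the path to version_id, when, and with what note."""
    by_id = index_by_id(versions)
    return [
        {"version": vid, "who": by_id[vid].who_saved,
         "when": by_id[vid].saved_at, "note": by_id[vid].version_note}
        for vid in lineage(versions, version_id)
    ]


if __name__ == "__main__":
    print("lineage of 4.2:", lineage(SAMPLE_HISTORY, "4.2"))
    print("turned on:", enabled_version(SAMPLE_HISTORY))
    print("latest:", latest_version(SAMPLE_HISTORY))
    print("turned-on version is latest:", enabled_is_latest(SAMPLE_HISTORY))
    for entry in change_log(SAMPLE_HISTORY, "4.2"):
        print(entry)
```

Running the script reports that 3.2 is turned on while 4.2 is the latest version, which is exactly the situation the text describes after an ESCU update: the newer content is present but not active until someone turns it on. The cycle and missing-parent checks in `lineage` matter if the records come from an export that was edited by hand.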
Update a detection version
Add a note to any version of a detection to update the detection. You can also add a note to an older version of the detection to record important information about its usage, warnings, and so on. Adding notes to the versions of a detection lets other team members see information about its usage, efficacy, and warnings that might have been discovered during testing or use.
Follow these steps to add a note to a version of a detection:
- In Splunk Enterprise Security, go to the Security content tab.
- Select Detections to display the list of detections.
- Select ... from the Actions menu to display the drop-down menu.
- Select Version history from the drop-down menu to view detailed information on the available versions.
- Select View to view all the information for the specific version of the detection.
- In the detection editor, scroll down to enter a note for the specific version of the detection.
See also
For more information on using versioning for detections in Splunk Enterprise Security, see the product documentation:
- Use detection versioning in Splunk Enterprise Security
- Suppress specific fields for detections in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0