Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Release notes for Splunk Enterprise Security

Splunk Enterprise Security version 8.0 is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.

When you upgrade to Splunk Enterprise Security version 8.0, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance. See Upgrade notice for 8.0.

You must have Splunk SOAR to use playbooks. Otherwise, the option to use playbooks is hidden.

Splunk Enterprise Security version 8.0 is not compatible with the Splunk app for PCI compliance. if your Splunk Enterprise Security installation relies on the PCI app, do not upgrade to Splunk Enterprise Security version 8.0.

Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.

The Splunk Enterprise Security Health app is installed but is disabled for all Splunk Cloud customers. This app is enabled by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

What's new

Splunk Enterprise Security version 8.0.0 was released on October 30, 2024 and includes the following new enhancements:

New feature Description
Unified UI for threat detection, investigation, and response (TDIR) workflows Ability to pair Splunk SOAR playbooks and actions with the case management features of Splunk Enterprise Security and Splunk Mission Control to collaborate and run investigations effectively. For more information on using Splunk Enterprise Security with Splunk SOAR, see Integration of Splunk SOAR with Splunk Enterprise Security.
New analyst queue to manage analyst workflows Ability to use the analyst queue on the Mission Control page for a centralized view of all findings, intermediate findings, and investigations for a faster and easier triage. The analyst queue offers a new layout with restyled and reorganized columns, new actions such as Run playbook, Assign to me, Add to investigation, nested findings, ability to create and edit findings, and so on. For more information on the analyst queue, see Manage analyst workflows using the analyst queue in Splunk Enterprise Security.
Side panel with the analyst queue to interact with findings Ability to interact with findings and investigations without leaving the analyst queue. Use the side-panel to:
  • View the details of a findings or an investigation such as fields, notes, and so on.
  • Edit findings by changing the status or re-assign the finding.
  • Run actions on findings such as workflow actions, adaptive response actions, and so on.
  • Start an investigation from a finding.
  • See any related investigations and included findings
  • Add notes to findings.
Improved detection authoring capability with risk-based alerting Ability to build high-confidence groups of findings using two newly designed editors for event-based and finding-based detections. You can author detections based on risk and common security techniques to improve aggregation and triage capabilities without a complex knowledge of the search processing language (SPL). For more information on event-based and finding-based detections, see Use detections to search for behavioral patterns in Splunk Enterprise Security.
Detection versioning Ability to save new versions and back-up old versions of detections. For more information on detection versioning, see Use detection versioning in Splunk Enterprise Security and Create multiple versions of a detection in Splunk Enterprise Security.
Reorganized navigation and configuration menus Navigation and configuration menus are reorganized into easy-to-understand categories and streamlined workflows.
Simplified terminology New terminology for detections, findings, and investigation workflows that aligns to the Open Cybersecurity Schema Framework (OCSF) for a seamless experience. For more information on the changed terms, see Glossary and Splunk Enterprise Security terminology.
Investigation overview panel Ability to review details of the investigation, view and manage findings within the investigation, and integrate with Splunk SOAR.
Analytics dashboards Reorganized all Splunk Enterprise Security dashboards under the Analytics tab for easy review and accessibility.
Enhanced capability to add notes Improvements to the Comments feature available in prior versions of Splunk Enterprise Security. For more information on the new Notes feature, see Collaborate on investigations in Splunk Enterprise Security.
Support for IPv6 Splunk Enterprise Security supports IPv6 from version Splunk Enterprise Security version 8.0 and higher as part of an Early Access release. The support for IPv6 is offered as Dual Stack networking with IPv6 fallback to IPv4 addresses. During Early Access releases, Splunk products might have limitations on customer access, features, maturity, and regional availability. For additional information on Early Access, contact Splunk Support. For more information on how to implement the IPv6 early access feature, see Enable IPv6 dual-stack functionality in the Splunk Enterprise Admin manual.
Splunk SOAR (Cloud) enhancements For more information on the new features added to Splunk SOAR (Cloud) for integrating with Splunk Enterprise Security, see Enhancements in the What's new in Splunk SOAR (Cloud) topic.
Splunk Enterprise Security is FedRAMP compliant Splunk Enterprise Security FedRAMP Moderate meets Federal Information Processing Standard (FIPS) 199 Moderate Impact Level standards.

For current compliance information, see Compliance at Splunk.

Upgrade notice for 8.0

Upgrading Splunk Enterprise Security from version 6.x or 7.x to version 8.0 is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Deprecated or removed features

The following features have been deprecated from Splunk Enterprise Security 8.0:

  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.0, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 6.0.0.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
Last modified on 20 December, 2024
  Fixed Issues

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters