Release notes for Splunk Enterprise Security
Splunk Enterprise Security version 8.0 is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
When you upgrade to Splunk Enterprise Security version 8.0, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance. See Upgrade notice for 8.0.
You must have Splunk SOAR to use playbooks. Otherwise, the option to use playbooks is hidden.
Splunk Enterprise Security version 8.0 is not compatible with the Splunk app for PCI compliance. if your Splunk Enterprise Security installation relies on the PCI app, do not upgrade to Splunk Enterprise Security version 8.0.
Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
The Splunk Enterprise Security Health app is installed but is disabled for all Splunk Cloud customers. This app is enabled by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.
Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
What's new
Splunk Enterprise Security version 8.0.0 was released on October 30, 2024 and includes the following new enhancements:
New feature | Description |
---|---|
Unified UI for threat detection, investigation, and response (TDIR) workflows | Ability to pair Splunk SOAR playbooks and actions with the case management features of Splunk Enterprise Security and Splunk Mission Control to collaborate and run investigations effectively. For more information on using Splunk Enterprise Security with Splunk SOAR, see Integration of Splunk SOAR with Splunk Enterprise Security. |
New analyst queue to manage analyst workflows | Ability to use the analyst queue on the Mission Control page for a centralized view of all findings, intermediate findings, and investigations for a faster and easier triage. The analyst queue offers a new layout with restyled and reorganized columns, new actions such as Run playbook, Assign to me, Add to investigation, nested findings, ability to create and edit findings, and so on. For more information on the analyst queue, see Manage analyst workflows using the analyst queue in Splunk Enterprise Security. |
Side panel with the analyst queue to interact with findings | Ability to interact with findings and investigations without leaving the analyst queue. Use the side-panel to:
|
Improved detection authoring capability with risk-based alerting | Ability to build high-confidence groups of findings using two newly designed editors for event-based and finding-based detections. You can author detections based on risk and common security techniques to improve aggregation and triage capabilities without a complex knowledge of the search processing language (SPL). For more information on event-based and finding-based detections, see Use detections to search for behavioral patterns in Splunk Enterprise Security. |
Detection versioning | Ability to save new versions and back-up old versions of detections. For more information on detection versioning, see Use detection versioning in Splunk Enterprise Security and Create multiple versions of a detection in Splunk Enterprise Security. |
Reorganized navigation and configuration menus | Navigation and configuration menus are reorganized into easy-to-understand categories and streamlined workflows. |
Simplified terminology | New terminology for detections, findings, and investigation workflows that aligns to the Open Cybersecurity Schema Framework (OCSF) for a seamless experience. For more information on the changed terms, see Glossary and Splunk Enterprise Security terminology. |
Investigation overview panel | Ability to review details of the investigation, view and manage findings within the investigation, and integrate with Splunk SOAR. |
Analytics dashboards | Reorganized all Splunk Enterprise Security dashboards under the Analytics tab for easy review and accessibility. |
Enhanced capability to add notes | Improvements to the Comments feature available in prior versions of Splunk Enterprise Security. For more information on the new Notes feature, see Collaborate on investigations in Splunk Enterprise Security. |
Support for IPv6 | Splunk Enterprise Security supports IPv6 from version Splunk Enterprise Security version 8.0 and higher as part of an Early Access release. The support for IPv6 is offered as Dual Stack networking with IPv6 fallback to IPv4 addresses. During Early Access releases, Splunk products might have limitations on customer access, features, maturity, and regional availability. For additional information on Early Access, contact Splunk Support. For more information on how to implement the IPv6 early access feature, see Enable IPv6 dual-stack functionality in the Splunk Enterprise Admin manual. |
Splunk SOAR (Cloud) enhancements | For more information on the new features added to Splunk SOAR (Cloud) for integrating with Splunk Enterprise Security, see Enhancements in the What's new in Splunk SOAR (Cloud) topic. |
Splunk Enterprise Security is FedRAMP compliant | Splunk Enterprise Security FedRAMP Moderate meets Federal Information Processing Standard (FIPS) 199 Moderate Impact Level standards.
For current compliance information, see Compliance at Splunk. |
Upgrade notice for 8.0
Upgrading Splunk Enterprise Security from version 6.x or 7.x to version 8.0 is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
See Upgrade Splunk Enterprise Security.
Deprecated or removed features
The following features have been deprecated from Splunk Enterprise Security 8.0:
- Incident Review row expansion is no longer available.
- Enhanced workflows are no longer available.
- Sequence templates are no longer available.
- The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
- Service level agreements (SLAs) and role-based incident type filtering are not available.
- The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
- Workbench and workbench related views such as
ess_investigation_list
,ess_investigation_overview
, andess_investigation
have been removed. - Capabilities such as
edit_timeline
andmanage_all_investigations
have been removed. - The Comments feature is replaced by an enhanced capability to add notes.
- In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.0, you can no longer require a note when an analyst updates a finding in the analyst queue.
Add-ons
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
End of Life
- Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
- Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019
Updated add-ons
The Common Information Model Add-on is updated to version 6.0.0.
Libraries
The following libraries are included in this release:
- Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
- Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
- Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
Fixed Issues |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0
Feedback submitted, thanks!