Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links to older versions produce redirect errors. To resolve redirect errors, use the version selector on the ES documentation homepage to navigate between the versions.

Release notes for Splunk Enterprise Security

Find the following information on the Splunk Enterprise Security version 8.1.0 release:

What's new

Splunk Enterprise Security version 8.1.0 was released on June 10, 2025 and includes the following new enhancements:

New feature / Description

Comparison between versions of detections
  Ability to compare the differences between detection versions to determine if an outdated version is turned on or to troubleshoot a detection that is generating false positive alerts. For more information, see Reviewing differences between detection versions.

UI improvements to the Intermediate findings timeline visualization
  Enhanced ability to interact with the visualization to analyze the relationship between intermediate findings and their associated risk scores. The Intermediate findings timeline visualization was previously referred to as the Risk timeline visualization in Splunk Enterprise Security versions 8.0.x. For more information on this visualization, see

Pairing with Splunk SOAR (On-premises)
  You can now pair Splunk SOAR (On-premises), in addition to Splunk SOAR (Cloud), to run actions, run playbooks, and review automation history in Splunk Enterprise Security. For more information, see Pair Splunk Enterprise Security with Splunk SOAR. For compatibility information, see Splunk SOAR compatibility in the Splunk Enterprise Security Compatibility matrix article.

Enhancements to the detection editor
  The following improvements have been included for the detection editor in this release:

  • Use only event-based detections to create finding groups
  • Select security annotations from various cyber-security frameworks using the drop-down menu in the detection editor
  • Multiple drill-down searches associated with a detection can no longer have the same name
  • Ability to delete a drill-down search with the same name if it is not the first drill-down search
  • Ability to view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor
  • Improved search experience: tokens in the titles and descriptions of findings and detections are expanded automatically before the findings and finding groups are stored in the notable index
  • Preview the search and test the search results for a finding-based detection in the detection editor to ensure that the detection fits your use case
  • PCI governance controls added as an annotation to monitor PCI DSS 4.0 requirements

  For more information on improvements to the user interface for creating detections, see

Reduced alert noise on the analyst queue, since event-based detections can generate both findings and intermediate findings
  Event-based detections can be configured to generate both findings and intermediate findings with assigned risk scores that can be modified to reflect accurate risk levels.

  For more information, see

Support for the Splunk Enterprise Security API
  The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security. Additionally, Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search, and to build integration applications for use with Splunk Enterprise Security.

Intelligence summary for findings in the analyst queue
  Review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on that finding. Threat intelligence attributes include threat actors, MITRE tactics, CVEs, and malware associated with one or more observables present in the finding.

  For more information, see

New default views in a collapsible side panel for filtering the analyst queue
  Filter the analyst queue by new default views such as Owned by me or Risk score. In a new collapsible side panel, you can select from different saved views to make the triage process easier.

  For more information, see

Upgrade notice for 8.x

Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

Other important notes for upgrading include the following:

  • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
  • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Share threat data in Splunk Enterprise Security

Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is introduced only for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

Compatibility and support

  • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
  • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

Deprecated or removed features

The following features have been deprecated from Splunk Enterprise Security 8.x:

  • Configuring the investigation type macro is no longer available.
  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.

To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of these add-ons is not turned on, Splunk Support is notified automatically and ensures that all the required add-ons are turned on.

  • DA-ESS-AccessProtection
  • DA-ESS-EndpointProtection
  • DA-ESS-IdentityManagement
  • DA-ESS-NetworkProtection
  • DA-ESS-ThreatIntelligence
  • SA-AccessProtection
  • SA-AuditAndDataProtection
  • SA-EndpointProtection
  • SA-IdentityManagement
  • SA-NetworkProtection
  • SA-ThreatIntelligence
  • Splunk_SA_CIM
  • Splunk_SA_Scientific_Python_linux_x86_64
  • SplunkEnterpriseSecuritySuite
  • Splunk_ML_Toolkit
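The two prerequisites above, a source version of at least 7.3.2 and every listed add-on turned on, can be checked before an 8.x upgrade is started. The script below is an added example, not Splunk's own tooling: it evaluates the JSON shape returned by the Splunk REST endpoint /services/apps/local?output_mode=json (an "entry" list whose items carry "name" and a "content" object with "version" and "disabled"). The response it runs against is a constructed sample, and the function names are ours; on a real search head you would feed it the output of an authenticated GET against that endpoint.

```python
"""Pre-upgrade readiness check for Splunk Enterprise Security 8.x.

Added example. Assumes the apps/local REST response shape:
{"entry": [{"name": "<app>", "content": {"version": "x.y.z", "disabled": bool}}]}
The sample response below is constructed, not captured from a live system.
"""

# Minimum on-premises source version named in the release notes.
MIN_SOURCE_VERSION = (7, 3, 2)

# Add-ons the release notes require to be turned on (order is kept for reporting).
REQUIRED_ADDONS = [
    "DA-ESS-AccessProtection",
    "DA-ESS-EndpointProtection",
    "DA-ESS-IdentityManagement",
    "DA-ESS-NetworkProtection",
    "DA-ESS-ThreatIntelligence",
    "SA-AccessProtection",
    "SA-AuditAndDataProtection",
    "SA-EndpointProtection",
    "SA-IdentityManagement",
    "SA-NetworkProtection",
    "SA-ThreatIntelligence",
    "Splunk_SA_CIM",
    "Splunk_SA_Scientific_Python_linux_x86_64",
    "SplunkEnterpriseSecuritySuite",
    "Splunk_ML_Toolkit",
]


def parse_version(text):
    """Turn '7.3.2' or '8.1.0-<build>' into a comparable integer tuple.

    Anything after the first '-' is a build suffix and is ignored; parsing
    stops at the first non-numeric dotted component.
    """
    parts = []
    for piece in text.split("-")[0].split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def installed_apps(apps_local_json):
    """Map app name -> (enabled, version) from an apps/local response."""
    apps = {}
    for entry in apps_local_json.get("entry", []):
        content = entry.get("content", {})
        apps[entry["name"]] = (not content.get("disabled", False),
                               content.get("version", ""))
    return apps


def readiness_report(apps_local_json):
    """Return a list of blocking problems; an empty list means ready."""
    apps = installed_apps(apps_local_json)
    problems = []

    es = apps.get("SplunkEnterpriseSecuritySuite")
    if es is None:
        problems.append("SplunkEnterpriseSecuritySuite is not installed")
    elif parse_version(es[1]) < MIN_SOURCE_VERSION:
        problems.append(
            f"ES {es[1]} is below 7.3.2; upgrade to 7.3.2 before moving to 8.x")

    for name in REQUIRED_ADDONS:
        state = apps.get(name)
        if state is None:
            problems.append(f"{name} is not installed")
        elif not state[0]:
            problems.append(f"{name} is installed but turned off")
    return problems


def _entry(name, version, disabled=False):
    """Build one constructed apps/local entry."""
    return {"name": name, "content": {"version": version, "disabled": disabled}}


# Constructed sample: ES 7.3.2 with one required add-on disabled and one missing.
SAMPLE_APPS_LOCAL = {
    "entry": [_entry(n, "7.3.2") for n in REQUIRED_ADDONS
              if n not in ("SA-ThreatIntelligence", "Splunk_ML_Toolkit")]
    + [_entry("SA-ThreatIntelligence", "7.3.2", disabled=True),
       _entry("search", "9.0.0")]
}

if __name__ == "__main__":
    for problem in readiness_report(SAMPLE_APPS_LOCAL) or ["ready for upgrade"]:
        print(problem)
```

Run against the constructed sample, the report flags SA-ThreatIntelligence as turned off and Splunk_ML_Toolkit as missing; both must be resolved before the one-way upgrade, and the KV Store backup described above should be taken regardless of the report.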

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

Updated add-ons

The Common Information Model Add-on is updated to version 6.1.0.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
Last modified on 12 June, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0
