Splunk® Enterprise Security

Release Notes

Release notes for Splunk Enterprise Security

Splunk Enterprise Security version 8.0.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.

When you upgrade to Splunk Enterprise Security version 8.0.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance. See Upgrade notice for 8.0.x.

You must have Splunk SOAR to use playbooks. Otherwise, the option to use playbooks is hidden.

Splunk Enterprise Security version 8.0.x is not compatible with the Splunk app for PCI compliance. if your Splunk Enterprise Security installation relies on the PCI app, do not upgrade to Splunk Enterprise Security version 8.0.x.

Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.

The Splunk Enterprise Security Health app is installed but is disabled for all Splunk Cloud customers. This app is enabled by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

What's new

Splunk Enterprise Security version 8.0.1 was released on December 5, 2024 and includes no new enhancements.

Upgrade notice for 8.0.x

Upgrading Splunk Enterprise Security from version 6.x or 7.x to version 8.0.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Deprecated or removed features

The following features have been deprecated from Splunk Enterprise Security 8.0.x:

  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.0, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

End of Life

  • Splunk Add-on for NetFlow announced: March 18, 2019 | Ends: June 16, 2019
  • Splunk Add-on for Tenable announced: April 8, 2019 | Ends: July 7, 2019

Updated add-ons

The Common Information Model Add-on is updated to version 6.0.1.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
Last modified on 16 December, 2024
  Fixed issues

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters