Splunk® Security Essentials

Release Notes


What's new in Splunk Security Essentials

The security content delivery endpoint for Splunk Enterprise Security Content Update (ESCU) has been updated to comply with Splunk guidance. If you are using Splunk Security Essentials version 3.7.1 or lower, the last supported ESCU version is 4.22.0. To get the latest ESCU version, upgrade Splunk Security Essentials to version 3.8.0. For more information, see What's new in 3.8.0.

What's new in 3.3.0

This release of Splunk Security Essentials includes the following enhancements:

New Feature or Enhancement | Description
--- | ---
All new visualization for ESCU/Splunk Security Research content | The visualization has a new look, with added options to easily deploy all necessary lookups, macros, and schedule searches.
Custom bookmark statuses | All bookmarks are now stored in the KV Store, and you can set custom bookmark statuses from the Manage Bookmarks dashboard. For more information, see Track your content with the Manage Bookmarks dashboard.
New location for Splunk Security Essentials documentation | The Splunk Security Essentials documentation has been moved to the Splunk documentation site at https://docs.splunk.com/Documentation/SSE.
Additional documentation in Splunk Security Essentials | Offline docs have been added under the Documentation menu, as well as links back to the security research GitHub release notes under the Configuration tab.
Added the Zero Trust category | The Zero Trust category was added to the Security Content page.
Added new data source auto detections | Added Aruba, Carbon Black, Cisco Meraki, Cylance Protect, Darktrace, F5 BigIP, FireEye, Google (new sourcetypes), Infoblox IDS, Menlo Security, Proofpoint, Varonis IDS/DLP, and Zscaler.
Added new detections for privileged user monitoring | These detections include multiple account deletions by an administrator, multiple accounts disabled by an administrator, multiple account passwords changed by an administrator, and a new detection that finds credit card numbers using the Luhn algorithm.
Search MITRE ATT&CK techniques on the Security Content page | You can now search for a list of MITRE ATT&CK techniques on the Security Content page. This lets you copy technique lists directly from external threat reports into Splunk Security Essentials to find detections that align with a specific threat.
ES Use Case Library updates | The ES Use Case Library is now populated when you install the app. Any future content updates added from the Security Content API are added to the ES Use Case Library automatically.
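The credit card detection listed above relies on the Luhn checksum to separate real card numbers from other digit runs. The following is an added illustration of that logic run over constructed sample events; it is not the Splunk Security Essentials detection itself, and the regular expression, field names and sample events are assumptions made for the example.

```python
import re
from typing import List, Tuple

# PAN-like candidates: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run (which is more likely an ID or a timestamp).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) checksum: double every second digit from the right, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(event: str) -> List[str]:
    """Return the digit strings in an event that look like a PAN and pass the Luhn check.
    Luhn is a checksum, not proof: some other identifiers (for example IMEIs) also pass,
    so a production detection should add issuer-prefix (BIN) and field-context checks."""
    hits = []
    for m in CANDIDATE_RE.finditer(event):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits

def mask(pan: str) -> str:
    """Keep only the first six (BIN) and last four digits so the alert does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample events (not real data); 4111... and 5500... are well-known test PANs.
SAMPLE_EVENTS = [
    'POST /checkout card=4111-1111-1111-1111 status=200',
    'device_id=4111111111111112 firmware=2.1',          # 16 digits but fails Luhn
    'txn_ts=1711440000123456 order=42',                  # timestamp, fails Luhn
    'user=alice note="card 5500 0000 0000 0004 on file"',
]

def scan(events: List[str]) -> List[Tuple[str, str]]:
    """Return (event, masked PAN) pairs for every Luhn-valid candidate found."""
    return [(line, mask(pan)) for line in events for pan in find_card_numbers(line)]

if __name__ == "__main__":
    for line, masked in scan(SAMPLE_EVENTS):
        print(f"possible PAN {masked} in: {line}")
```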

What's new in 3.2.2

This release of Splunk Security Essentials includes the following enhancements:

New Feature or Enhancement | Description
--- | ---
New software object added to the Security Content and Analytics Advisor pages | This field helps you find techniques and associated detections linked to hacker tools.
MITRE framework pre-attack information | Added the updates released in ATT&CK v8. The PRE-ATT&CK matrix has been deprecated and merged into the standard Enterprise matrix. The existing detections mapped to PRE-ATT&CK are reassigned to techniques in the new "PRE" tactics.
Network matrix | Browse and filter detections in the new network matrix.
New data types supported | Added support for Zoom, BlueCat DNS, and DHCP data types.
Security Content updates | Added a new filter on the Security Content page to filter for available Splunk Phantom playbooks. The MITRE ATT&CK Technique menu on the Security Content page now includes the ID for each technique.
MITRE ATT&CK Matrix updates | Added a new filter to the MITRE ATT&CK Matrix to filter for MITRE ATT&CK software. The MITRE ATT&CK Matrix is now backward compatible with Splunk v7, but the sub-techniques aren't rendered; they are not nested as they are on v8.
Content update | You can force a content update using the Configuration menu. For more information, see Customize Splunk Security Essentials in the Use Splunk Security Essentials manual.

What's new in 3.2.1

This release of Splunk Security Essentials includes the following enhancements:

New Feature or Enhancement | Description
--- | ---
Automatic updates for Security Research Content | Security Content from the Splunk Research team is now automatically downloaded into Splunk Security Essentials using the Splunk Security Content API.
Support for ES 6.3+ Annotations Framework | Enabling detections through Splunk Security Essentials populates the Annotations Framework with MITRE ATT&CK, Kill Chain, NIST, CIS, and some Splunk Security Essentials fields.
UI Improvements for Content Mapping | These UI improvements help you maintain your content in Splunk Security Essentials and map it to your environment. You can also map multiple saved searches to a single piece of content and still have enrichment for Notables and Risk Objects.
Bug Fixes | Many bug fixes made it into this release.

What's new in 3.0

This release of Splunk Security Essentials includes the following enhancements:

New Feature or Enhancement | Description
--- | ---
New Home Page | The app has a revamped home page that details how to use Splunk Security Essentials, including prerequisites and other recommended features.
Functionality Tours | In-app tours are available for all of the app's features. You can access these tours by navigating to the new home page.
UBA Content | The UBA content shown in the app is revamped and now includes all the rules, models, and relationships in UBA for both anomalies and threats.
Better ESCU Viz and Auto-Update | When a new ESCU release comes out, the Configuration menu item turns green, and on your next page load the new content appears.
Websites | You can access Splunk Security Essentials through the website splunksecurityessentials.com and the documentation at docs.splunksecurityessentials.com.
Content Recommendation Dashboards for MITRE ATT&CK and RBA | The MITRE ATT&CK Content Recommendation dashboard looks at the techniques that MITRE has shown to be popular among many threat groups. It filters for detections you have the data to support and that can address the problems you're trying to solve. The Risk-based Alerting dashboard uses a similar method but is tailored to the needs of users just getting started with Risk-based Alerting.
Azure and GCP Friendly | GCP and Azure versions were added to our ten core AWS searches.
CIM Compliance Check | This release includes CIM compliance checks on the key fields most commonly used by security detections.
Demo Mode | From the new home page, you can toggle demo mode on or off. This setting is configured globally for all users on the system and is off by default.
UX Overhaul | Improved UX based on feedback from Splunk Security Essentials users.
Promotion from Beta for Analytics Advisor, Data Inventory, and Data Availability | We promoted the Analytics Advisor, Data Inventory, and Data Availability dashboards to general availability.
Bug Fixes | Many bug fixes made it into this release.
Last modified on 26 March, 2024

This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0