Splunk Enterprise Security Release Notes

Last updated: Sep 17, 2025

  • Sep 9, 2025
    • Parsed from source:
      Sep 9, 2025
    • Detected by Releasebot:
      Sep 17, 2025
    • Modified by Releasebot:
      Oct 10, 2025

    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8.2

    Splunk Enterprise Security 8.2.x rolls out the AI Assistant, enhanced investigations, and expanded APIs across 8.2.0 to 8.2.3, plus TAXII 2 support and improved finding groups. The upgrade guidance warns that the upgrade is a one-way operation and calls for a backup first; many features and add-ons are deprecated or moved.

    What's new

    What's new in 8.2.3

    Splunk Enterprise Security version 8.2.3 was released on October 7, 2025 and includes patch fixes. For more information, see Splunk Enterprise Security 8.2.3 fixed issues.

    What's new in 8.2.2

    Splunk Enterprise Security version 8.2.2 was released on September 24, 2025 and includes a patch fix. See Splunk Enterprise Security 8.2.2 fixed issues.

    What's new in 8.2.1

    Splunk Enterprise Security version 8.2.1 was released on September 17, 2025 and includes the following new enhancements:

    • AI Assistant improvements: You can now use the AI Assistant to summarize individual findings in the analyst queue. For details, see Summarize findings with the AI Assistant. You can also choose between Frontier or Splunk-hosted models for the AI Assistant to use based on your organization's compliance requirements. See Choose which models the AI Assistant uses.
    • Hybrid pairing with Splunk SOAR: You can now pair Enterprise Security (Cloud) with a single Splunk SOAR (On-premises) instance. For details, see Splunk SOAR compatibility later in the release notes and Pair Splunk Enterprise Security with Splunk SOAR.

    What's new in 8.2.0

    Splunk Enterprise Security version 8.2.0 was released on September 9, 2025 and includes the following new enhancements:

    • AI Assistant for investigations: Summarize findings, get an SPL search, and generate an investigation report with the AI Assistant. See Scenario: Jordan uses the AI Assistant to summarize an investigation and generate SPL. Note: The AI Assistant for Splunk Enterprise Security is not available by default. An administrator must reach out to their account management team to get started.
    • Version activity for detections: Ability to view the version activity of a detection. For more information, see Use detection versioning in Splunk Enterprise Security.
    • Detection audit trail: Monitor when detections are turned on or off, modified, or deployed, including who made changes and when. This is essential for compliance and change management of security rules.
    • Testing detections in the detection editor: Ability to evaluate detection performance and efficiency within your SOC workflow by testing detections and reviewing search results. For more information, see Validate detections in Splunk Enterprise Security.
    • Validate the SPL of a custom finding-based detection: Ability to validate the SPL query conditions for a custom finding-based detection in the detection editor. For more information, see Guidelines to create a custom finding-based detection.
    • Viewing notes on the findings or finding groups included in an investigation: Ability to view notes on the findings or finding groups that are included in an investigation to get the complete context of linked findings when reviewing investigations. For more information, see Create and share notes on an investigation.
    • Option to keep finding groups closed: Ability to configure in the detection editor whether closed finding groups are reopened or not if additional findings or intermediate findings are added to the finding group. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Lookback finding groups: Ability to create lookback finding groups to group historical findings based on the first time the detection runs. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Overlap finding groups: Ability to create overlap finding groups to prevent overlooking edge cases that might represent risk. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
    • Button options for filtering the analyst queue by type: Findings, Investigations, Finding groups, or All types. Quickly filter the analyst queue by type using the buttons above the queue. See Filter the findings and investigations.
    • Making notes optional or required: Enforce notes or make them optional when an analyst updates a finding or investigation. See Make notes required or optional.
    • Making note titles optional or required: Change the note title requirement setting to make note titles required or optional when analysts update a finding or investigation. See Make note titles required or optional.
    • ESSID-I-426: Hiding duplicate findings that have been added to an investigation. A finding that is part of an investigation can appear both nested under the investigation and also as a separate listing in the analyst queue. You can opt to show the finding in both locations, or you can hide the finding so that it only appears nested under an investigation. See Hide or show duplicate findings that have been added to an investigation.
    • Redesigned quick actions in the analyst queue: Refresh the analyst queue manually or with auto-refresh, now in the quick actions menu at the top of the analyst queue. See Refresh the analyst queue.
    • ESSID-I-425, ESSID-I-457: Syncing changes with included findings. Apply changes made in an investigation or finding group to all of its included findings. See Sync changes with included findings.
    • Optimizing storage with KV Store retention policy: Turn on the KV Store retention policy to automatically remove old records from KV Store collections based on a configured time-based or size-based policy. See Optimizing storage with KV Store retention policy.
    • ESSID-I-465: Expanded API capabilities: Create findings, add findings to investigations, and create, read, update, and delete notes.
    • Adding a TAXII 2 threat intelligence feed: Splunk Enterprise Security versions 8.2 and later now support TAXII version 2.0 and TAXII version 2.1. Add threat intelligence from a TAXII 2 feed to Splunk Enterprise Security. See Add a TAXII 2 feed.
    • Other key highlights:
      • Your preferences for viewing charts, timelines, filters, and the count on the analyst queue persist throughout your session.
      • Findings that are part of an investigation are hidden from the top level of the Analyst Queue by default so that you can focus on actionable alerts.
      • New Splunk Enterprise Security APIs are now searchable using the SPL REST command.
      • Performance-based enhancements: Search ID reuse improves load times across the Analyst Queue and investigations by reusing the results of cached search jobs.
      • SAML user token support is no longer required for native SOAR functionality.

    Upgrade notice for 8.x

    Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
    When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    See Upgrade Splunk Enterprise Security.
    Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.
    Other important notes for upgrading include the following:

    • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security

    Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

    Compatibility and support

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features

    The following features have been deprecated from Splunk Enterprise Security 8.x:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.
    • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

    Add-ons

    Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
    Note: Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
    To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.

    • DA-ESS-AccessProtection
    • DA-ESS-EndpointProtection
    • DA-ESS-IdentityManagement
    • DA-ESS-NetworkProtection
    • DA-ESS-ThreatIntelligence
    • SA-AccessProtection
    • SA-AuditAndDataProtection
    • SA-EndpointProtection
    • SA-IdentityManagement
    • SA-NetworkProtection
    • SA-ThreatIntelligence
    • Splunk_SA_CIM
    • Splunk_SA_Scientific_Python_linux_x86_64
    • SplunkEnterpriseSecuritySuite
    • Splunk_ML_Toolkit

    Deprecated or removed add-ons

    Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
    The following technology add-ons are removed from the installer, but still supported:

    • Splunk Add-on for Blue Coat ProxySG
    • Splunk Add-on for McAfee
    • Splunk Add-on for Juniper
    • Splunk Add-on for Microsoft Windows
    • Splunk Add-on for Oracle Database
    • Splunk Add-on for OSSEC
    • Splunk Add-on for RSA SecurID
    • Splunk Add-on for Sophos
    • Splunk Add-on for FireSIGHT
    • Splunk Add-on for Symantec Endpoint Protection
    • Splunk Add-on for Unix and Linux
    • Splunk Add-on for Websense Content Gateway

    The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

    • TA-airdefense
    • TA-alcatel
    • TA-cef
    • TA-fortinet
    • TA-ftp
    • TA-nmap
    • TA-tippingpoint
    • TA-trendmicro

    Updated add-ons

    The Common Information Model Add-on is updated to version 6.2.0.

    Libraries

    The following libraries are included in this release:

    • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
    • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
    • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
  • Jul 17, 2025
    • Parsed from source:
      Jul 17, 2025
    • Detected by Releasebot:
      Oct 3, 2025

    Splunk Enterprise Security by Splunk

    Splunk Enterprise Security 8.1.1

    Splunk Enterprise Security 8.1.x adds detection version comparisons, UI improvements, SOAR pairing, and a revamped detections editor plus API and threat intel enhancements. It also covers upgrade notices, compatibility, deprecated features, add-ons, and bundled libraries.

    What's new in 8.x

    What's new in 8.1.1

    Splunk Enterprise Security 8.1.1 was released on July 17, 2025. It resolves the issues described in Fixed issues.

    What's new in 8.1.0

    Splunk Enterprise Security version 8.1.0 was released on June 10, 2025 and includes the following new enhancements:

    • New feature: Comparison between versions of detections
      Description: Ability to compare the differences between detection versions to determine if an outdated version is turned on or to troubleshoot a detection that is generating false positive alerts. For more information, see Reviewing differences between detection versions.

    • New feature: UI improvements to the Intermediate findings timeline visualization
      Description: Enhanced ability to interact with the visualization to analyze the relationship between intermediate findings and their associated risk scores. The Intermediate findings timeline visualization was previously referred to as the Risk timeline visualization in Splunk Enterprise Security versions 8.0.x. For more information on this visualization, see Reviewing findings using the intermediate findings timeline in Splunk Enterprise Security, Access the intermediate findings timeline to review findings in Splunk Enterprise Security.

    • New feature: Pairing with Splunk SOAR (On-premises)
      Description: You can now pair Splunk SOAR (On-premises), in addition to pairing with Splunk SOAR (Cloud) to run actions, run playbooks, and review automation history in Splunk Enterprise Security. For more information, see Pair Splunk Enterprise Security with Splunk SOAR. For compatibility information, see Splunk SOAR compatibility in the Splunk Enterprise Security Compatibility matrix article.

    • New feature: Enhancements to the detection editor
      Description: The following improvements to the detection editor are included in this release:

      • Use only event-based detections to create finding groups
      • Select security annotations from various cyber-security frameworks using the drop-down menu in the detection editor
      • Multiple drill-down searches associated with a detection can no longer have the same name
      • Ability to delete a drill-down search with the same name if it is not the first drill down search
      • Ability to view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor
      • Improve search experience by automatically expanding the tokens in the titles and descriptions of findings and detections prior to storing the findings and finding groups in the notable index.
      • Preview the search and test the search results for the finding-based detection in the detection editor to ensure that the detection fits your use case.
      • PCI governance controls added as annotation to monitor PCI DSS 4.0 requirements

      For more information on improvements to the user interface for creating detections, see Create finding groups in Splunk Enterprise Security, Add annotations to detections in Splunk Enterprise Security, Modify drill-down searches to use uniquely identifiable keys, Troubleshoot drill-down searches in Splunk Enterprise Security, Suppress and modify specific fields within finding-based detections, Expand tokens in findings and detections to improve the search experience, Create finding-based detections in Splunk Enterprise Security.

    • New feature: Reduced alert noise on the analyst queue since event-based detections can generate both findings and intermediate findings
      Description: Event-based detections can be configured to generate both findings and intermediate findings with assigned risk scores that can be modified to reflect accurate risk levels. For more information, see Event-based detections, Assign risk using risk modifiers in Splunk Enterprise Security.

    • New feature: Support for Splunk API
      Description: The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security. Additionally, Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search and build integration applications for use with Splunk Enterprise Security. For more information, see Splunk Enterprise Security API reference.

    • New feature: Intelligence summary for findings in the analyst queue
      Description: Review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on that finding. Threat intelligence attributes include threat actors, MITRE tactics, CVEs, and malware associated with one or more observables present in the finding. For more information, see Review threat intelligence attributes for a finding in Splunk Enterprise Security, Fields containing observables in Splunk Enterprise Security.

    • New feature: New default views in a collapsible side panel for filtering the analyst queue
      Description: Filter the analyst queue by new default views such as Owned by me or Risk score. In a new collapsible side panel, you can select from different saved views to make the triage process easier. For more information, see Filter by a default view in the analyst queue, Manage saved views.

    Upgrade notice for 8.x

    Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

    • When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
    • If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
    • See Upgrade Splunk Enterprise Security.
    • Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

    Other important notes for upgrading include the following:

    • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
    • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

    Share threat data in Splunk Enterprise Security

    Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

    Compatibility and support

    • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
    • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

    Deprecated or removed features

    The following features have been deprecated from Splunk Enterprise Security 8.x:

    • Configuring the investigation type macro is no longer available.
    • Incident Review row expansion is no longer available.
    • Enhanced workflows are no longer available.
    • Sequence templates are no longer available.
    • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
    • Service level agreements (SLAs) and role-based incident type filtering are not available.
    • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
    • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
    • Capabilities such as edit_timeline and manage_all_investigations have been removed.
    • The Comments feature is replaced by an enhanced capability to add notes.
    • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

    Add-ons

    • Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
    • Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.
    • Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
    • To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
      • DA-ESS-AccessProtection
      • DA-ESS-EndpointProtection
      • DA-ESS-IdentityManagement
      • DA-ESS-NetworkProtection
      • DA-ESS-ThreatIntelligence
      • SA-AccessProtection
      • SA-AuditAndDataProtection
      • SA-EndpointProtection
      • SA-IdentityManagement
      • SA-NetworkProtection
      • SA-ThreatIntelligence
      • Splunk_SA_CIM
      • Splunk_SA_Scientific_Python_linux_x86_64
      • SplunkEnterpriseSecuritySuite
      • Splunk_ML_Toolkit

    Deprecated or removed add-ons

    Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
    The following technology add-ons are removed from the installer, but still supported:

    • Splunk Add-on for Blue Coat ProxySG
    • Splunk Add-on for McAfee
    • Splunk Add-on for Juniper
    • Splunk Add-on for Microsoft Windows
    • Splunk Add-on for Oracle Database
    • Splunk Add-on for OSSEC
    • Splunk Add-on for RSA SecurID
    • Splunk Add-on for Sophos
    • Splunk Add-on for FireSIGHT
    • Splunk Add-on for Symantec Endpoint Protection
    • Splunk Add-on for Unix and Linux
    • Splunk Add-on for Websense Content Gateway

    The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

    • TA-airdefense
    • TA-alcatel
    • TA-cef
    • TA-fortinet
    • TA-ftp
    • TA-nmap
    • TA-tippingpoint
    • TA-trendmicro

    Updated add-ons

    • The Common Information Model Add-on is updated to version 6.1.0.

    Libraries

    The following libraries are included in this release:

    • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
    • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
    • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0
