Upgrading to Enterprise Security 8.x - Compatibility checks
This article is part of a comprehensive guide to help you upgrade or migrate pre-8.x Splunk Enterprise Security deployments to Splunk Enterprise Security 8.x. If you do not feel comfortable completing these steps on your own and would prefer assistance in completing the upgrade, contact our Professional Services experts.
Before planning an upgrade, please review the following advisories regarding applications that might be installed in your environment.
Mothership
Mothership’s core functionality (sending SPL to remote environments) remains compatible with ES 8.x. Dashboards such as Multi-ES Incident Review, Multi-ES Security Posture, and Multi-ES Incident Review Dashboard Studio continue to work out of the box. Some features, however, break in ES 8.x and will require updates to the Mothership app:
- ES 8.x taxonomy changes: Notable references (for example, multi_es_security_posture_view) require updates to align with the ES 8.x taxonomy.
- Finding groups & roll-up findings: In ES 8.x, AQ FBD findings can be grouped and expanded. However, in Mothership, child findings do not appear when pulling in parent findings, which breaks the grouping relationship.
These limitations apply to both the ES Mothership App for Splunk and the Mothership App for Splunk.
Splunk SOAR
The following SOAR configurations are not supported in ES 8.x:
- Container labels to segregate roles/access to incidents and investigations
Risk Notable Playbook Pack (SOAR RNPP)
The SOAR RNPP was designed to work with Splunk Enterprise Security 7.x. The preferred way to integrate ES 8.x with SOAR is to complete the ES/SOAR pairing process. Having ES and SOAR paired gives you access to all the newest features of the integration. However, you can continue to use the SOAR RNPP with ES 8.x.
Security operational model architectures (Centralized SOC/RBAC/multitenancy)
If you use any of the configuration states defined here, do NOT upgrade to Splunk Enterprise Security 8.x.
- Segregation of data where multiple business units (customers) send data into a single Splunk/ES stack.
- The SOC differentiates notable events by business units (customer) where multiple customers are sending data into a single Splunk/ES stack.
- You use role-based access control (RBAC) to restrict users to dedicated indexes and/or dashboards.
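The third configuration state above can be checked mechanically before you plan the upgrade, because index-scoped roles live in authorize.conf. The following script is an added example for this article, not a Splunk-provided tool: it parses an authorize.conf, resolves index access inherited through importRoles (Splunk unions a role's srchIndexesAllowed with that of the roles it imports), and reports every role whose effective search scope lacks the `*` wildcard. The role names, index names and conf content are constructed for the example.

```python
"""Pre-upgrade check for the RBAC/multitenancy state that blocks ES 8.x.

Added example for this article (not a Splunk-provided tool). It parses a
Splunk authorize.conf and reports roles whose effective search scope is
limited to dedicated indexes. The sample conf content below is constructed.
"""
import configparser
from typing import Dict, List, Optional, Set

# Constructed sample authorize.conf: two tenant-scoped analyst roles, a
# read-only role that inherits its scope, and an unrestricted SOC lead role.
SAMPLE_AUTHORIZE_CONF = """
[role_ess_analyst_tenant_a]
importRoles = ess_analyst
srchIndexesAllowed = tenant_a_main;tenant_a_notable
srchIndexesDefault = tenant_a_main

[role_ess_analyst_tenant_a_ro]
importRoles = ess_analyst_tenant_a

[role_ess_analyst_tenant_b]
importRoles = ess_analyst
srchIndexesAllowed = tenant_b_*
srchIndexesDefault = tenant_b_main

[role_soc_lead]
importRoles = ess_admin
srchIndexesAllowed = *;_*
srchIndexesDefault = main
"""

ROLE_PREFIX = "role_"


def parse_roles(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {role_name: {key: value}} for every [role_*] stanza."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case, e.g. srchIndexesAllowed
    parser.read_string(conf_text)
    return {
        section[len(ROLE_PREFIX):]: dict(parser[section])
        for section in parser.sections()
        if section.startswith(ROLE_PREFIX)
    }


def _split(value: str) -> List[str]:
    """Split a ';'-separated authorize.conf value into clean tokens."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_indexes(role: str, roles: Dict[str, Dict[str, str]],
                      seen: Optional[Set[str]] = None) -> List[str]:
    """Index patterns a role can search: its own srchIndexesAllowed plus
    everything inherited through importRoles. Roles not defined in this
    file (for example ES built-ins such as ess_analyst) contribute nothing,
    so review them separately."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:
        return []
    seen.add(role)
    allowed = _split(roles[role].get("srchIndexesAllowed", ""))
    for parent in _split(roles[role].get("importRoles", "")):
        for idx in effective_indexes(parent, roles, seen):
            if idx not in allowed:
                allowed.append(idx)
    return allowed


def restricted_index_roles(conf_text: str) -> Dict[str, List[str]]:
    """Roles whose effective scope excludes the '*' wildcard and therefore
    grant access only to dedicated indexes: the configuration state this
    article says must be resolved before upgrading to ES 8.x."""
    roles = parse_roles(conf_text)
    restricted: Dict[str, List[str]] = {}
    for name in roles:
        allowed = effective_indexes(name, roles)
        if allowed and "*" not in allowed:
            restricted[name] = allowed
    return restricted


def upgrade_blocked(conf_text: str) -> bool:
    """True if at least one role is scoped to dedicated indexes."""
    return bool(restricted_index_roles(conf_text))


if __name__ == "__main__":
    for role, indexes in restricted_index_roles(SAMPLE_AUTHORIZE_CONF).items():
        print(f"BLOCKER: role {role} is scoped to {';'.join(indexes)}")
    print("upgrade blocked:", upgrade_blocked(SAMPLE_AUTHORIZE_CONF))
```

Run it against the merged configuration rather than a single file, for example the output of `splunk btool authorize list --debug` with the debug path column stripped, so roles defined in app-local copies are included. The check covers only the RBAC state; the first two states (per-business-unit data segregation and per-business-unit notable handling) have to be confirmed by reviewing how inputs route to indexes and how correlation searches and notable handling are scoped, which authorize.conf alone does not show.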

