Upgrading to Enterprise Security 8.x - Configuration and customization

Required: Validate necessary supporting add-ons (On-Prem and CMP)

1. In the Splunk platform, navigate to Manage Apps and ensure the Splunk Enterprise Security (ES) application and all supporting add-ons (SA-*, DA-*, Mission Control) are on the appropriate versions (8.x).
2. If you upgraded via the Web UI and supporting apps have not been upgraded or installed along with the ES application, you might need to manually extract them to apps from the ‘install’ directory inside the ES directory.
3. Review the status of the Mission Control application. If it is not already enabled, enable it.
4. Restart the Splunk platform.

Required: Create and deploy new required indexes for Enterprise Security 8 (On-premises and CMP)

1. Download Splunk_TA_ForIndexers and check Include index definitions only. For instructions on downloading this add-on, click here.
2. From the downloaded app, extract indexes.conf and copy and append it to your existing base app that defines indexes.
3. Modify the coldPath, homePath and thawedPath settings to reflect the correct volume definitions.
4. Deploy the indexes app to indexers using the cluster manager or using your normal process.

The new default index definitions that need to be added are:

## missioncontrol

###### MC aux incidents ######

[mc_aux_incidents]

repFactor = auto

coldPath = $SPLUNK_DB/mc_aux_incidents/colddb

homePath = $SPLUNK_DB/mc_aux_incidents/db

thawedPath = $SPLUNK_DB/mc_aux_incidents/thaweddb

###### MC artifacts ######

[mc_artifacts]

repFactor = auto

coldPath = $SPLUNK_DB/mc_artifacts/colddb

homePath = $SPLUNK_DB/mc_artifacts/db

thawedPath = $SPLUNK_DB/mc_artifacts/thaweddb

###### MC investigations ######

[mc_investigations]

repFactor = auto

coldPath = $SPLUNK_DB/mc_investigations/colddb

homePath = $SPLUNK_DB/mc_investigations/db

thawedPath = $SPLUNK_DB/mc_investigations/thaweddb

###### MC events ######

[mc_events]

repFactor = auto

coldPath = $SPLUNK_DB/mc_events/colddb

homePath = $SPLUNK_DB/mc_events/db

thawedPath = $SPLUNK_DB/mc_events/thaweddb

###### MC old incidents ######

[mc_incidents_backup]

repFactor = auto

coldPath = $SPLUNK_DB/mc_incidents_backup/colddb

homePath = $SPLUNK_DB/mc_incidents_backup/db

thawedPath = $SPLUNK_DB/mc_incidents_backup/thaweddb

## SA-ContentVersioning

[cms_main]

homePath   = $SPLUNK_DB/cms_main/db

coldPath   = $SPLUNK_DB/cms_main/colddb

thawedPath = $SPLUNK_DB/cms_main/thaweddb

Required: Correlation search migration - CS to EBD/FBD (On-premises and CMP)

During the upgrade process, all correlation searches that were previously configured should be converted to event-based detections (EBDs). In Splunk Enterprise Security, navigate to Security Content > Content Management, and then filter to show only enabled EBDs. On the right of the screen, all enabled correlation searches should now be labeled as Event-Based Detections.

• By default, any of these detections that previously had a notable adaptive response action assigned will still create notables, now known as findings. You can spot check these by opening up the EBD in the detection editor, and ensuring the Finding Output Type is set to ‘Finding'.
• If your correlation search was previously configured only to assign risk, it will be set as an Intermediate Finding in the detection editor.
• After you modify a correlation search that was migrated, you cannot edit and save it until you specify a risk object (risk annotations are required now). As part of the upgrade process, a good practice is to validate that risk objects and annotations are assigned to each correlation search. Use the following search to identify correlation searches that do not currently have a risk object assigned:

  | rest /servicesNS/-/-/saved/searches splunk_server=local
  
  ``` Determine what Correlation search changes are required to pass ES8 Content Management validation checks after migration - run on ES7.x system ```
  
  | search disabled=0 is_scheduled=1 action.correlationsearch.enabled=1
  
  | rename "eai:acl.app" as app
  
  | eval actions=split(actions,",")
  
  | eval will_create_a_new_risk_event=if(actions in ("risk","notable"," notable"),0,1)
  
  | eval needs_risk_object=if(isnull('action.risk.param._risk_message'),1,0)
  
  | eval needs_description=if(isnull(description) OR description="",1,0)
  
  | eval needs_notable_title=if (isnull('action.notable.param.rule_title'),1,0)
  
  | eval needs_notable_description=if(isnull('action.notable.param.rule_description') OR 'action.notable.param.rule_description'="" ,1,0)
  
  | eval score=will_create_a_new_risk_event+needs_risk_object+needs_description+needs_notable_title+needs_notable_description
  
  | eval actions=split(actions,",")
  
  | sort - score 
  
  | where score > 0
  
  | table app, title, description, score, will_create_a_new_risk_event, needs_description, needs_risk_object, needs_notable_title, needs_notable_description, actions, action.notable.param.rule_title, action.notable.param.security_domain, action.risk.param._risk action.risk.param._risk_message, action.notable.param.rule_description, description

Important: Risk analysis in ES detections and risk notables (now known as findings)

The default event-based detection (not the findings-based detection version) “ATT&CK Tactic Threshold Exceeded for Object over Previous 7 Days” has the Risk Analysis section in the detection editor configured with entities of ‘risk_object_user’ and ‘risk_object_system’. These fields do not exist in the risk index or data model. Because it is configured (although incorrectly), it will allow you to save and run this detection. However, it will error out when trying to create the corresponding finding in the notable index.

There are two possible workarounds for this issue. You can either change the risk analysis configuration to assign risk to the ‘risk_object’ field, or you can add evals to account for these fields in the detection SPL. See the screenshots below:

Figure 1. Risk Analysis configuration


Figure 2. Notable creation error in cim_modactions index

Figure 3. Workaround with evals

Recommended: Custom navigation configuration (On-premises, CMP, and Cloud)

If you have a customized ES navigation bar, that will override the new navigation bar included in ES 8.x. You need to reset it back to default in order to see the new navigation bar pages for version 8.x.

1. Before the upgrade, document or snapshot the menu customizations and back up any custom views. They should not get lost in the upgrade, but this is a best practice.
2. After the upgrade, navigate to Configure > All Configurations > Navigation, and then click Restore Default Navigation.
3. To acknowledge the changes, click OK.
4. After the navigation is set back to default, verify you now see the new ES 8.x navigation with “Mission Control”, “Security Content”, etc.
5. Manually recreate any required custom navigation.

Recommended: Enable detection versioning (On-premises, CMP, and Cloud)

By default, detection versioning is disabled in Splunk Enterprise Security 8.x. If you want this functionality, you need to enable it.

1. To enable this function, navigate to General Settings > Detection Versions, and then click Turn on.
2. Wait 10 minutes. Versioning should then be enabled successfully.

Recommended: Migrate Investigations Content (On-premises, CMP, and Cloud)

If you previously created investigations in Splunk Enterprise Security 7.x, you can still review and complete them after upgrading to version Splunk Enterprise Security 8.x. With the legacy Investigations interface, you can finish your existing work, export data for reports, and maintain visibility into past findings so that you don't lose context after upgrading.

The legacy investigation interface is supported for a limited time. Start a new investigation in the analyst queue for the updated experience. For more information see:

Review and finish existing legacy investigations in Splunk Enterprise Security | Splunk Docs

Required (SOAR customers only): Pair Splunk SOAR to Enterprise Security (Cloud)

Pairing with Splunk SOAR in hybrid scenarios are now supported for on-premises or CMP deployments of Splunk Enterprise Security (ES) in version(s) 8.x. 

Official guidance for pairing with Splunk SOAR can be found at Pair Splunk SOAR (Cloud) with Splunk Enterprise Security.