
Splunk Lantern

Installing and upgrading to Splunk Enterprise Security 8x

This guide provides key installation and upgrade considerations for Splunk Enterprise Security (ES) 8.x, updated to include the latest features and enhancements in version 8.3. While this guide offers supplementary information, always refer to the official Splunk documentation for detailed steps and configurations.

Introducing Splunk Enterprise Security 8.x

Splunk Enterprise Security 8.x offers a range of new features designed to transform security operations center (SOC) workflows. With unified threat detection, investigation, and response (TDIR) workflows, modern triage capabilities, and enhanced detections, Splunk Enterprise Security 8.x helps security analysts detect what matters, investigate holistically, and respond rapidly. Key features include:

  • Splunk Mission Control integration: Natively integrated within ES, consolidating detection, investigation, and response in one interface. It includes direct integration with Splunk SOAR for seamless orchestration and automation, reducing mean time to detect (MTTD) and mean time to respond (MTTR). The familiar Incident Review page from ES 7.x is now the Analyst Queue under Splunk Mission Control.
  • Industry-standard taxonomy: Aligns with the Open Cybersecurity Schema Framework (OCSF), simplifying SOC workflows and terminology.
  • Enhanced detection and investigation: More than 1,700 pre-built security detections are continuously updated, with refinements to event-based and finding-based detections to improve accuracy and reduce noise.
  • Improved case management: The case management lifecycle and Splunk Mission Control queue design provide scalable, efficient security incident management.
  • Splunk SOAR integration: Native integration with Splunk SOAR enables automation and orchestration directly within ES. Version 8.3 continues to enhance this integration, supporting both cloud and on-premises SOAR deployments with simplified setup and expanded automation capabilities.
  • Performance and scalability: Optimizations for large-scale, hybrid, and cloud deployments improve indexer resource utilization and support high concurrency detection rules.
  • Expanded regional availability: Splunk Mission Control and Splunk SOAR features are now available in more regions on supported cloud platforms.
  • New use cases and guided insights: Enhanced guided insights accelerate incident analysis, threat intelligence enrichment, and automated threat analysis workflows.
  • Cisco integrations: Enhanced integrations with Cisco security products such as Cisco XDR, Cisco Secure Network Analytics, and Cisco AI Defense provide enriched telemetry, threat intelligence, and AI-driven risk detection within ES 8.3.

What’s new in Splunk Enterprise Security 8.3?

Building on the foundation of the earlier 8.x releases, version 8.3 introduces:

  • On-premises Splunk SOAR integration: Splunk ES now supports pairing with Splunk SOAR (on-premises), in addition to its existing cloud-based SOAR integrations. This allows security teams using on-premises/customer managed platform (CMP) deployments to run playbooks, execute SOAR actions, and review automation history directly within Splunk ES.
  • Enhanced analyst queue performance: In version 8.3, the analyst queue has received performance improvements, including faster load times and enhanced filtering options for investigations. This ensures that security analysts can access and review cases more efficiently.
  • Improved Splunk Mission Control integration: Splunk ES 8.3 introduces refinements to Mission Control workflows, enabling smoother collaboration during cross-team investigations. Analysts can now manage cases with improved case management capabilities.
  • UI improvements for intermediate findings timeline: The intermediate findings timeline visualization (formerly called the risk timeline) has been updated with enhanced interactivity, making it easier for analysts to analyze the relationship between intermediate findings and their associated risk scores.
  • Expanded regional availability: Mission Control features are available in more Splunk Cloud Platform regions, although the converged Mission Control and SOAR experience remains exclusive to AWS at release.

These updates enhance security operations workflows and improve overall platform efficiency.

Updated Splunk Enterprise Security 8.x taxonomy and terminology

ES 8.x changes some of the taxonomy and terminology used in product interfaces, bringing the language more in line with industry standards. The key changes from ES 7.3 and earlier to ES 8.x are:

ES 7.3 and earlier                              | ES 8.x
------------------------------------------------+----------------------------
Correlation search, correlation rule, risk rule | Event-based detection
Risk incident rule                              | Finding-based detection
Notable event, risk notable                     | Finding
Comment                                         | Note
MC incident, ES investigation                   | Investigation
Risk event                                      | Intermediate finding
Splunk events                                   | Events
Alerts                                          | Third-party alerts
MC incident details page                        | Investigation details page
Risk object                                     | Entity
Response plan, response template                | Response plan
Indicator, threat artifact                      | Indicator
Threat-matching searches                        | Threat-match detections
Threat match, threat activity                   | Threat findings
Artifact, evidence                              | Artifact

Implementation architecture

Hardware requirements for search heads and indexers

To run Splunk Enterprise Security 8.x, the minimum hardware specification for each search head and each indexer is:

  • CPU: 16 physical cores (or 32 vCPUs)
  • Memory: 32 GB RAM

Scaling considerations

You might need to increase the hardware specifications of your Splunk Enterprise Security deployment beyond the minimum hardware requirements based on your environment.

Splunk ES 8.3 includes performance optimizations for large-scale deployments, especially in hybrid or cloud environments. The following are specific scaling considerations unique to ES 8.3:

  • Scaling in hybrid or cloud deployments: Splunk ES 8.3 is optimized for hybrid and cloud deployments, with better support for scaling in cloud-native environments. Customers using Splunk Cloud Platform can now take advantage of enhanced resource allocation for Mission Control and SOAR integrations in supported regions.
  • Enhanced indexer resource utilization: Splunk ES 8.3 includes optimizations for indexer resource utilization, particularly for deployments with high search concurrency or complex detection rules. While the base hardware requirements remain the same, users might notice improved performance with fewer additional indexers compared to version 8.0 in similar workloads.
  • IOPS testing for virtualized environments: If you are deploying Splunk ES 8.3 in a virtualized environment, test storage IOPS across all indexers simultaneously, not one indexer at a time. Insufficient IOPS causes bottlenecks in search performance, particularly under the workloads introduced by the enhanced detections and Mission Control workflows in 8.x.
  • Detection rule complexity: Splunk ES 8.3 continues to expand capabilities for event-based and finding-based detections. If your deployment relies heavily on complex detection rules or high volumes of risk-based alerts, you might need to scale your indexers to handle increased indexing and search demands.
  • Plan for burst workloads: For on-premises deployments handling large volumes of security events (for example, during incident response or threat hunting), ensure that your infrastructure includes enough buffer capacity to absorb the burst workloads generated by the Mission Control and SOAR integrations in 8.x.

Supported deployments

Splunk Enterprise Security 8.x can be deployed:

  • On-premises
  • In Splunk Cloud Platform: Available on GCP, AWS, and Azure.
  • In hybrid environments: On-premises search heads can query cloud-based indexers.

Splunk Enterprise Security is available as a service on Splunk Cloud Platform for GCP, AWS, and Azure. Splunk Cloud Platform customers will need to work with Splunk Support to set up, manage, and maintain their cloud infrastructure.

Hybrid search with Splunk Enterprise Security is not supported on Splunk Cloud Platform: an ES search head in Splunk Cloud Platform cannot search indexers outside it. For a hybrid environment, set up an on-premises Splunk Enterprise Security search head and point it at indexers running in another cloud environment. Any hybrid search deployment must account for the added latency and bandwidth requirements, and must include adequate hardware to support the search load.

Splunk ES 8.3 also introduces support for on-premises Splunk SOAR integration, allowing on-premises deployments to pair with Splunk SOAR 6.4.1 for automation and orchestration workflows.

Virtualized environments

When deploying Splunk ES in a virtualized environment:

  • Allocate the same CPU and memory to each virtual machine that you would give the equivalent bare-metal host.
  • Reserve all CPU and memory resources for the Splunk virtual machines.
  • Do not oversubscribe the hypervisor hardware.
  • Test storage IOPS across all Splunk platform indexer nodes simultaneously, because the indexers share the underlying storage, and confirm that the IOPS match the reference hardware specification used in your environment.
  • Insufficient storage performance is the most common cause of poor search response and search timeouts when scaling the Splunk platform in a virtualized environment.
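The IOPS check above is only meaningful when every indexer is measured at the same time, because the indexers contend for the same storage. The following is an added example (not Splunk's own tooling) that builds a fio command suitable for a Splunk hot/warm volume and evaluates the JSON output that fio returns from each indexer against a reference figure. It assumes fio is installed on each indexer, that you start the command on all indexers concurrently (for example over ssh or with your configuration management tool) and collect the JSON output per host, and that the reference IOPS value is taken from the Splunk reference hardware page for your deployment; the 800 IOPS default and the sample fio output below are constructed for the illustration.

```python
"""Measure and evaluate storage IOPS across all indexers at once.

Added example, not Splunk tooling. Assumes fio on each indexer; the caller
runs the returned command on every indexer concurrently and passes the
collected JSON output to evaluate_cluster().
"""
import json
import shlex

# Assumed reference value for this illustration. Replace it with the IOPS
# figure from the Splunk reference hardware specification you deploy against.
REFERENCE_IOPS = 800


def build_fio_command(test_file, runtime_s=60, size="4G"):
    """Return the fio argv for a 4 KiB random 70/30 read/write test.

    `test_file` must live on the indexer's hot/warm volume so that the test
    exercises the storage Splunk actually searches. All flags are standard fio
    options; --output-format=json makes the result machine-readable.
    """
    return [
        "fio",
        "--name=splunk-indexer-iops",
        f"--filename={test_file}",
        "--rw=randrw", "--rwmixread=70",
        "--bs=4k", "--ioengine=libaio", "--iodepth=32", "--direct=1",
        f"--size={size}", f"--runtime={runtime_s}", "--time_based",
        "--group_reporting", "--output-format=json",
    ]


def build_ssh_command(host, argv, user="splunk"):
    """Wrap a fio argv so it can be launched on `host` over ssh."""
    return ["ssh", f"{user}@{host}", shlex.join(argv)]


def iops_from_fio_json(text):
    """Total (read + write) IOPS reported by fio --output-format=json."""
    doc = json.loads(text)
    return sum(job["read"]["iops"] + job["write"]["iops"] for job in doc["jobs"])


def evaluate_cluster(results, reference_iops=REFERENCE_IOPS):
    """results maps indexer host -> fio JSON text from concurrent runs.

    Returns (ok, per_host, failing): ok is True only when every indexer met
    the reference while the others were loading the same storage.
    """
    per_host = {host: iops_from_fio_json(text) for host, text in results.items()}
    failing = {h: v for h, v in per_host.items() if v < reference_iops}
    return (not failing), per_host, failing


# Constructed fio output for two indexers (not real measurements). idx2 is
# the shape of result that shows up when shared storage is oversubscribed.
SAMPLE_RESULTS = {
    "idx1": json.dumps({"jobs": [{"jobname": "splunk-indexer-iops",
                                  "read": {"iops": 650.3},
                                  "write": {"iops": 278.9}}]}),
    "idx2": json.dumps({"jobs": [{"jobname": "splunk-indexer-iops",
                                  "read": {"iops": 410.0},
                                  "write": {"iops": 175.5}}]}),
}

if __name__ == "__main__":
    for host in SAMPLE_RESULTS:
        print(shlex.join(build_ssh_command(
            host, build_fio_command("/opt/splunk/var/lib/splunk/fio.test"))))
    ok, per_host, failing = evaluate_cluster(SAMPLE_RESULTS)
    print("per-host IOPS:", per_host)
    print("all indexers meet reference:", ok, "failing:", failing)
```

Run the fio command on every indexer within the same minute and only then evaluate; a single indexer that passes in isolation tells you nothing about the cluster under concurrent load.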

What is the impact on existing customer managed platform (CMP) and Splunk Cloud Platform customers?

  • CMP: Download the latest version from Splunkbase and upgrade ES using the standard app upgrade process. Back up the pre-upgrade version before you start.
  • Cloud: Splunk Enterprise Security 8.x is available on Splunk Cloud Platform (Classic and Victoria experience) for GCP, AWS, and Azure, and you opt in to the upgrade. Importantly, the converged experience of ES and SOAR integration is only available to AWS customers. After you upgrade to ES 8.x, Splunk TechOps migrates your data and uninstalls the standalone Splunk Mission Control app from your ES cloud stacks.

Upgrade process

To upgrade Splunk ES to version 8.x:

  1. Back up your deployment:

    Back up your current Splunk ES configuration, including custom navigation content, local knowledge objects, and index data, so that anything the upgrade overwrites can be restored.

  2. Verify system requirements:

    Confirm your deployment meets the hardware and software specifications for Splunk ES 8.3.

  3. Download and install the latest version:

    For customer managed platform (CMP) users, download the latest version from Splunkbase.

    For Splunk Cloud Platform users, coordinate with Splunk TechOps for the upgrade.

  4. Test key features post-upgrade:

    Validate that Splunk Mission Control, Splunk SOAR integrations, and the Analyst Queue function as expected.

Customers upgrading to 8.3 might notice improved performance in Analyst Queue load times and filtering capabilities.

Detection considerations

Splunk ES 8.x introduces a distinction between event-based detections and finding-based detections:

  • Event-based detections: Run over raw events in the Splunk platform (the former correlation searches and risk rules) and generate either findings, which land in the Analyst Queue directly, or intermediate findings, which carry a risk score for an entity.
  • Finding-based detections: Run over intermediate findings (the former risk incident rules), grouping them per entity over a time window and escalating to a finding only when the group crosses the configured thresholds, which produces fewer, higher-confidence findings.

While the core concepts for event-based and finding-based detections remain the same, Splunk ES 8.3 introduces the following updates to enhance detection workflows:

  • Refinements to finding-based detections: In version 8.3, finding-based detections have been further optimized to improve the accuracy and efficiency of grouping findings into finding groups. These refinements increase the fidelity of detections, giving analysts more actionable insights with less noise. The platform now offers additional metadata fields and improved grouping logic, making detection workflows more effective in complex environments.
  • Improved performance for detection processing: Splunk ES 8.3 introduces performance enhancements that reduce the processing time for event-based detections and subsequent generation of intermediate findings and findings. This is particularly noticeable in environments with high data ingestion rates or complex detection rules.
  • UI enhancements for detection creation: The detection creation UI in version 8.3 has been refined to make it easier for users to define finding-based detections. These improvements include better grouping options and more intuitive workflows, enabling security teams to customize their detection processes more effectively.
  • Improved intermediate findings use cases: Splunk ES 8.3 emphasizes the value of intermediate findings as inputs for advanced detection workflows. Additional guidance and examples in the UI highlight how intermediate findings can be leveraged to create higher-confidence finding groups, making them more actionable within the security operations workflow.
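The two layers are easier to reason about when you can see them run. The following is an added example, run over constructed sample events: three event-based detections each emit an intermediate finding with a risk score against the user entity, and a finding-based detection sums those scores per entity over a 24-hour window and emits a finding only when the total crosses a threshold and at least two distinct detections contributed. It mirrors the concepts described above but it is not Splunk's implementation; the detections, scores, window and thresholds are assumptions chosen for the illustration, and the events are not real telemetry.

```python
"""Toy model of event-based and finding-based detections.

Added example, not Splunk ES code. Scores, window and thresholds are assumed
values; EVENTS is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T = datetime(2025, 1, 6)  # constructed base timestamp

# Constructed sample events. Only `time`, `user` and `action` are required;
# other keys depend on the action.
EVENTS = [
    {"time": T + timedelta(hours=9),      "user": "alice", "action": "login_failed", "count": 12},
    {"time": T + timedelta(hours=9, minutes=30), "user": "alice", "action": "process",
     "image": "/tmp/upd"},
    {"time": T + timedelta(hours=10),     "user": "alice", "action": "group_add", "group": "admin"},
    {"time": T + timedelta(hours=8),      "user": "bob",   "action": "login_failed", "count": 15},
    {"time": T + timedelta(hours=11),     "user": "bob",   "action": "login_ok"},
    {"time": T + timedelta(hours=9),      "user": "carol", "action": "login_failed", "count": 11},
    {"time": T + timedelta(days=3, hours=9), "user": "carol", "action": "process",
     "image": "/tmp/x"},
]

# Event-based detections: (name, predicate over one event, risk score).
# Each match becomes an intermediate finding rather than a finding.
EVENT_DETECTIONS = [
    ("Excessive failed logins",
     lambda e: e["action"] == "login_failed" and e.get("count", 0) >= 10, 20),
    ("Execution from temp directory",
     lambda e: e["action"] == "process" and e.get("image", "").startswith("/tmp/"), 40),
    ("New member of admin group",
     lambda e: e["action"] == "group_add" and e.get("group") == "admin", 60),
]


def run_event_detections(events):
    """Yield one intermediate finding per (event, matching detection)."""
    for e in events:
        for name, predicate, score in EVENT_DETECTIONS:
            if predicate(e):
                yield {"time": e["time"], "entity": e["user"],
                       "detection": name, "score": score}


def run_finding_based_detection(intermediate, window=timedelta(hours=24),
                                score_threshold=100, min_distinct=2):
    """Group intermediate findings per entity within a sliding window and emit
    a finding when the summed score reaches score_threshold and at least
    min_distinct distinct detections contributed. Contributors are cleared
    after escalation so one burst of activity yields one finding."""
    findings = []
    by_entity = defaultdict(list)
    for f in sorted(intermediate, key=lambda x: x["time"]):
        bucket = by_entity[f["entity"]]
        bucket.append(f)
        # Age out contributors that fell outside the window.
        bucket[:] = [g for g in bucket if f["time"] - g["time"] <= window]
        total = sum(g["score"] for g in bucket)
        distinct = {g["detection"] for g in bucket}
        if total >= score_threshold and len(distinct) >= min_distinct:
            findings.append({"entity": f["entity"], "score": total,
                             "contributors": sorted(distinct),
                             "first": bucket[0]["time"], "last": f["time"]})
            bucket.clear()
    return findings


if __name__ == "__main__":
    inter = list(run_event_detections(EVENTS))
    for i in inter:
        print(f"intermediate finding: {i['time']:%m-%d %H:%M} {i['entity']:6} "
              f"+{i['score']:<3} {i['detection']}")
    for f in run_finding_based_detection(inter):
        print(f"finding: {f['entity']} score={f['score']} "
              f"contributors={f['contributors']}")
```

In the sample, alice accumulates 120 across three distinct detections within an hour and is escalated; bob trips a single low-score detection and never surfaces in the queue; carol's two hits are three days apart, so the first has aged out of the window by the time the second arrives. That is the noise reduction the section describes: analysts see one finding for alice instead of six intermediate findings spread across three users.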

Compatibility with existing security products

ES 8.3 continues to build on the robust integrations and compatibility features introduced in earlier 8.x releases, ensuring seamless operation within diverse security environments. This article outlines the key compatibility aspects and considerations for ES 8.3, focusing on integration with Splunk SOAR, Splunk User Behavior Analytics (UBA), indexing, risk-based alerting, app compatibility, and upgrade best practices.

Splunk SOAR

ES 8.3 maintains comprehensive support for running Enterprise Security-based playbooks using Splunk SOAR, enabling security teams to orchestrate and automate workflows efficiently. Customers can pair their existing SOAR instances with ES 8.3 and gradually migrate case management use cases from standalone SOAR deployments to the integrated Splunk Mission Control experience. This migration path preserves existing automation and workflows without interruption.

The release enhances case management capabilities and automation, encouraging users to revisit or develop new playbooks to leverage streamlined analyst interactions with automation. Key actions such as adding a response plan, starting a response plan task, initiating a SOAR playbook, or starting a SOAR action can trigger the creation of investigations, helping analysts focus on critical aspects of security incidents.

On-premises and customer managed platform (CMP) deployments continue to benefit from direct SOAR actions and playbook integrations within ES, as introduced in previous 8.x versions.

Splunk User Behavior Analytics

Integration with Splunk User Behavior Analytics remains supported in ES 8.3 without significant changes. However, users should remain aware of considerations to avoid installation challenges and ensure smooth operation.

Indexing considerations

  • ES 8.3 supports backward compatibility for existing indexed data, ensuring that previously indexed information remains accessible and compatible with new features.
  • The updated case management lifecycle and Splunk Mission Control queue design continue to address storage and performance concerns from earlier versions, providing a scalable and efficient solution for security incident management.

RBA considerations

At release, the Adaptive Response actions keep their existing names: the "Notable" and "Risk Analysis" response actions are not renamed to "Finding" and "Intermediate Finding". Legacy risk incident rules (RIR) continue to function as before. In release 8.3, risk incident rules and finding-based detections coexist, with refinements to the migration process anticipated in a future update.

App compatibility considerations

  • Security Essentials app:
    • The Security Essentials app continues to function normally in Splunk ES 8.3. There are no known compatibility issues for this app in 8.0, 8.1, or 8.3.
  • Backward compatibility for existing data:
    • Splunk ES 8.x supports backward compatibility for existing data, ensuring that previously indexed data remains accessible and usable with the new features introduced in the 8.x series.
    • The Incident Review page from ES 7.3 is replaced by the Analyst Queue under Splunk Mission Control in the main navigation, a change introduced in 8.0 and carried into 8.3 without further changes.
  • Splunk App for PCI Compliance:
    • The Splunk App for PCI Compliance is not compatible with Splunk ES 8.x, including version 8.3. Future compatibility is planned but has not been introduced in 8.3. Users requiring PCI compliance features should watch for updates in future releases.
  • Custom Navigation content:
    • It is recommended to back up Custom Navigation content before upgrading to any version of Splunk ES 8.x, including 8.3. This ensures that custom configurations can be restored after migration, as the upgrade process might overwrite such settings.
  • General compatibility guidance:
    • For custom apps or third-party add-ons, testing in a staging or non-production environment is advised before upgrading to Splunk ES 8.x, including 8.3. This ensures compatibility and minimizes potential disruptions.

Summary

Splunk Enterprise Security 8.3 builds on the transformative 8.x platform with real-time investigations, expanded use cases, enhanced automation, and deeper integrations, including Cisco security products. It continues to empower SOC teams with unified TDIR workflows, improved detection fidelity, and scalable performance for modern security operations. For detailed installation and configuration steps, always refer to the official Splunk documentation.

Additional resources

These resources might help you understand and implement this guidance: