Installing and upgrading to Splunk Enterprise Security 8.x
This guide provides key installation and upgrade considerations for Splunk Enterprise Security (ES) 8.x. While this guide offers supplementary information, always refer to the official Splunk documentation for detailed steps and configurations. For step-by-step guidance on the upgrade process, see Upgrading to Enterprise Security 8.0.x.
Introducing Splunk Enterprise Security 8.x
Splunk Enterprise Security 8.x offers a range of powerful new features designed to transform security operations center (SOC) workflows. With unified threat detection, investigation, and response (TDIR) workflows, modern triage capabilities, and enhanced detections, Splunk Enterprise Security 8.x empowers security analysts to detect what matters, investigate holistically, and respond rapidly. Key features include:
- Splunk Mission Control integration: Available natively in Splunk Enterprise Security, this feature consolidates detection, investigation, and response in one interface. It includes direct integration with Splunk SOAR for seamless orchestration and automation, reducing both mean time to detect (MTTD) and mean time to respond (MTTR). Additionally, the familiar Incident Review page from ES 7.x is now the Analyst Queue under Splunk Mission Control on the main ES navigation.
- Industry-standard taxonomy: The new taxonomy focuses on preparation, detection/analysis, and containment/eradication/recovery phases, aligning with both Splunk capabilities for incident response and the Open Cybersecurity Schema Framework (OCSF). This alignment makes it easier for users to understand the roles and functions of each phase in the security operations center (SOC) workflow.
What’s new in Splunk Enterprise Security 8.1?
Splunk ES 8.1 introduces several enhancements that build on the 8.x platform. Here are the key updates unique to version 8.1:
- On-premises Splunk SOAR integration: Splunk ES 8.1 now supports pairing with Splunk SOAR (on-premises), in addition to its existing cloud-based SOAR integrations. This allows security teams using on-premises/CMP deployments to run playbooks, execute SOAR actions, and review automation history directly within Splunk ES.
- Enhanced analyst queue performance: In version 8.1, the analyst queue has received performance improvements, including faster load times and enhanced filtering options for investigations. This ensures that security analysts can access and review cases more efficiently.
- Improved Splunk Mission Control integration: Splunk ES 8.1 introduces refinements to Mission Control workflows, enabling smoother collaboration during cross-team investigations. Analysts can now manage cases with improved case management capabilities.
- UI improvements for Intermediate Findings Timeline: The Intermediate Findings Timeline visualization (formerly called the Risk Timeline) has been updated with enhanced interactivity, making it easier for analysts to analyze the relationship between intermediate findings and their associated risk scores.
- Expanded regional availability: Mission Control features are available in more Splunk Cloud Platform regions, although the converged Mission Control and SOAR experience remains exclusive to AWS at release.
These updates enhance security operations workflows and improve overall platform efficiency.
Updated Splunk Enterprise Security 8.x taxonomy and terminology
ES 8.x includes some changes to taxonomy and terminology in product interfaces, bringing the language used more in line with industry standards. Key changes between ES 7.3 and earlier and ES 8.x are:

| ES 7.3 and earlier | ES 8.0 |
|---|---|
| Correlation search, correlation rule, risk rule | Event-based detection |
| Risk incident rule | Finding-based detection |
| Notable event, risk notable | Finding |
| Comment | Note |
| MC incident, ES investigation | Investigation |
| Risk event | Intermediate finding |
| Splunk events | Events |
| Alerts | Third-party alerts |
| MC incident details page | Investigation details page |
| Risk object | Entity |
| Response Plan, response template | Response Plan |
| Indicator, threat artifact | Indicator |
| Threat-matching searches | Threat-match detections |
| Threat match, threat activity | Threat findings |
| Artifact, evidence | Artifact |
Implementation architecture
Hardware requirements for search heads and indexers
To run Splunk Enterprise Security 8.x, the minimum hardware specifications are:
- CPUs: 16 physical cores, 32 vCPUs
- Memory: 32 GB RAM
Scaling considerations
You might need to increase the hardware specifications of your Splunk Enterprise Security deployment beyond the minimum hardware requirements based on your environment.
Splunk ES 8.1 includes performance optimizations for large-scale deployments, especially in hybrid or cloud environments. The following are specific scaling considerations unique to ES 8.1:
- Scaling in hybrid or cloud deployments: Splunk ES 8.1 is optimized for hybrid and cloud deployments, with better support for scaling in cloud-native environments. Customers using Splunk Cloud Platform can now take advantage of enhanced resource allocation for Mission Control and SOAR integrations in supported regions.
- Enhanced indexer resource utilization: Splunk ES 8.1 includes optimizations for indexer resource utilization, particularly for deployments with high search concurrency or complex detection rules. While the base hardware requirements remain the same, users might notice improved performance with fewer additional indexers compared to version 8.0 in similar workloads.
- IOPS testing for virtualized environments: If you are deploying Splunk ES 8.1 in a virtualized environment, ensure that storage IOPS are tested across all indexers simultaneously. Insufficient IOPS can cause bottlenecks in search performance, particularly under workloads introduced by enhanced detection and Mission Control workflows in 8.1.
- Detection rule complexity: Splunk ES 8.1 continues to expand capabilities for event-based and finding-based detections. If your deployment relies heavily on complex detection rules or high volumes of risk-based alerts, you may need to scale your indexers to handle increased indexing and search demands.
- Plan for burst workloads: For on-premises deployments handling large-scale security events (e.g., during incident response or threat hunting), ensure that your infrastructure includes sufficient buffer capacity to accommodate burst workloads generated by Mission Control and SOAR integrations in version 8.1.
Supported deployments
Splunk Enterprise Security 8.x can be deployed:
- On-premises
- In Splunk Cloud Platform: Available on GCP, AWS, and Azure.
- In hybrid environments: On-premises search heads can query cloud-based indexers.
Splunk Enterprise Security is available as a service on Splunk Cloud Platform for GCP, AWS, and Azure. Splunk Cloud Platform customers will need to work with Splunk Support to set up, manage, and maintain their cloud infrastructure.
A hybrid search configuration with Splunk Enterprise Security is not supported with Splunk Cloud Platform. For a hybrid environment, set up an on-premises Splunk Enterprise Security search head to search indexers in another cloud environment. Any hybrid search deployment configuration must account for added latency, bandwidth concerns, and include adequate hardware to support the search load.
8.1-specific update: Splunk ES 8.1 introduces support for on-premises Splunk SOAR integration, allowing on-premises deployments to pair with Splunk SOAR 6.4.1 for automation and orchestration workflows.
Virtualized environments
When deploying Splunk ES in a virtualized environment:
- Ensure equal CPU and memory allocation as in a non-virtualized bare-metal setup.
- Reserve all CPU and memory resources.
- Do not oversubscribe hardware.
- Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment.
- Note that insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.
What is the impact on existing Customer Managed Platform (CMP) and Splunk Cloud Platform customers?
- CMP: Follow the standard process to download the latest version from Splunkbase and upgrade ES to the latest version using the standard process. You should back up the pre-upgrade version.
- Cloud: Splunk Enterprise Security 8.0 will be available on Splunk Cloud Platform (Classic and Victoria experience) for GCP, AWS, and Azure. You will be given the option to opt in to the upgrade. Importantly, the converged experience of ES and SOAR integration will only be available to AWS customers. After ES customers upgrade to ES 8.0, Splunk TechOps will migrate and uninstall the Splunk Mission Control app from your ES cloud stacks.
Detection considerations
Splunk ES 8.x introduces a distinction between event-based detections and finding-based detections:
- Event-based detections: Analyze raw events from the Splunk platform to generate findings or intermediate findings.
- Finding-based detections: Group findings to escalate incidents with higher confidence.
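The split between the two detection types is easiest to see in code. The following is an added illustration written for this guide, not Splunk ES code, and it does not reproduce how ES implements detections internally: the rule names, risk scores, threshold, window, and sample events are all constructed. An event-based detection inspects one event at a time and emits an intermediate finding against an entity; a finding-based detection groups those intermediate findings per entity and escalates to a finding only when the combined risk and the variety of contributing rules justify higher confidence.

```python
"""Event-based vs finding-based detection, modelled in plain Python.

Added example for this guide; not Splunk ES code and not ES internals.
Rules, scores, threshold and sample events are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    time: int          # seconds since an arbitrary epoch (constructed)
    src_user: str      # the entity the event will be attributed to
    action: str
    bytes_out: int = 0


@dataclass
class IntermediateFinding:
    entity: str
    risk_score: int
    rule: str
    time: int


@dataclass
class Finding:
    entity: str
    total_risk: int
    contributing_rules: list


# Event-based detections: each rule looks at a single event and, on a match,
# assigns a risk score to the entity. (rule name, predicate, risk score)
EVENT_RULES = [
    ("failed_login", lambda e: e.action == "login_failure", 10),
    ("large_upload", lambda e: e.action == "upload" and e.bytes_out > 50_000_000, 40),
    ("new_admin_grant", lambda e: e.action == "grant_admin", 60),
]


def run_event_based(events):
    """Apply every event rule to every event; emit one intermediate finding per match."""
    out = []
    for e in events:
        for name, pred, score in EVENT_RULES:
            if pred(e):
                out.append(IntermediateFinding(e.src_user, score, name, e.time))
    return out


def run_finding_based(intermediate, threshold=100, window=3600, min_distinct_rules=2):
    """Group intermediate findings per entity inside a sliding time window.

    A Finding is emitted (once per entity) when the summed risk reaches the
    threshold AND at least min_distinct_rules different rules contributed.
    Requiring several distinct rules is what lifts confidence above any single
    noisy event: three failed logins alone never escalate here.
    """
    by_entity = defaultdict(list)
    for f in intermediate:
        by_entity[f.entity].append(f)

    findings = []
    for entity, items in by_entity.items():
        items.sort(key=lambda f: f.time)
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window` seconds.
            while items[end].time - items[start].time > window:
                start += 1
            group = items[start:end + 1]
            total = sum(f.risk_score for f in group)
            rules = sorted({f.rule for f in group})
            if total >= threshold and len(rules) >= min_distinct_rules:
                findings.append(Finding(entity, total, rules))
                break  # one finding per entity is enough for this illustration
    return findings


# Constructed sample events: alice is noisy but low risk, bob trips three
# different rules inside the window, carol trips one high-scoring rule alone.
SAMPLE_EVENTS = [
    Event(0, "alice", "login_failure"),
    Event(60, "alice", "login_failure"),
    Event(120, "alice", "login_failure"),
    Event(600, "bob", "login_failure"),
    Event(900, "bob", "upload", bytes_out=80_000_000),
    Event(1200, "bob", "grant_admin"),
    Event(20000, "carol", "grant_admin"),
]

if __name__ == "__main__":
    inter = run_event_based(SAMPLE_EVENTS)
    print(f"{len(inter)} intermediate findings")
    for f in run_finding_based(inter):
        print(f"finding: {f.entity} risk={f.total_risk} rules={f.contributing_rules}")
```

Run as written, only `bob` produces a finding: the three intermediate findings against him sum to 110 across three distinct rules, while `alice` (30 from one rule) and `carol` (60 from one rule) stay as intermediate findings an analyst can still pivot on.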
While the core concepts for event-based and finding-based detections remain the same, Splunk ES 8.1 introduces the following updates to enhance detection workflows:
- Refinements to finding-based detections:
- In version 8.1, finding-based detections have been further optimized to improve the accuracy and efficiency of grouping findings into finding groups. These refinements help increase the fidelity of detections, giving analysts more actionable insights with less noise.
- The platform now offers additional metadata fields and improved logic for grouping findings, making detection workflows more effective for complex environments.
- Improved performance for detection processing:
- Splunk ES 8.1 introduces performance enhancements that reduce the processing time for event-based detections and the subsequent generation of intermediate findings and findings. This is particularly noticeable in environments with high data ingestion rates or complex detection rules.
- UI enhancements for detection creation:
- The detection creation UI in version 8.1 has been refined to make it easier for users to define finding-based detections. These improvements include better grouping options and more intuitive workflows, enabling security teams to customize their detection processes more effectively.
- Improved intermediate findings use cases:
- Splunk ES 8.1 emphasizes the value of intermediate findings as inputs for advanced detection workflows. Additional guidance and examples in the UI highlight how intermediate findings can be leveraged to create higher-confidence finding groups, making them more actionable within the security operations workflow.
Compatibility with existing security products
Splunk SOAR
ES 8.0 offers the ability to run Enterprise Security-based playbooks using Splunk SOAR.
You can pair your existing SOAR instance with ES 8.0 and gradually migrate case management use cases from standalone SOAR to your new version of ES with the Splunk Mission Control experience. You can continue to use your existing automation and workflows as they existed before ES 8.0, without interruption. ES 8.0 also comes with new case management capabilities and an easier way to automate against that data, so you might want to revisit your playbooks or build new playbooks to take advantage of streamlined analyst interactions with automation.
Adding a response plan, starting a response plan task, initiating a SOAR Playbook, or starting a SOAR Action can all trigger the creation of an investigation. These manual actions help users create investigations based on specific scenarios or conditions, enabling them to focus on critical aspects of security incidents.
ES 8.0 Behavioral Analytics will be available for customers per the regional availability of the service.
Splunk ES 8.1 also introduces support for pairing with Splunk SOAR (on-premises), enabling on-premises/CMP deployments to leverage SOAR actions and playbooks directly within ES.
Splunk User Behavior Analytics
UBA integration is available with no changes, although you should be aware of several considerations to prevent installation challenges.
Indexing considerations
- Splunk Enterprise Security will support backward compatibility for existing data in ES. Index data will continue to exist and will also support the new features.
- The new case management lifecycle and Splunk Mission Control queue design address storage and performance concerns from previous versions, providing a more scalable and efficient solution for security incident management.
RBA considerations
At release, notable or risk analysis events will not be updated to "Findings/Intermediate Findings" under Adaptive Response action. Additionally, legacy risk incident rules (RIR) will continue to function as expected. In release 8.0, risk incident rules and findings-based detections will coexist with refinements to the process anticipated in a future update.
App compatibility considerations
- Security Essentials app:
- The Security Essentials app continues to function normally in Splunk ES 8.x, including version 8.1. There are no known compatibility issues for this app in either 8.0 or 8.1.
- Backward compatibility for existing data:
- Splunk ES 8.x supports backward compatibility for existing data, ensuring that previously indexed data remains accessible and usable with the new features introduced in the 8.x series.
- The ES incident review page from ES 7.3 remains accessible via the analyst queue in the main navigation, a feature introduced in 8.0 and continued in 8.1 without changes.
- Splunk App for PCI Compliance:
- The Splunk App for PCI Compliance is not compatible with Splunk ES 8.x, including version 8.1. Future compatibility is planned but has not been introduced in 8.1. Users requiring PCI compliance features should watch for updates in future releases.
- Custom Navigation content:
- It is recommended to back up Custom Navigation content before upgrading to any version of Splunk ES 8.x, including 8.1. This ensures that custom configurations can be restored after migration, as the upgrade process may overwrite such settings.
- General compatibility guidance:
- For custom apps or third-party add-ons, testing in a staging or non-production environment is advised before upgrading to Splunk ES 8.x, including 8.1. This ensures compatibility and minimizes potential disruptions.
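Two pieces of the guidance above are easy to automate before a CMP upgrade: checking the search head against the 8.x hardware minimum (16 physical cores / 32 vCPUs, 32 GB RAM) and backing up the `local` directories that hold custom navigation and other customizations. The following preflight script is an added example for this guide, not Splunk's own tooling. It assumes a Linux search head; the physical-core estimate (vCPUs divided by two) and the idea that custom navigation lives under an app's `local/data/ui/nav` are assumptions, so pass the app `local` paths from your own deployment rather than relying on a guessed location.

```python
"""Pre-upgrade preflight for a customer-managed Splunk ES search head.

Added example, not Splunk tooling. Checks host resources against the ES 8.x
minimum stated in this guide and archives the app `local` directories you
name, writing a SHA-256 manifest so the backup can be verified before any
rollback. Paths and the physical-core heuristic are assumptions.
"""
import hashlib
import os
import sys
import tarfile
import time
from pathlib import Path

# Minimums from the hardware requirements section above.
MIN_PHYSICAL_CORES = 16
MIN_VCPUS = 32
MIN_RAM_GB = 32


def meets_minimum(physical_cores, vcpus, ram_gb):
    """Return a list of shortfalls; an empty list means the host meets the minimum."""
    problems = []
    if physical_cores < MIN_PHYSICAL_CORES:
        problems.append(f"physical cores {physical_cores} < {MIN_PHYSICAL_CORES}")
    if vcpus < MIN_VCPUS:
        problems.append(f"vCPUs {vcpus} < {MIN_VCPUS}")
    if ram_gb < MIN_RAM_GB:
        problems.append(f"RAM {ram_gb:.1f} GB < {MIN_RAM_GB} GB")
    return problems


def host_resources():
    """Best-effort read of the local Linux host.

    Physical core count is not exposed portably, so it is approximated as
    vCPUs // 2 (assumes SMT is enabled); adjust if your hosts differ.
    """
    vcpus = os.cpu_count() or 0
    ram_gb = 0.0
    try:
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    ram_gb = int(line.split()[1]) / (1024 * 1024)  # kB -> GB
                    break
    except OSError:
        pass  # not Linux; RAM check will report a shortfall of 0 GB
    return vcpus // 2, vcpus, ram_gb


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_dirs(dirs, dest, stamp=None):
    """Archive each directory to dest/<app>-<stamp>.tar.gz plus a SHA-256 manifest.

    Returns (list_of_archive_paths, manifest_path). Refuses to continue if a
    source is missing, so a typo cannot silently produce an empty backup.
    """
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    archives, manifest_lines = [], []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            raise FileNotFoundError(f"backup source missing: {d}")
        # Name the archive after the app so several local/ dirs do not collide.
        app_name = d.parent.name if d.name == "local" else d.name
        archive = dest / f"{app_name}-{stamp}.tar.gz"
        with tarfile.open(str(archive), "w:gz") as tar:
            tar.add(str(d), arcname=f"{app_name}/{d.name}")
        archives.append(archive)
        manifest_lines.append(f"{sha256_file(archive)}  {archive.name}")
    manifest = dest / f"manifest-{stamp}.sha256"
    manifest.write_text("\n".join(manifest_lines) + "\n")
    return archives, manifest


def verify_manifest(manifest):
    """Re-hash every archive named in the manifest; True only if all digests match."""
    manifest = Path(manifest)
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        if sha256_file(manifest.parent / name) != digest:
            return False
    return True


if __name__ == "__main__":
    # Usage: python es_preflight.py <backup_dest> <app_local_dir> [<app_local_dir> ...]
    # e.g.   python es_preflight.py /var/backups/es $SPLUNK_HOME/etc/apps/<your_app>/local
    shortfalls = meets_minimum(*host_resources())
    print("hardware OK" if not shortfalls else "shortfalls: " + "; ".join(shortfalls))
    if len(sys.argv) > 2:
        archives, manifest = backup_dirs(sys.argv[2:], sys.argv[1])
        print("wrote", ", ".join(a.name for a in archives), "verified:", verify_manifest(manifest))
```

The hardware check is deliberately separated from the host probe so the comparison can be run against numbers from a capacity plan as well as against the live host, and the manifest is written with the two-space format that `sha256sum -c` understands, so the archives can also be verified from the shell after the upgrade.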
Additional resources
These resources might help you understand and implement this guidance:
- YouTube: Enterprise Security 8.0 workflows