Installing and upgrading to Splunk Enterprise Security 8x

What’s new in Splunk Enterprise Security 8.1?

Splunk ES 8.1 introduces several enhancements that build on the 8.x platform. Here are the key updates unique to version 8.1:

• On-premises Splunk SOAR integration: Splunk ES 8.1 now supports pairing with Splunk SOAR (on-premises), in addition to its existing cloud-based SOAR integrations. This allows security teams using on-premises/CMP deployments to run playbooks, execute SOAR actions, and review automation history directly within Splunk ES.
• Enhanced analyst queue performance: In version 8.1 the analyst queue has received performance improvements, including faster load times and enhanced filtering options for investigations. This ensures that security analysts can access and review cases more efficiently.
• Improved Splunk Mission Control integration: Splunk ES 8.1 introduces refinements to Mission Control workflows, enabling smoother collaboration during cross-team investigations. Analysts can now manage cases with improved case management capabilities.
• UI improvements for Intermediate Findings Timeline: The Intermediate Findings Timeline visualization (formerly called the Risk Timeline) has been updated with enhanced interactivity, making it easier for analysts to analyze the relationship between intermediate findings and their associated risk scores.
• Expanded regional availability: Expanded regional availability for Mission Control features on Splunk Cloud Platform, although the converged Mission Control and SOAR experience remains exclusive to AWS at release.

These updates enhance security operations workflows and improve overall platform efficiency.

Hardware requirements for search heads and indexers

To run Splunk Enterprise Security 8.x, the minimum hardware specifications are:

• CPUs: 16 physical cores, 32 vCPUs
• Memory: 32 GB RAM

Scaling considerations

You might need to increase the hardware specifications of your Splunk Enterprise Security deployment beyond the minimum hardware requirements based on your environment.

Splunk ES 8.1 includes performance optimizations for large-scale deployments, especially in hybrid or cloud environments. The following are specific scaling considerations unique to ES 8.1:

• Scaling in hybrid or cloud deployments: Splunk ES 8.1 is optimized for hybrid and cloud deployments, with better support for scaling in cloud-native environments. Customers using Splunk Cloud Platform can now take advantage of enhanced resource allocation for Mission Control and SOAR integrations in supported regions.
• Enhanced indexer resource utilization: Splunk ES 8.1 includes optimizations for indexer resource utilization, particularly for deployments with high search concurrency or complex detection rules. While the base hardware requirements remain the same, users might notice improved performance with fewer additional indexers compared to version 8.0 in similar workloads.
• IOPS testing for virtualized environments: If you are deploying Splunk ES 8.1 in a virtualized environment, ensure that storage IOPS are tested across all indexers simultaneously. Insufficient IOPS can cause bottlenecks in search performance, particularly under workloads introduced by enhanced detection and Mission Control workflows in 8.1.
• Detection rule complexity: Splunk ES 8.1 continues to expand capabilities for event-based and finding-based detections. If your deployment relies heavily on complex detection rules or high volumes of risk-based alerts, you may need to scale your indexers to handle increased indexing and search demands.
• Plan for burst workloads: For on-premises deployments handling large-scale security events (e.g., during incident response or threat hunting), ensure that your infrastructure includes sufficient buffer capacity to accommodate burst workloads generated by Mission Control and SOAR integrations in version 8.1.

Virtualized environments

When deploying Splunk ES in a virtualized environment:

• Ensure equal CPU and memory allocation as in a non-virtualized bare-metal setup.
• Reserve all CPU and memory resources.
• Do not oversubscribe hardware.
• Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment.
• Note that insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.

Splunk SOAR

ES 8.0 offers the ability to run Enterprise Security-based playbooks using Splunk SOAR.

You can pair your existing SOAR instance with ES with 8.0 and gradually migrate case management use cases from standalone SOAR to your new version of ES with Splunk Mission Control experience. You can continue to use your existing automation and workflows in ways that existed before ES 8.0, without interruption. ES 8.0 also comes with new case management capabilities, and an easier way to automate against that data, so you might want to revisit your playbooks or build new playbooks to take advantage of streamlined analyst interactions with automation.

Adding a response plan, starting a response plan task, initiating a SOAR Playbook, or starting a SOAR Action can all trigger the creation of an investigation. These manual actions help users create investigations based on specific scenarios or conditions, enabling them to focus on critical aspects of security incidents.

ES 8.0 Behavioral Analytics will be available for customers per the regional availability of the service.

Splunk ES 8.1 also introduces support for pairing with Splunk SOAR (on-premises), enabling on-premises/CMP deployments to leverage SOAR actions and playbooks directly within ES.

Splunk User Behavior Analytics

UBA is available to integrate and with no changes, although you should be aware of several considerations to prevent installation challenges.

Indexing considerations

• Splunk Enterprise Security will support backward compatibility for existing data in ES. Index data will continue to exist and will also support the new features.
• The new case management lifecycle and Splunk Mission Control queue design address storage and performance concerns from previous versions, providing a more scalable and efficient solution for security incident management.

RBA considerations

At release, notable or risk analysis events will not be updated to "Findings/Intermediate Findings" under Adaptive Response action. Additionally, legacy risk incident rules (RIR) will continue to function as expected. In release 8.0, risk incident rules and findings-based detections will coexist with refinements to the process anticipated in a future update.

App compatibility considerations

• Security Essentials app:
  • The Security Essentials app continues to function normally in Splunk ES 8.x, including version 8.1. There are no known compatibility issues for this app in either 8.0 or 8.1.
• Backward compatibility for existing data:
  • Splunk ES 8.x supports backward compatibility for existing data, ensuring that previously indexed data remains accessible and usable with the new features introduced in the 8.x series.
  • The ES incident review page from ES 7.3 remains accessible via the analyst queue in the main navigation, a feature introduced in 8.0 and continued in 8.1 without changes.
• Splunk App for PCI Compliance:
  • The Splunk App for PCI Compliance is not compatible with Splunk ES 8.x, including version 8.1. Future compatibility is planned but has not been introduced in 8.1. Users requiring PCI compliance features should watch for updates in future releases.
• Custom Navigation content:
  • It is recommended to back up Custom Navigation content before upgrading to any version of Splunk ES 8.x, including 8.1. This ensures that custom configurations can be restored after migration, as the upgrade process may overwrite such settings.
• General compatibility guidance:
  • For custom apps or third-party add-ons, testing in a staging or non-production environment is advised before upgrading to Splunk ES 8.x, including 8.1. This ensures compatibility and minimizes potential disruptions.