Installing and upgrading to Splunk Enterprise Security 8.x
This guide provides key installation and upgrade considerations for Splunk Enterprise Security (ES) 8.x. While this guide offers supplementary information, always refer to the official Splunk documentation for detailed steps and configurations.
Introducing Splunk Enterprise Security 8.x
Splunk Enterprise Security 8.x offers a range of powerful new features designed to transform Security Operations Center (SOC) workflows. With unified threat detection, investigation, and response (TDIR) workflows, modern triage capabilities, and enhanced detections, Splunk Enterprise Security 8.x empowers security analysts to detect what matters, investigate holistically, and respond rapidly. Key features include:
- Splunk Mission Control integration: Available natively in Splunk Enterprise Security, this feature consolidates detection, investigation, and response in one interface. It includes direct integration with Splunk SOAR for seamless orchestration and automation, reducing both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). Additionally, the familiar Incident Review page from ES 7.x is now the Analyst Queue under Splunk Mission Control on the main ES navigation.
- Industry-standard taxonomy: The new taxonomy focuses on preparation, detection/analysis, and containment/eradication/recovery phases, aligning with both Splunk capabilities for incident response and the Open Cybersecurity Schema Framework (OCSF). This alignment makes it easier for users to understand the roles and functions of each phase in the Security Operations Center (SOC) workflow.
Updated Splunk Enterprise Security 8.x taxonomy and terminology
ES 8.x includes some changes to taxonomy and terminology in product interfaces, bringing the language used more in line with industry standards. Key changes from ES 7.3 and earlier to ES 8.x are:
| ES 7.3 and earlier | ES 8.0 |
|---|---|
| Correlation search, correlation rule, risk rule | Event-based detection |
| Risk incident rule | Finding-based detection |
| Notable event, risk notable | Finding |
| Comment | Note |
| MC incident, ES investigation | Investigation |
| Risk event | Intermediate finding |
| Splunk events | Events |
| Alerts | Third-party alerts |
| MC incident details page | Investigation details page |
| Risk object | Entity |
| Response Plan, response template | Response Plan |
| Indicator, threat artifact | Indicator |
| Threat-matching searches | Threat-match detections |
| Threat match, threat activity | Threat findings |
| Artifact, evidence | Artifact |
Implementation architecture
Hardware requirements for search heads and indexers
To run Splunk Enterprise Security 8.x, the minimum hardware specifications are:
- CPUs: 16 physical cores, 32 vCPUs
- Memory: 32 GB RAM
Scaling considerations
You might need to increase the hardware specifications of your Splunk Enterprise Security deployment beyond the minimum hardware requirements based on your environment.
Increase the number of indexers in your deployment to scale with higher search load and search concurrency. The Splunk platform uses indexers to scale horizontally. The number of indexers required in an ES deployment varies based on the data volume, data type, retention requirements, search type, and search concurrency.
Supported deployments
Splunk Enterprise Security 8.0 can be deployed on-premises, on Splunk Cloud Platform, or in a hybrid environment.
Splunk Enterprise Security is available as a service on Splunk Cloud Platform for GCP, AWS, and Azure. Note that at release, the converged experience of ES and SOAR integration is only available to AWS customers. The Splunk Cloud Platform deployment architecture varies based on data and search load. Splunk Cloud Platform customers will need to work with Splunk Support to set up, manage, and maintain their cloud infrastructure.
Virtualized environments
When deploying Splunk ES in a virtualized environment:
- Ensure equal CPU and memory allocation as in a non-virtualized bare-metal setup.
- Reserve all CPU and memory resources.
- Do not oversubscribe hardware.
- Test the storage IOPS across all Splunk platform indexer nodes simultaneously to ensure that the IOPS match the reference hardware specification used in your environment.
- Note that insufficient storage performance is a common cause for poor search response and timeouts when scaling the Splunk platform in a virtualized environment.
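As an added example (not Splunk's own tooling), the following POSIX shell preflight script compares the host it runs on against the minimum specification above (16 physical cores, 32 vCPUs, 32 GB RAM). It assumes a Linux host with `lscpu` and `/proc/meminfo`; the function names and the `ES_PREFLIGHT_RUN` variable are this example's own. It deliberately does not benchmark storage, because the IOPS measurement the virtualization notes call for must be run concurrently across all indexer nodes with a dedicated tool.

```shell
#!/bin/sh
# es_preflight.sh - added example, not Splunk tooling: compare this host with
# the ES 8.x minimums (16 physical cores, 32 vCPUs, 32 GB RAM).
# Assumes Linux with lscpu and /proc/meminfo. A value that cannot be read is
# reported as 0 so a missing tool surfaces as a FAIL instead of a crash.

ES_MIN_CORES=16
ES_MIN_VCPUS=32
ES_MIN_MEM_GB=32

# Logical CPUs visible to the OS (what a hypervisor presents as vCPUs).
vcpu_count() {
    n=$(nproc 2>/dev/null) || n=$(grep -c '^processor' /proc/cpuinfo 2>/dev/null)
    echo "${n:-0}"
}

# Distinct (core, socket) pairs from lscpu = physical cores, SMT siblings excluded.
physical_core_count() {
    n=$(lscpu -p=Core,Socket 2>/dev/null | grep -v '^#' | sort -u | wc -l)
    echo "${n:-0}" | tr -d ' '
}

# Total RAM in whole GiB, read from /proc/meminfo.
mem_gb() {
    n=$(awk '/^MemTotal:/ {printf "%d\n", $2 / 1024 / 1024}' /proc/meminfo 2>/dev/null)
    echo "${n:-0}"
}

# check_minimum CORES VCPUS MEM_GB: prints PASS/FAIL per item, returns 0 only
# if every observed value meets the minimum.
check_minimum() {
    cores=$1; vcpus=$2; mem=$3; rc=0
    for spec in "physical cores:$cores:$ES_MIN_CORES" \
                "vCPUs:$vcpus:$ES_MIN_VCPUS" \
                "memory GB:$mem:$ES_MIN_MEM_GB"; do
        name=${spec%%:*}; rest=${spec#*:}; have=${rest%%:*}; need=${rest#*:}
        if [ "$have" -ge "$need" ]; then
            printf 'PASS %-15s %s (minimum %s)\n' "$name" "$have" "$need"
        else
            printf 'FAIL %-15s %s (minimum %s)\n' "$name" "$have" "$need"
            rc=1
        fi
    done
    return $rc
}

# Gather the live values and report them.
run_preflight() {
    echo "ES 8.x hardware preflight on $(hostname 2>/dev/null || echo unknown-host)"
    check_minimum "$(physical_core_count)" "$(vcpu_count)" "$(mem_gb)"
    echo "Reminder: measure storage IOPS on all indexers concurrently with a"
    echo "benchmarking tool such as fio; this script does not test disks."
}

# Inspect this host unless the caller only wants the functions (ES_PREFLIGHT_RUN=0).
if [ "${ES_PREFLIGHT_RUN:-1}" != 0 ]; then
    run_preflight || echo "RESULT: host does not meet the ES 8.x minimums."
fi
```

Run it on each search head and indexer before the upgrade; a single FAIL line means the host is below the published minimum, and the scaling notes above explain why a busy environment may need more than that. Values come from the OS, so on a VM they reflect what the hypervisor exposes, not what is reserved for it; confirm the reservation in the hypervisor separately.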
A hybrid search configuration with Splunk Enterprise Security is not supported with Splunk Cloud Platform. For a hybrid environment, set up an on-premises Splunk Enterprise Security search head to search indexers in another cloud environment. Any hybrid search deployment configuration must account for added latency, bandwidth concerns, and include adequate hardware to support the search load.
What is the impact on existing Customer Managed Platform (CMP) and Splunk Cloud Platform customers?
- CMP: Download the latest version from Splunkbase and upgrade ES using the standard process. Back up the pre-upgrade version first.
- Cloud: Splunk Enterprise Security 8.0 will be available on Splunk Cloud Platform (Classic and Victoria experience) for GCP, AWS, and Azure. You will be given the option to opt in to the upgrade. Importantly, the converged experience of ES and SOAR integration will only be available to AWS customers. After ES customers upgrade to ES 8.0, Splunk TechOps will migrate and uninstall the Splunk Mission Control app from your ES cloud stacks.
Compatibility with existing security products
Splunk SOAR
ES 8.0 offers the ability to run Enterprise Security-based playbooks using Splunk SOAR.
You can pair your existing SOAR instance with ES 8.0 and gradually migrate case management use cases from standalone SOAR to your new version of ES with the Splunk Mission Control experience. You can continue to use your existing automation and workflows as they existed before ES 8.0, without interruption. ES 8.0 also comes with new case management capabilities and an easier way to automate against that data, so you might want to revisit your playbooks or build new playbooks to take advantage of streamlined analyst interactions with automation.
Adding a response plan, starting a response plan task, initiating a SOAR Playbook, or starting a SOAR Action can all trigger the creation of an investigation. These manual actions help users create investigations based on specific scenarios or conditions, enabling them to focus on critical aspects of security incidents.
ES 8.0 Behavioral Analytics will be available for customers per the regional availability of the service.
Splunk User Behavior Analytics
UBA integrates with ES 8.0 with no changes, although you should be aware of several considerations to avoid installation challenges.
Indexing considerations
- Splunk Enterprise Security will support backward compatibility for existing data in ES. Index data will continue to exist and will also support the new features.
- The new case management lifecycle and Splunk Mission Control queue design address storage and performance concerns from previous versions, providing a more scalable and efficient solution for security incident management.
Detection considerations
- Event-based detections look directly at raw events sent to the Splunk platform and might output intermediate findings or findings, while finding-based detections consider findings generated by event-based detections and might output finding groups. This division helps users distinguish between initial threat detection and further analysis based on existing findings.
- A finding contains details about what the analytic calculated or observed, including a timestamp, key/value pairs, entity information, summary information, and metadata such as tactics, techniques, confidence, impact, risk score, and threat objects. This comprehensive information helps users quickly understand security incidents and respond accordingly. An easy-to-use UI allows customers to create finding-based detections using common ways to group findings, providing high-fidelity output for analysts to begin investigating. This capability enables users to tailor their threat detection and response processes to their specific environment and needs.
- An intermediate finding is a record of notable behaviors that signal notable activities but are not likely to be security incidents on their own. They serve as lower-level alerts that can be used as input for more advanced finding-based detections, which group them together with other findings and raise confidence that a security incident is likely.
- Intermediate findings are not meant for analysts to triage as they represent notable behaviors that signal notable activities but are not likely to be security incidents on their own.
RBA considerations
At release, notable or risk analysis events will not be updated to "Findings/Intermediate Findings" under Adaptive Response action. Additionally, legacy risk incident rules (RIR) will continue to function as expected. In release 8.0, risk incident rules and findings-based detections will coexist with refinements to the process anticipated in a future update.
App compatibility considerations
- The Security Essentials app will continue to function as normal.
- Enterprise Security will support backward compatibility for existing data in ES. This means that the ES Incident Review page from ES 7.3 will be available from the new Analyst Queue in the main navigation.
- The Splunk App for PCI compliance is not compatible with ES 8.0. However, future release compatibility is planned.
- Back up your Custom Navigation content before you upgrade so that you can restore custom configurations after migration.
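The two backup recommendations on this page (back up the pre-upgrade version for CMP deployments, and back up Custom Navigation content before upgrading) can be scripted. The following POSIX shell script is an added example, not Splunk's own tooling: it archives the ES app directory, keeps a separate plain copy of the custom navigation file, records the version being replaced, and writes a SHA-256 checksum so the archive can be verified before you rely on it. It assumes the ES app lives at `$SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite` and that custom navigation is stored at `local/data/ui/nav/default.xml` inside that app; confirm both paths against your deployment before use. The function names and `.info` sidecar file are this example's own.

```shell
#!/bin/sh
# es_backup.sh - added example, not Splunk tooling: archive the ES app and its
# custom navigation before an upgrade, with a SHA-256 checksum for later checks.
# Assumed layout (verify against your deployment):
#   $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite                   ES app
#   $SPLUNK_HOME/etc/apps/SplunkEnterpriseSecuritySuite/local/data/ui/nav/default.xml
#                                                                        custom nav
ES_APP=SplunkEnterpriseSecuritySuite
NAV_REL=local/data/ui/nav/default.xml

# Portable SHA-256 of one file: sha256sum on Linux, shasum on macOS.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# backup_es SPLUNK_HOME DEST_DIR: prints the archive path; returns non-zero on error.
backup_es() {
    splunk_home=$1; dest=$2
    app_dir="$splunk_home/etc/apps/$ES_APP"
    [ -d "$app_dir" ] || { echo "ES app not found at $app_dir" >&2; return 1; }
    mkdir -p "$dest" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/es-pre-upgrade-$stamp.tar.gz"
    # Record which ES version is being replaced so the backup is self-describing.
    ver=$(awk -F= '/^version/ {gsub(/ /, "", $2); print $2}' \
              "$app_dir/default/app.conf" 2>/dev/null | head -1)
    printf 'app=%s\nversion=%s\ntaken=%s\n' "$ES_APP" "${ver:-unknown}" "$stamp" \
        > "$dest/es-pre-upgrade-$stamp.info"
    # Archive relative to etc/apps so the tarball restores into place with tar -C.
    tar -C "$splunk_home/etc/apps" -czf "$archive" "$ES_APP" || return 1
    # Keep the custom navigation as a plain file too; it is the item most often
    # hand-restored after migration.
    if [ -f "$app_dir/$NAV_REL" ]; then
        cp "$app_dir/$NAV_REL" "$dest/es-custom-nav-$stamp.xml" || return 1
    else
        echo "note: no custom navigation file at $app_dir/$NAV_REL" >&2
    fi
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE: returns 0 if the archive matches its recorded SHA-256
# and actually contains the ES app directory; 1 otherwise.
verify_backup() {
    archive=$1
    [ -f "$archive" ] && [ -f "$archive.sha256" ] || return 1
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
    tar -tzf "$archive" | grep -q "^$ES_APP/" || return 1
}

# Usage: sh es_backup.sh SPLUNK_HOME DEST_DIR   (e.g. /opt/splunk /var/backups/es)
if [ $# -ge 1 ]; then
    archive=$(backup_es "$1" "${2:-./es-backup}") && verify_backup "$archive" \
        && echo "verified $archive"
fi
```

Run it as the Splunk user on the ES search head before starting the upgrade, and store the destination directory off the search head. The checksum check is what makes the backup trustworthy at restore time: verify the archive again after copying it, not only when it was written.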
Additional resources
These resources might help you understand and implement this guidance:
- YouTube: Enterprise Security 8.0 workflows