Upgrading to Enterprise Security 8.0.x - Compatibility checks
This article is part of a comprehensive guide to help you upgrade or migrate pre-8.x Splunk Enterprise Security deployments to Splunk Enterprise Security 8. 0. x. If you do not feel comfortable completing these steps on your own and would prefer assistance in completing the upgrade, contact our Professional Services experts.
Before planning an upgrade, please review the following advisories regarding applications that might be installed in your environment.
Splunk PCI
There is not currently a version of the Splunk PCI application that is compatible with Splunk Enterprise Security 8.0.x. A future release of the app is being worked on, and support for the PCI app is tentatively slated for Enterprise Security 8.1.x.
If you are running either Splunk App for PCI Compliance - Splunk Enterprise or Splunk App for PCI Compliance - Splunk Enterprise Security, do not proceed any further. Do NOT upgrade to Splunk Enterprise Security 8.0.x.
Mothership
Mothership’s core functionality (sending SPL to remote environments) remains compatible with ES 8.0.x. Dashboards such as Multi-ES Incident Review, Multi-ES Security Posture, and Multi-ES Incident Review Dashboard Studio continue to work out of the box. There are some issues, however, that break in ES 8.0.x, and will require updates to the Mothership app:
- ES 8.0.x taxonomy changes: Notable references (for example,
multi_es_security_posture_view
) require updates to align with the ES 8.0.x taxonomy - Finding groups & roll-up findings: In ES 8.0.x, AQ FBD findings can be grouped and expanded. However, in Mothership, child findings do not appear when pulling in parent findings, which breaks the grouping relationship.
These limitations apply to both the ES Mothership App for Splunk and the Mothership App for Splunk.
Splunk SOAR
The following SOAR configurations are not supported in ES 8.0.x:
- Hybrid architecture (CMP & Cloud)
- Container labels to segregate roles/access to incidents and investigations
- SOAR clusters (CMP)
Risk Notable Playbook Pack (SOAR RNPP)
The SOAR RNPP was designed to work with Splunk Enterprise Security 7.x. Upgrading to ES 8.0.x has the potential to break some RNPP functionalities that rely on specific ES 7.x capabilities, which might no longer be available in ES 8.0.x. However, you can continue to use it with ES 8.0.x at your own risk.
Security operational model architectures (Centralized SOC/RBAC/multitenancy)
If you use any of the configuration states defined here, do NOT upgrade to Splunk Enterprise Security 8.0.x.
- Segregation of data where multiple business units (customers) send data into a single Splunk/ES stack.
- The SOC differentiates notable events by business units (customer) where multiple customers are sending data into a single Splunk/ES stack.
- You use role-based access control (RBAC), allowing users access to dedicated indexes and/or dashboards.