What's new in Splunk Enterprise Security 8.3 Essentials
Splunk Enterprise Security (ES) 8.3 Essentials edition introduces enhancements that improve analyst efficiency, expand automation, and strengthen detection and investigation workflows across the SOC.
This article highlights the key changes since ES 8.1 and builds upon the ES 8 Updates for the Splunk SOC course, focusing on features available in the ES Essentials 8.3 edition.
ES 8.3 is available as ES Essentials and ES Premier editions. This article applies only to ES Essentials. For Premier, visit What's new in Splunk Enterprise Security 8.3 Premier.
ES Essentials 8.3 overview
ES Essentials 8.3 edition delivers built-in security automation with native SOAR (v7.1). In the ES Essentials cloud edition, Threat Intelligence Management (TIM) and the Security AI Assistant enhance analyst workflows by providing threat intelligence and AI-powered guidance throughout investigations.
For more information, see Overview of Splunk Enterprise Security editions.
Mission Control enhancements
ES 8.3 introduces usability improvements to Mission Control and the analyst queue.
Simplified navigation
Updated navigation buttons allow analysts to switch between Investigations, finding groups, findings, and all types directly from the analyst queue filters section.
For more information, see Sort and filter findings and investigations for triage in Splunk Enterprise Security.

Views menu
The previous dropdown menu is replaced with a Views menu that improves discoverability with default views as well as custom views. Analysts can manage custom views from Saved views > Manage saved views.
For more information, see Manage saved views to display findings and investigations in Splunk Enterprise Security.

Nested findings
Findings and finding groups added to an investigation are now nested under that investigation and removed from the analyst queue as standalone entries. This hierarchy reduces noise and helps analysts maintain context during complex investigations.
For more information, see Manage analyst workflows using the analyst queue in Splunk Enterprise Security.

Entity risk score enhancements
ES 8.3 implements Entity Risk Score (ERS), which builds on the original Splunk Enterprise Security risk score by continuously assessing the overall risk of an entity, such as a user or asset. ERS aggregates findings from the previous seven days, normalizes the score to a 0 to 100 scale, and recalculates risk using the Risk – EWA Entity Risk Score Calculation scheduled search, which runs every 20 minutes by default.
For more information, see Entity risk scoring in Splunk Enterprise Security.

New entity risk score calculation details dashboard
Selecting a risk score in the analyst queue opens the entity risk score calculation details dashboard. This dashboard provides visibility into:
- Current entity risk score
- Risk contributions
- Associated detections and findings
- Asset and identity attributes

Finding details panel improvements
Field pinning
Analysts can pin important fields in the details panel of a finding or an investigation, as well as within an investigation itself. Pinned fields remain visible at the top of the panel for faster access during triage. For more information, see Pin fields for findings and investigations in Splunk Enterprise Security.

Expanded entity context
When entities are configured in both detections and Assets and Identities, additional entity metadata appears in the finding details, including business unit, category, priority, and entity type.

Threat intelligence summary (cloud-only)
In the ES Essentials cloud edition, a new Threat Intelligence section summarizes related threat actors, malware, MITRE tactics, and CVEs to provide immediate context. For more information, see Manage analyst workflows using the analyst queue in Splunk Enterprise Security.

Investigation workflow updates
Clearer navigation
The View details button is renamed to View investigation, making the action explicit.

Intermediate findings visibility
Investigations containing intermediate findings now display a dedicated section on the Overview tab. Analysts can review:
- Event timelines
- Threat topology (relationships between risk and threat objects)
This view improves situational awareness and helps identify related impacts across identities and assets.
For more information, see Access the intermediate findings timeline to review findings in Splunk Enterprise Security.

Threat Intelligence Management (cloud-only)
Both the ES Essentials 8.3 CMP (on-premises) edition and the cloud edition continue to use the Threat Intelligence Framework configured under Configure > Threat intelligence. The Threat Intelligence Framework provides a centralized way to ingest, normalize, and operationalize threat intelligence across security workflows. The framework collects intelligence from supported sources and normalizes it into threat objects that enrich events, detections, and findings. This enrichment enables ES to correlate activity against known indicators of compromise, helping analysts identify and prioritize suspicious behavior more efficiently.
The ES Essentials cloud edition introduces support for Threat Intelligence Management (TIM). When ES is paired with the Threat Intelligence Management Cloud system, the app sends all observables found in findings and investigations to the TIM Cloud system and searches for threat intelligence enrichment about those observables. TIM is embedded directly into findings and investigations.
The cloud edition has both Threat Intelligence Management and Threat Intelligence Framework sections under Configure > Threat intelligence.
For more information, see Threat Intelligence configuration documentation.

Security AI Assistant (cloud-only)
In the ES Essentials cloud edition, Security AI Assistant provides guided workflows inside findings and investigations to reduce analyst workload.
Splunk supports both native and frontier large language models. Customer data is not stored, used for training, or processed outside Splunk infrastructure.

Supported capabilities
- Finding summaries
- Automated investigation reports
- SPL generation
- MITRE ATT&CK analysis
- Suggested triage actions
- Context-aware Investigation Q&A
Analysts can use guided workflow buttons or submit free-form questions using Ask me anything about security. AI responses are generated in the context of finding and investigation data.
For more information, see Opt out of data sharing for the AI assistant in Splunk Enterprise Security.

Detection engineering enhancements
Detection editor navigation
The event-based detection editor includes an updated navigation menu for faster access to configuration sections.

Test detection (Beta)
Beta features are provided "as is" and might change or be discontinued at any time.
Detection testing allows engineers to test event-based detections without enabling them. Engineers can validate search logic, scheduling, and entity extraction before deployment.
Testing supports 24 hours, 7 days (default), or 30 days of data. Results include:
- Finding volume
- Intermediate findings
- Entity matches
- Omitted results
A Top 5 entities view highlights frequent matches to help reduce noise.
For more information, see Use detections to search for threats in Splunk Enterprise Security.

Detection version comparison
With Detection Versioning enabled, the Diff comparison feature allows engineers to compare detection versions from ESCU or Splunk Enterprise Security. This helps identify outdated detections, review manual changes, and troubleshoot false positives.
Diff comparison displays read-only, side-by-side results in .conf format and highlights the differences between versions.
For more information, see Use detection versioning in Splunk Enterprise Security.

Integrated SOAR
As in ES 8.1, Splunk SOAR integrates directly with ES Essentials 8.3 to automate investigation and response workflows. Analysts can run playbooks from the analyst queue, and administrators can configure automation rules to trigger playbooks automatically when detections generate findings.
For more information, see Automate your investigation response with actions and playbooks in Splunk Enterprise Security.

Additional resources
The following resources might help you understand and implement this guidance:
- Splunk Education: ES 8 updates for the Splunk SOC
- Splunk Resource: ES Premier 8.3 click-through demo
- Splunk Help: Splunk ES 8 documentation
- Lantern Article: Tuning Enterprise Security assets & identities