Limitations

The following are some of the limitations in Splunk Enterprise Security version 8.x:

  • In ES 8.0.3 and higher, the process of assigning timestamps to intermediate findings generated by event-based detections creates a more accurate risk timeline. However, this can change the behavior of detections that depend on the relative timing of intermediate findings. In ES 8.0.3+, the timestamp is set to the time value of the search results, if one exists. If the search results carry no time value, the timestamp is set to the current time, that is, the time when the risk event was written to the risk index.

  • Splunk Enterprise Security supports only HTTPS connections.
  • Splunk Enterprise Security version 8.x supports search head clustering only on Linux operating systems. On Windows, Splunk Enterprise Security 8.x is supported only on standalone systems.
  • Incident Review row expansion is no longer available. Use the side panel view to review information on findings and investigations.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI. Data from Mission Control incidents is migrated to Splunk Enterprise Security version 8.x. See Migrating Splunk Mission Control incident data to Splunk Enterprise Security 8.x.
  • Investigation data from Splunk Enterprise Security version 7.3.2 or earlier is not migrated to investigations in Splunk Enterprise Security version 8.x.
    Note: To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
  • Sequence templates are "read-only" in Splunk Enterprise Security version 8.x and higher.
  • Service level agreements (SLAs) and role-based incident type filtering are not available in Splunk Enterprise Security 8.x.
  • The Select all option selects all findings on the current page only; it does not select findings across every page.
  • Adaptive response actions are not available for investigations.
  • The Comments feature available in prior versions of Splunk Enterprise Security is now replaced by an enhanced capability to add notes.

    Note: Splunk Enterprise Security does not support the ability to enforce a note when editing a feature or investigation.
  • If you customized your navigation bar in a previous version of Splunk Enterprise Security, you must reset it to see the new navigation bar pages for version 8.x.
  • For limitations with hybrid pairing, see Splunk SOAR compatibility.
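The first limitation above (timestamps for intermediate findings in ES 8.0.3+) is easy to misjudge when some search results lack a time value. The following added example is not Splunk code; it is a small simulation of the documented rule (use the result's `_time` if present, otherwise the write time) applied to constructed sample results, plus an audit helper that lists which results would fall back to the write time. The `within_window` function is a hypothetical stand-in for a detection that depends on findings occurring close together.

```python
# Constructed sample search results (not real Splunk output). Two carry _time;
# the third does not, which is the case the ES 8.0.3+ fallback rule covers.
SAMPLE_RESULTS = [
    {"risk_object": "host-a", "risk_message": "brute force", "_time": 1700000000},
    {"risk_object": "host-a", "risk_message": "privilege escalation", "_time": 1700003600},
    {"risk_object": "host-a", "risk_message": "lateral movement"},
]


def finding_timestamp(result, written_at):
    """Timestamp an intermediate finding receives under the ES 8.0.3+ rule:
    the search result's _time when present, otherwise the time the risk event
    was written to the risk index (written_at, epoch seconds)."""
    t = result.get("_time")
    return float(t) if t is not None else float(written_at)


def build_timeline(results, written_at):
    """Return (timestamp, risk_message) pairs in the order a risk timeline shows them."""
    return sorted((finding_timestamp(r, written_at), r["risk_message"]) for r in results)


def within_window(results, written_at, window_seconds):
    """Hypothetical detection: do all intermediate findings fall inside one window?
    A result without _time is stamped at write time, which can push it far
    outside the window even though the underlying activity was close together."""
    stamps = [ts for ts, _ in build_timeline(results, written_at)]
    return max(stamps) - min(stamps) <= window_seconds


def results_missing_time(results):
    """Audit helper: which results lack _time and will be stamped with write time."""
    return [r["risk_message"] for r in results if r.get("_time") is None]


if __name__ == "__main__":
    written_at = 1700090000  # constructed write time, about 25 h after the first event
    for ts, msg in build_timeline(SAMPLE_RESULTS, written_at):
        print(int(ts), msg)
    print("within 2h window:", within_window(SAMPLE_RESULTS, written_at, 7200))
    print("missing _time:", results_missing_time(SAMPLE_RESULTS))
```

Running it shows the two timed findings ordered by their event times while the untimed one lands at the write time, so the 2-hour window check fails only because of the fallback.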