Release notes for Splunk Enterprise Security

Find the following information on the Splunk Enterprise Security version 8.2.x release:

What's new in 8.2.0

What's new in this version of Splunk Enterprise Security.

Splunk Enterprise Security version 8.2.0 was released on September 9, 2025 and includes the following new enhancements:

New feature Description
AI Assistant for investigationsSummarize findings, get an SPL search, and generate an investigation report with the AI Assistant. See Scenario: Jordan uses the AI Assistant to summarize an investigation and generate SPL.
Note: The AI Assistant for Splunk Enterprise Security is not automatically available by default. An administrator must reach out to their account management team to get started.
Version activity for detectionsAbility to view the version activity of a detection. For more information, see Use detection versioning in Splunk Enterprise Security.

Detection audit trail

Monitor when detections are turned on or off, modified, or deployed, including who made changes and when. This is essential for compliance and change management of security rules.
Testing detections in the detection editorAbility to evaluate detection performance and efficiency within your SOC workflow by testing detections and reviewing search results. For more information, see Validate detections in Splunk Enterprise Security.
Validate the SPL of a custom finding-based detectionAbility to validate the SPL query conditions for a custom finding-based detection in the detection editor. For more information, see Guidelines to create a custom finding-based detection.
Viewing notes on the findings or finding groups included in an investigationAbility to view notes on the findings or finding groups that are included in an investigation to get the complete context of linked findings when reviewing investigations. For more information, see Create and share notes on an investigation.
Option to keep finding groups closedAbility to configure in the detection editor whether closed finding groups are reopened or not if additional findings or intermediate findings are added to the finding group. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
Lookback finding groups Ability to create lookback finding groups to group historical findings based on the first time the detection runs. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
Overlap finding groupsAbility to create overlap finding groups to prevent overlooking edge cases that might represent risk. For more information, see Configure conditions to create finding groups in Splunk Enterprise Security.
Button options for filtering the analyst queue by type: Findings, Investigations, Finding groups, or All types.

Quickly filter the analyst queue by type using the buttons above the queue. See Filter the findings and investigations.

Making notes optional or requiredEnforce notes or make them optional when an analyst updates a finding or investigation. See Make notes required or optional.
Making note titles optional or requiredChange the note title requirement setting to make note titles required or optional when analysts update a finding or investigation. See Make note titles required or optional.
Hiding duplicate findings that have been added to an investigationA finding that is part of an investigation can appear both nested under the investigation and also as a separate listing in the analyst queue. You can opt to show the finding in both locations, or you can hide the finding so that it only appears nested under an investigation. See Hide or show duplicate findings that have been added to an investigation.
Redesigned quick actions in the analyst queueRefresh the analyst queue manually or with auto-refresh, now in the quick actions menu at the top of the analyst queue. See Refresh the analyst queue.
Syncing changes with included findings Apply changes made in an investigation or finding group to all of its included findings. See Sync changes with included findings.
Optimizing storage with KV Store retention policyTurn on the KV Store retention policy to automatically remove old records from KV Store collections based on a configured time-based or size-based policy. See Optimizing storage with KV Store retention policy.
Expanded API capabilities
  • To create Findings
  • Add findings to investigations
  • Create, read, update, and delete notes
Adding a TAXII 2 threat intelligence feedSplunk Enterprise Security versions 8.2 and later now support TAXII version 2.0 and TAXII version 2.1. Add threat intelligence from a TAXII 2 feed to Splunk Enterprise Security. See Add a TAXII 2 feed.
Other key highlights
  • Your preferences for viewing charts, timelines, filters, and the count on the analyst queue count persists throughout your session.
  • Findings that are part of an investigation are hidden from the top-level of the Analyst Queue by default so that you can focus on actionable alerts.
  • New Splunk Enterprise Security APIs are now searchable using SPL REST command.
  • Performance-based enhancements: The search ID reuse improves load times across the Analyst Queue and investigations by reusing the results of cached search jobs.
  • SAML user tokens support is no longer required for native SOAR functionality.

Upgrade notice for 8.x

Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

Other important notes for upgrading include the following:

  • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
  • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Share threat data in Splunk Enterprise Security

Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security

Compatibility and support

  • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
  • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

Deprecated or removed features

The following features have been deprecated from Splunk Enterprise Security 8.x:

  • Configuring the investigation type macro is no longer available.
  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Note: Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.

To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.

  • DA-ESS-AccessProtection
  • DA-ESS-EndpointProtection
  • DA-ESS-IdentityManagement
  • DA-ESS-NetworkProtection
  • DA-ESS-ThreatIntelligence
  • SA-AccessProtection
  • SA-AuditAndDataProtection
  • SA-EndpointProtection
  • SA-IdentityManagement
  • SA-NetworkProtection
  • SA-ThreatIntelligence
  • Splunk_SA_CIM
  • Splunk_SA_Scientific_Python_linux_x86_64
  • SplunkEnterpriseSecuritySuite
  • Splunk_ML_Toolkit

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

Updated add-ons

The Common Information Model Add-on is updated to version 6.2.0.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0