Release notes for Splunk Enterprise Security
Find the following information on the Splunk Enterprise Security version 8.3.x release:
What's new in 8.3.0
Splunk Enterprise Security version 8.3.0 was released on November 19, 2025 and includes the following new enhancements:
| Splunk idea | New feature | Description |
|---|---|---|
| Enhanced version management and tracking | Ability to view the active and the latest version of a detection along with the full author names instead of user IDs. For more information, see Create multiple versions of a detection in Splunk Enterprise Security. | |
| Streamlined UI workflow in detection versioning | Includes sortable columns, dialog flash fixes, panel state persistence, and the ability to download links for version and activity history of detections. For more information, see Create multiple versions of a detection in Splunk Enterprise Security. | |
| Turning on or off the ability to edit notes | Ability to choose whether users can edit notes that exist for findings and investigations after they're saved. For more information, see Turn on or turn off the ability to edit notes. | |
| Pairing with Splunk SOAR clusters and warm standby | Ability to pair Splunk Enterprise Security with Splunk SOAR (On-premises) clustered environments, including using warm standby and backup and restore. For more information, see Pair Splunk Enterprise Security with Splunk SOAR in Administer Splunk Enterprise Security and Splunk SOAR Compatibility in the release notes. | |
| Pinning finding and investigation fields in the analyst queue | Ability to pin specific fields in the side panel of a finding or investigation or on the investigation overview page to keep the information you care about most easily accessible. For more information, see Pin fields for findings and investigations in Splunk Enterprise Security. | |
| Nested findings in the analyst queue | Ability to navigate complex investigations more efficiently by reducing visual clutter and maintaining context as you drill deeper into related data. Nested findings organize related findings and finding groups into a clear, hierarchical structure across the analyst queue and investigation overview page. For more information, see Navigate nested findings for triage. | |
| Finishing existing legacy investigations | Ability to finish your existing work, export data for reports, and maintain visibility into past findings with the legacy investigations interface. If you previously created investigations in Splunk Enterprise Security 7.x, you can still review and complete them after upgrading to version 8.x. For more information, see Review and finish existing legacy investigations. | |
| Entity risk scoring | Includes the new entity risk score (ERS), an enhanced version of the original risk score in Splunk Enterprise Security. It measures the overall risk level of an entity, such as a user or asset, based on findings associated with that entity. For more information, see Entity risk scoring in Splunk Enterprise Security and Using entity risk scores for detections in Splunk Enterprise Security. | |
| Threat intelligence storage optimization | Ability to optimize data retention for threat intelligence KV Store collections in Splunk Enterprise Security. For more information, see Threat intelligence collections in Splunk Enterprise Security. | |
| User and Entity Behavior Analytics (UEBA) for Splunk Enterprise Security Premier | Ability to detect insider threats, reduce false positives, and prioritize investigations based on risk with UEBA. UEBA identifies anomalies by comparing current activity against learned baselines for users and assets. See the following documentation to get started: | |
| Analyst queue performance improvements | Searching, automating, and interacting with findings on the analyst queue will load them into the KV Store collection for faster retrieval and load times. For more information, see Optimizing storage with KV Store retention policy. | |
| Updates to hide finding settings for finding groups | Hide findings setting now also hides findings that belong to finding groups. Help text for this feature has been updated to indicate that findings will still appear nested under the investigation or finding group to which they belong. |
Upgrade notice for 8.x
Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.
When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.
If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.
See Upgrade Splunk Enterprise Security.
Other important notes for upgrading include the following:
- You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
- Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
- The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.
Share threat data in Splunk Enterprise Security
Compatibility and support
- Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
- Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.
Deprecated or removed features
The following features have been deprecated from Splunk Enterprise Security 8.x:
- Configuring the investigation type macro is no longer available.
- Incident Review row expansion is no longer available.
- Enhanced workflows are no longer available.
- Sequence templates are no longer available.
- The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
- Service level agreements (SLAs) and role-based incident type filtering are not available.
- The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
- Workbench and workbench related views such as
ess_investigation_list,ess_investigation_overview, andess_investigationhave been removed. - Capabilities such as
edit_timelineandmanage_all_investigationshave been removed. - The Comments feature is replaced by an enhanced capability to add notes.
Add-ons
Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.
Splunk_TA_ForIndexers add-on for every release.To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.
- DA-ESS-AccessProtection
- DA-ESS-EndpointProtection
- DA-ESS-IdentityManagement
- DA-ESS-NetworkProtection
- DA-ESS-ThreatIntelligence
- SA-AccessProtection
- SA-AuditAndDataProtection
- SA-EndpointProtection
- SA-IdentityManagement
- SA-NetworkProtection
- SA-ThreatIntelligence
- Splunk_SA_CIM
- Splunk_SA_Scientific_Python_linux_x86_64
- SplunkEnterpriseSecuritySuite
- Splunk_ML_Toolkit
Deprecated or removed add-ons
Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.
The following technology add-ons are removed from the installer, but still supported:
- Splunk Add-on for Blue Coat ProxySG
- Splunk Add-on for McAfee
- Splunk Add-on for Juniper
- Splunk Add-on for Microsoft Windows
- Splunk Add-on for Oracle Database
- Splunk Add-on for OSSEC
- Splunk Add-on for RSA SecurID
- Splunk Add-on for Sophos
- Splunk Add-on for FireSIGHT
- Splunk Add-on for Symantec Endpoint Protection
- Splunk Add-on for Unix and Linux
- Splunk Add-on for Websense Content Gateway
The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:
- TA-airdefense
- TA-alcatel
- TA-cef
- TA-fortinet
- TA-ftp
- TA-nmap
- TA-tippingpoint
- TA-trendmicro
Updated add-ons
The Common Information Model Add-on is updated to version 6.3.0.
Libraries
The following libraries are included in this release:
- Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
- Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
- Splunk_SA_Scientific_Python_windows_x86_64-3.0.0