Release notes for Splunk Enterprise Security

This page covers the Splunk Enterprise Security version 8.5.x release.

What's new in 8.5.0

Splunk Enterprise Security version 8.5.0 was released on April 8, 2026 and includes the following new enhancements:

Each entry names the new feature, the Splunk idea IDs it came from where applicable, and a description:

  • Configuration and settings: Manage specific configuration settings in the ES UI. Ability to manage configuration files using a new system configurations page in Splunk Enterprise Security. For more information, see Modify configuration files using Splunk ES UI.
  • Configuration and settings: Configure a workload pool to run search jobs. Configure settings in the ES UI to manage resources and optimize system performance when running search jobs from the analyst queue. For more information, see Manage resources by assigning search jobs to a workload pool.
  • Detections: Detection tuning. Adjust your detection SPL in real time to reduce false positives and improve the accuracy of alerts. For more information, see Tune detections in Splunk Enterprise Security.
  • Detections: Test detections in production. Test detections on production data using Splunk Enterprise Security to evaluate their behavior and validate search results without impacting SOC analyst workflows. For more information, see Test detections on production data using Splunk Enterprise Security.
  • Detections: Test panel in the detection editor to validate detection search results. Enhancements to the test panel in the detection editor improve the accuracy of calculating alert volume during detection testing. You can select Findings mode with a timeout option to calculate the number of findings based on the configuration settings of a detection and limit the duration of the test. You can select Events mode with a lookback option to show raw event counts within a specified time frame to spot duplicates or misconfigurations. For more information, see Estimate the volume of alerts from detection outputs in Splunk Enterprise Security.
  • Detections: Improvements in the detection editor for creating finding-based detections. SPL templates are provided in the detection editor that you can modify to create finding-based detections. For more information, see Edit detection SPL templates and macros for finding-based detections.
  • Detections: Improvements to the detection editor and default templates for detections. Tested SPL templates are provided in the detection editor to modify or create a finding-based detection. For more information, see Detection templates.
  • Analyst queue: Team-based queue enhancements. Assign queue permissions at a granular level for different roles. Determine whether a role can create, read, update, delete, or execute actions. See Permissions for team-based queues and Role-based access control lockdown.
  • Exposure analytics. Set up exposure analytics to automatically discover assets and users across your environment, enrich findings with context, and allow for precise attribution and a reduced attack surface. To set up exposure analytics, see Exposure analytics set up guide for admins in Splunk Enterprise Security. If you're an existing ARI user, see Using Splunk Asset and Risk Intelligence after upgrading to Splunk Enterprise Security 8.5.
  • Investigations: Workflow enhancements. Improved field groupings and collapsible panels are introduced in the investigation side panel. For more information, see Pre-defined fields in the side panel of the investigation.
  • Investigations: Improved guidance on managing KV Store collections. KV Store optimization for detection performance. For more information, see Manage KV Store collections in Splunk Enterprise Security.
  • Splunk Attack Analyzer integration: Threat analysis for phishing incidents. Powered by Splunk Attack Analyzer, threat analysis allows you to perform static analysis on email bodies and metadata to identify malicious activity, review resource trees and system verdicts to assess the nature of the threat, and examine email screenshots to confirm visual indicators of phishing. See Phishing investigation and threat analysis in Splunk Enterprise Security.
  • Configure SOAR apps in Splunk Enterprise Security. Configure third-party apps in Enterprise Security to use Enterprise Security data. Microsoft (MS) Graph Office 365, IMAP, and Gmail apps can create findings in the Analyst Queue, so analysts can easily access full email content. See Configure Splunk SOAR apps in Splunk Enterprise Security.
  • Automation rules update. Automation rules can now trigger based on ingestions by apps configured in Splunk Enterprise Security. See Configure automation rules to run playbooks based on findings in Splunk Enterprise Security and Configure Splunk SOAR apps in Splunk Enterprise Security.
  • System insights dashboards (Splunk ideas PPSID-I-640, PPSID-I-131, PPSID-I-492). Splunk App for SOAR has new, intuitive dashboards, including more comprehensive metrics, direct links to run logs, and flexible alerting options, providing you with more precision and agility. For details, see System insights in the Splunk App for SOAR documentation.
  • Splunk Cloud Connect for Splunk Enterprise Security. Access Cloud extensions from Splunk Enterprise Security (On-premises). For more information, see Access Splunk Cloud Connect in Splunk Enterprise Security to access Cloud extensions. For troubleshooting tips on common connection or user interface issues when using Splunk Cloud Connect, see Troubleshoot common issues when using Splunk Cloud Connect.
  • Support for CIM entity zones for entity risk scoring. For more information, see Entity risk scoring in Splunk Enterprise Security.
  • UEBA enhancements. New UEBA detections and expanded regional availability. See UEBA regional availability and UEBA detection reference for UEBA on-premises.
  • Detection Studio. Ability to identify optimal detections using Detection Studio in Splunk Enterprise Security is generally available (GA). For more information, see Identify optimal detections using Detection Studio in Splunk Enterprise Security.
  • Triage agent. Set up the AI triage agent to autonomously investigate findings as they show up in queues. With the AI triage agent, you can find a suggested disposition, a clear rationale, and recommended next steps for the finding before a human touches it. See AI analysis in Splunk Enterprise Security and Setting up the AI triage agent.
  • SOP agent created response plans. Use the new SOP agent to import your existing SOP documents and create response plans from them. For details, see Create response plans with the SOP agent.
  • Ready-to-use Splunk response plans. New built-in, ready-to-use Splunk response plans are available with recommended Splunk SOAR automation. See Included response plans in Splunk Enterprise Security.
  • Expanded regional availability for Threat Intelligence Management. New supported regions are added for Threat Intelligence Management. See Threat Intelligence Management regional availability.

For enhancements in Splunk SOAR, see the following articles:

Welcome to Splunk SOAR (Cloud)

Welcome to Splunk SOAR (On-premises)

Upgrade notice for 8.x

Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

Other important notes for upgrading include the following:

  • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
  • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
  • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Share threat data in Splunk Enterprise Security

Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security.

Compatibility and support

  • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
  • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

Deprecated or removed features

The following features are deprecated or removed in Splunk Enterprise Security 8.x:

  • Configuring the investigation type macro is no longer available.
  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Note: Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.

To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of these add-ons is not turned on, Splunk Support is notified automatically and turns all the required add-ons back on.

  • DA-ESS-AccessProtection
  • DA-ESS-EndpointProtection
  • DA-ESS-IdentityManagement
  • DA-ESS-NetworkProtection
  • DA-ESS-ThreatIntelligence
  • SA-AccessProtection
  • SA-AuditAndDataProtection
  • SA-EndpointProtection
  • SA-IdentityManagement
  • SA-NetworkProtection
  • SA-ThreatIntelligence
  • Splunk_SA_CIM
  • Splunk_SA_Scientific_Python_linux_x86_64
  • SplunkEnterpriseSecuritySuite
  • Splunk_ML_Toolkit
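As an added example that is not part of these release notes and not Splunk's own tooling, the following POSIX shell script checks every add-on in the list above under a search head's etc/apps directory and reports each one as enabled, disabled, or missing, which is a useful gate before starting the one-way 8.x upgrade. It assumes the standard app.conf layout, where an app is turned off by `state = disabled` in the [install] stanza, a setting in local/app.conf overrides default/app.conf, and an app with no explicit state is loaded; the apps directory path is supplied as the first argument.

```shell
#!/bin/sh
# Pre-upgrade check for the add-ons Splunk Enterprise Security requires (added example,
# not Splunk's own tooling). Reports each required add-on as enabled, disabled, or missing.
#
# Assumption: an app is turned off when the [install] stanza of its app.conf contains
# "state = disabled"; local/app.conf takes precedence over default/app.conf, and an app
# with no explicit state at all is treated as enabled.

ES_REQUIRED_ADDONS="DA-ESS-AccessProtection DA-ESS-EndpointProtection DA-ESS-IdentityManagement
DA-ESS-NetworkProtection DA-ESS-ThreatIntelligence SA-AccessProtection SA-AuditAndDataProtection
SA-EndpointProtection SA-IdentityManagement SA-NetworkProtection SA-ThreatIntelligence
Splunk_SA_CIM Splunk_SA_Scientific_Python_linux_x86_64 SplunkEnterpriseSecuritySuite Splunk_ML_Toolkit"

# Print the lowercased value of "state" from the [install] stanza of one app.conf,
# or nothing if the file has no such setting.
es_install_state() {
  awk -F'=' '
    /^[ \t]*\[/ { in_install = ($0 ~ /^[ \t]*\[install\][ \t]*$/) }
    in_install && $1 ~ /^[ \t]*state[ \t]*$/ {
      sub(/[#;].*$/, "", $2)        # drop a trailing comment, if any
      gsub(/[ \t\r]/, "", $2)
      print tolower($2)
      exit
    }' "$1"
}

# Usage: es_addon_state <apps_dir> <app>
# Prints "missing", "disabled", or "enabled"; exit status is 0 only for "enabled".
es_addon_state() {
  _apps_dir="$1"; _app="$2"
  if [ ! -d "$_apps_dir/$_app" ]; then
    echo missing
    return 1
  fi
  # local/app.conf is consulted first because it overrides default/app.conf
  for _conf in "$_apps_dir/$_app/local/app.conf" "$_apps_dir/$_app/default/app.conf"; do
    [ -f "$_conf" ] || continue
    _state=$(es_install_state "$_conf")
    case "$_state" in
      "")       continue ;;              # no state in this file, try the next one
      disabled) echo disabled; return 1 ;;
      *)        echo enabled;  return 0 ;;
    esac
  done
  echo enabled                           # no explicit state anywhere: the app loads
  return 0
}

# Usage: es_check_required_addons <apps_dir>
# Prints one line per required add-on; the exit status is the number of add-ons
# that are not enabled, so 0 means every required add-on is on.
es_check_required_addons() {
  _failures=0
  for _app in $ES_REQUIRED_ADDONS; do
    if _st=$(es_addon_state "$1" "$_app"); then :; else _failures=$((_failures + 1)); fi
    printf '%-45s %s\n' "$_app" "$_st"
  done
  return "$_failures"
}

# Stand-alone use: sh es_check_addons.sh /opt/splunk/etc/apps
if [ -n "${1:-}" ]; then
  es_check_required_addons "$1"
fi
```

Because the exit status counts the add-ons that are not enabled, the script can be dropped into a pre-upgrade runbook as a hard stop: any non-zero status means the deployment is not yet in the state the upgrade expects, and the printed table shows which add-on to fix.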

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

Updated add-ons

The Common Information Model Add-on is updated to version 8.5.0 and was released on April 2, 2026. The version number for the Common Information Model is synchronized with the version number of Splunk Enterprise Security from this release.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0