Use detection versioning in Splunk Enterprise Security
Create and maintain multiple versions of the detections in Splunk Enterprise Security, the ESCU app, and other apps, and track the relationships between them. With versioning, you can track the customized detections that you create for specific use cases and identify which detections are relevant for your use case. Versioning also makes troubleshooting detections easier.
Detection versioning is turned on by default in Splunk Enterprise Security version 8.3 and higher.
Detection versioning does not corrupt the findings in the analyst queues of investigations. Saving a change to a detection always creates a new version. If you change a detection version that is currently turned on, the new version is not turned on by default: you can choose to save the new version only, or to save it and turn it on at the same time. You can also clone a specific version of a detection.
Additionally, you can save a new version or create a clone from any version of a detection, not only the latest one. Lastly, you can add a version note when you save a new version of a detection, which can assist during investigations. As an administrator, you can make notes mandatory when saving detection versions.
You can only update a versioned detection using the Splunk Enterprise Security detection editor. Updates made through other methods are not supported, including:
- Editing the detection in the Splunk platform interface using the Advanced Edit page.
- Using the savedsearches API to modify the detection directly.
- Manually editing the savedsearches.conf file on an on-premises deployment.
Configure detection versioning for apps
Follow these steps to configure apps for detection versioning:
- In Splunk Enterprise Security, go to the Configure tab.
- Select General settings and then select the Versioning panel.
- In the Add apps field, add or select the app that you want to configure for versioning. For example, Mission Control.
- Select Add and then select Confirm to confirm that you want to configure the app for versioning.
Note: Configure an app only when you are sure that you want to use detection versioning for it. Removing an app that is configured for detection versioning requires contacting Splunk Support, which might cause delays.
Note: Any missing metadata is added to the savedsearches.conf configuration file after the app is configured for versioning. A new version of a detection is not created if the metadata for the detection doesn't change during an upgrade of the app.
- Review the list of versioned apps in the table. Additionally, verify that the app is configured, turned on, and has sharing set to Global.
Reviewing differences between detection versions
Review the differences between detection versions that result from detection updates in the ESCU app and Splunk Enterprise Security to determine whether you are using an outdated version and need to turn on a newer version of the detection. You can also compare detection versions to troubleshoot a detection that is turned on but generating false positive alerts.
You can view differences between any version of any detection, irrespective of whether you made the updates manually or whether the updates were made automatically using the app.
Compare detection versions
Follow these steps to compare different versions of a detection:
- In Splunk Enterprise Security, open the detection in the detection editor.
- Go to the Versions panel in the Edit detection page and select the toggle button for Diff comparison to turn on the comparison of detection versions. The Versions panel displays a complete list of all the versions available for a detection along with the creation date and time.
- From the App drop-down menu in the diff window, select the app from which you want to compare the detection.
- From the Detection drop-down menu in the diff window, select the name of the detection for which you want to compare the versions. The drop-down menu in the diff window lists the recently edited detections that you can select to view.
- From the Version drop-down menu in the diff window, select the version of the detection that you want to compare against the selected version highlighted in the Versions panel.
- Select Submit.
- Review the highlighted differences between the two detection versions using the side-by-side comparison windows.
- Use the Text wrap button on the right panel for text wrapping or horizontal scrolling as required.
- Use the clickable mini-map to navigate and view the differences between the detections.
- Select the Open in editor icon on the left panel to open and edit the detection shown on the left panel in the detection editor in a separate tab.
Note: Viewing the differences between detection versions is a read-only option. The detection diff comparison viewer displays the content in *.conf file format rather than as it is displayed in the detection editor.
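The diff viewer compares detection versions in savedsearches.conf format. As an added example that is not part of Splunk Enterprise Security or of this documentation, the following Python script reproduces that kind of comparison offline on two constructed stanzas: it parses each version of a detection stanza, reports which keys changed between them, and prints a unified diff of the raw text. The stanza name, the search, and all key values are constructed for illustration; `disabled = 1` on the newer version mirrors the behaviour described above, where a new version of an active detection is saved but not turned on by default.

```python
"""Compare two versions of a Splunk savedsearches.conf detection stanza.

Added example, not Splunk's own tooling. Both stanzas below are constructed;
the keys (search, cron_schedule, disabled, action.notable) are standard
savedsearches.conf keys, but the values are illustrative.
"""
import configparser
import difflib

# Constructed version 1: the detection as it is currently turned on.
VERSION_1 = """\
[ESCU - Example Suspicious Process - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name="rundll32.exe" by Processes.dest Processes.user
cron_schedule = */5 * * * *
disabled = 0
action.notable = 1
"""

# Constructed version 2: the search is narrowed and the schedule relaxed.
# The new version is saved turned off (disabled = 1) until you turn it on.
VERSION_2 = """\
[ESCU - Example Suspicious Process - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name="rundll32.exe" Processes.process="*javascript:*" by Processes.dest Processes.user
cron_schedule = */10 * * * *
disabled = 1
action.notable = 1
"""


def parse_stanza(text):
    """Return {stanza_name: {key: value}} for a savedsearches.conf fragment."""
    # interpolation=None so '%' in a search string is not treated specially;
    # optionxform=str keeps key case exactly as written in the .conf file.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str
    parser.read_string(text)
    return {name: dict(parser[name]) for name in parser.sections()}


def diff_versions(old_text, new_text):
    """Return {key: (old_value, new_value)} for every key that differs.

    A key present in only one version shows None on the other side.
    """
    (old_name, old_kv), = parse_stanza(old_text).items()
    (new_name, new_kv), = parse_stanza(new_text).items()
    if old_name != new_name:
        raise ValueError(f"stanza names differ: {old_name!r} vs {new_name!r}")
    changed = {}
    for key in sorted(set(old_kv) | set(new_kv)):
        if old_kv.get(key) != new_kv.get(key):
            changed[key] = (old_kv.get(key), new_kv.get(key))
    return changed


def unified_diff(old_text, new_text):
    """Line-level unified diff of the raw .conf text, like a side-by-side view."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True),
        new_text.splitlines(keepends=True),
        fromfile="version 1", tofile="version 2"))


if __name__ == "__main__":
    for key, (before, after) in diff_versions(VERSION_1, VERSION_2).items():
        print(f"{key}:\n  - {before}\n  + {after}")
    print(unified_diff(VERSION_1, VERSION_2))
```

Use a script like this only to read and compare exported stanza text. Writing the result back into savedsearches.conf is exactly the unsupported path described earlier; changes to a versioned detection still have to go through the detection editor.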
See also
For more information on detections in Splunk Enterprise Security, see the product documentation: