Release notes for Splunk Enterprise Security

Find the following information on the Splunk Enterprise Security version 8.4.x release:

What's new in 8.4.0

Splunk Enterprise Security version 8.4.0 was released on February 4, 2026 and includes the following new enhancements:

Splunk idea New feature Description
Identify and leverage the most powerful detections using Detection Studio Ability to identify the most effective and powerful detections based on your data and security environment to improve search accuracy and reduce alert volume. For more information, see Identify the most optimal detections using Splunk Enterprise Security.
Improvements in the detection editor for creating event-based detections Ability to edit event-based detections is enhanced significantly and includes the following features:
  • Ability to specify findings and intermediate findings in separate sections of the detection editor along with their specific required fields.
  • Information on threat objects, drill-down searches, drill-down dashboards, annotations, and so on, which are​ common to both findings and intermediate findings can be specified in the Analyst Queue section of the detection editor in collapsible panels.
  • Risk scores are optional for findings and can be empty.
  • Entities are not required for a finding and risk messages are not required for entities of a finding.
  • If an intermediate finding output type is selected, at least one entity is required​.
For more information, see Create event-based detections in Splunk Enterprise Security.
Improvements in the detection editor for creating finding-based detections Ability to edit finding-based detections is enhanced significantly and includes the following features:
  • Content from ESCU and other simpler, easy to use content templates are included.
  • Fewer required fields and a streamlined design aligned with risk-based alerting best practices.
  • Default information type such as entity, kill-chain are removed.​
  • Panels to group findings based on entity type is deprecated
For more information, see Create finding-based detections in Splunk Enterprise Security.
New macros introduced to simplify the composition of the searches for finding-based detections Using these macros helps to standardize the aggregation of findings and group them based on entities. Macros also help to ensure consistency and maintainability of the search structure for finding-based detections. Following is a list of the new macros:
  • generate_findings_summary
  • calculate_findings_fields
  • generate_findings_summary_on_entity
Detection versioning is a default feature Turning on detection versioning is no longer optional but available by default when you install or upgrade to Splunk Enterprise Security version 8.4.
Allow skew detection Ability to offset the time to run detections based on scheduler load can automatically distribute search loads across time and improve performance. For more information, see Skew the scheduled time to run detections
Simplify the ability to create findings and investigations Create investigations from scratch or add findings to investigations while creating the finding. Additionally, the number of required fields for creating findings has been reduced. This helps to instantly track emerging threats and reduces the number of required steps to open a case immediately and populate details as they become known. For more information, see Create a simple finding or investigation in Splunk Enterprise Security
Add events to an investigation Ability to provide context for robust security use cases using the ability to add events to investigations and bridge the gap between detection and evidence. Adding events to investigations lets you pull relevant raw events directly into their active investigations. For more information, see Add events to an investigation in Splunk Enterprise Security.
GCP pairing with Splunk SOAR You can now pair Splunk Enterprise Security on GCP with Splunk SOAR on GCP. For more information, see Splunk SOAR Compatibility.
Unified data source configuration for Threat Intelligence Management Activate and deactivate data sources for native threat intelligence or Threat Intelligence Management (Cloud) in a unified interface. See Configure threat intelligence sources in Splunk Enterprise Security.
Team-based work queues Team-based queues organize findings and investigations into focused work-spaces that reflect each team's responsibilities. This can help teams stay focused, reduce noise, and respond to threats faster. See Analyst and team-based queues in Splunk Enterprise Security.
Turning the AI Assistant on or off The AI Assistant in Splunk Enterprise Security helps you work through investigations by summarizing findings, explaining activity in clear language, and suggesting next steps. You can turn the AI Assistant on or off at any time in the configuration settings. See Turn the AI Assistant on or off in Splunk Enterprise Security.
Import and export response plans Import your own response plans as JSON files into Splunk Enterprise Security, or export existing response plans. See Import response plans and Manage response plans.
Cisco Talos integration Cisco Talos data is now available in the Intelligence tab of investigations. Access premium threat intelligence to enrich your findings for easier triage and detecting threats. Cisco Talos Intelligence helps to examine URLs, IP addresses, domain names and so on for security threat classifications and related threat intelligence. See Overview of threat intelligence in Splunk Enterprise Security.
Create a UEBA finding exclusion rule using an entity list Create finding exclusion rules to suppress known safe or irrelevant activity that might otherwise inflate entity risk scores or create alert fatigue. You can now reuse existing entity lists to apply exclusions more effectively and consistently across key users and entities. See Create a finding exclusion rule using UEBA configuration page.

Upgrade notice for 8.x

Upgrading Splunk Enterprise Security to version 8.x is a one-way operation. The upgrade process doesn't automatically back up the app, its content, or its data. Perform a full backup of the search head, including the KV Store, before initiating the Splunk Enterprise Security upgrade process.

When you upgrade to Splunk Enterprise Security version 8.x, you can no longer access any investigations created prior to the upgrade. To save archives of your investigation data, back up and restore your existing Splunk Enterprise Security instance.

If you need to revert back to the version that previously existed on your search head, you must restore the previous version of Splunk Enterprise Security from a backup.

See Upgrade Splunk Enterprise Security.

Note: Upgrades to Splunk Enterprise Security version 8.x from versions 6.x and earlier are not supported. If you are using on-premises version 6.x or earlier, you must first upgrade to version 7.3.2 before upgrading to version 8.x.

Other important notes for upgrading include the following:

  • You cannot upload Splunk Enterprise Security 8.x on an on-premises deployment of Splunk Enterprise 10.x using the UI. You must install Splunk Enterprise Security 8.x using the command line. See Install Splunk Enterprise Security from the command line.
  • Splunk Enterprise Security in a search head cluster environment uses an installer that creates tokens and turns on token authorization if it is not available. Post-installation, the installer deletes the tokens. If an error occurs, contact Splunk Support to delete any residual tokens.
  • The Splunk Enterprise Security Health app is installed but is turned off for all Splunk Cloud customers. This app is turned on by the Splunk Cloud Platform only during upgrades to ensure that the stacks get upgraded faster. Do not turn on the Splunk Enterprise Security Health app.

Share threat data in Splunk Enterprise Security

Sharing telemetry usage data is different from sharing threat data. Sharing of threat data in Splunk Enterprise Security is only introduced for Splunk Enterprise Security Hosted Service Offering (cloud) customers with a standard terms contract renewed or created after January 10, 2025. For more information, see Share threat data in Splunk Enterprise Security

Compatibility and support

  • Splunk Enterprise Security version 8.x is compatible only with specific versions of the Splunk platform. See Splunk products version compatibility matrix for details.
  • Current versions of Splunk Enterprise Security only support TAXII version 1.0 and TAXII version 1.1.

Deprecated or removed features

The following features have been deprecated from Splunk Enterprise Security 8.x:

  • Configuring the investigation type macro is no longer available.
  • Incident Review row expansion is no longer available.
  • Enhanced workflows are no longer available.
  • Sequence templates are no longer available.
  • The Investigation bar, Investigation Workbench, and Investigation dashboard from the Splunk Enterprise Security user interface (UI) are replaced by the Mission Control UI.
  • Service level agreements (SLAs) and role-based incident type filtering are not available.
  • The Content management page was updated to remove the following types of content: Workbench Profile, Workbench Panel, and Workbench Tab.
  • Workbench and workbench related views such as ess_investigation_list, ess_investigation_overview, and ess_investigation have been removed.
  • Capabilities such as edit_timeline and manage_all_investigations have been removed.
  • The Comments feature is replaced by an enhanced capability to add notes.
  • In Splunk Enterprise Security version 7.3, admins can turn on a setting to require analysts to leave a comment with a minimum character length after updating a notable event. In Splunk Enterprise Security version 8.x, you can no longer require a note when an analyst updates a finding in the analyst queue.

Add-ons

Technology-specific add-ons are supported differently than the add-ons that make up the Splunk Enterprise Security framework. For more information on the support provided for add-ons, see Support for Splunk Enterprise Security and provided add-ons in the Release Notes manual.

Note: Some new features might not work for on-prem Splunk Enterprise Security deployments 8.x and higher, unless you upgrade the Splunk_TA_ForIndexers add-on for every release.
Note: Do not uninstall the Mission Control app since the app is part of Splunk Enterprise Security.

To ensure that the Splunk Enterprise Security app works correctly, turn on the following add-ons. If any of the following add-ons aren't turned on, Splunk Support gets automatically notified and ensures that all the required add-ons are turned on automatically.

  • DA-ESS-AccessProtection
  • DA-ESS-EndpointProtection
  • DA-ESS-IdentityManagement
  • DA-ESS-NetworkProtection
  • DA-ESS-ThreatIntelligence
  • SA-AccessProtection
  • SA-AuditAndDataProtection
  • SA-EndpointProtection
  • SA-IdentityManagement
  • SA-NetworkProtection
  • SA-ThreatIntelligence
  • Splunk_SA_CIM
  • Splunk_SA_Scientific_Python_linux_x86_64
  • SplunkEnterpriseSecuritySuite
  • Splunk_ML_Toolkit

Deprecated or removed add-ons

Splunk Enterprise Security no longer includes many of the technology add-ons in the Splunk Enterprise Security package. Instead, you can download the technology add-ons that you need directly from Splunkbase. This change improves the performance of Splunk ES by reducing the number of unnecessary enabled add-ons, and allows you to install the most appropriate and updated versions of add-ons when you install Splunk ES.

The following technology add-ons are removed from the installer, but still supported:

The following technology add-ons are removed from the installer, supported for the next year, but are deprecated and will reach end of support one year from the release date of this Enterprise Security version:

  • TA-airdefense
  • TA-alcatel
  • TA-cef
  • TA-fortinet
  • TA-ftp
  • TA-nmap
  • TA-tippingpoint
  • TA-trendmicro

Updated add-ons

The Common Information Model Add-on is updated to version 6.4.0.

Libraries

The following libraries are included in this release:

  • Splunk_ML_Toolkit-5.3.0-1631633293630.tgz
  • Splunk_SA_Scientific_Python_linux_x86_64-3.0.2-0
  • Splunk_SA_Scientific_Python_windows_x86_64-3.0.0