Use detection versioning in Splunk Enterprise Security
Create and maintain multiple versions of any detection and track the relationships between the detections that exist in Splunk Enterprise Security and the ESCU app. You can also track the customized detections created for specific use cases and identify the detections that are relevant for your use case. Additionally, versioning makes troubleshooting detections easier.
You can turn any version of a detection on or off without its findings corrupting the investigation queues that analysts work from. You can clone, delete, or archive a specific version of a detection. When you change a detection, saving it always creates a new version. If you change a version that is currently turned on, the new version is not turned on by default: you must turn on the new version yourself when you are ready to do so.
Additionally, you can save a new version or create a clone of any version of a detection, which need not be the latest version. Lastly, you can optionally add a version note to a new version of a detection at the time of saving it, which can assist during investigations.
Turn on versioning for detections
Follow these steps to turn on the ability to create multiple versions for detections:
- Confirm that the cms_main index is available. If you configure indexes manually, you must configure the cms_main index before turning on detection versioning.
- In Splunk Enterprise Security, go to the Configure tab.
- Select General settings.
- Go to the Detection versions panel and select Turn on to turn on versioning for detections.
A confirmation message displays when versioning for detections has been turned on. Turning on detection versioning can take approximately 10 minutes.
Reviewing differences between detection versions
Review the differences between detection versions based on detection updates from the ESCU app and Splunk Enterprise Security to determine whether you are using an outdated version and need to turn on a newer version of the detection. You can also compare detection versions to troubleshoot a detection that is turned on but generating false positive alerts.
You can view differences between any version of any detection, irrespective of whether you made the updates manually or whether the updates were made automatically using the app.
Compare detection versions
Follow these steps to compare different versions of a detection:
- In Splunk Enterprise Security, open the detection in the detection editor.
- Go to the Versions panel in the Edit detection page and select the toggle button for Diff comparison to turn on the comparison of detection versions. The Versions panel displays a complete list of all the versions available for a detection along with the creation date and time.
- From the App drop-down menu in the diff window, select the app from which you want to compare the detection.
- From the Detection drop-down menu in the diff window, select the name of the detection for which you want to compare the versions. The drop-down menu in the diff window lists the recently edited detections that you can select to view.
- From the Version drop-down menu in the diff window, select the version of the detection that you want to compare against the selected version highlighted in the Version panel.
- Select Submit.
- Review the highlighted differences between the two detection versions using the side-by-side comparison windows.
Note: Viewing the differences between detection versions is read-only. The detection diff comparison viewer displays the detection in *.conf file format rather than as it appears in the detection editor.
- Use the Text wrap button on the right panel for text wrapping or horizontal scrolling as required.
- Use the clickable mini-map to navigate between the differences in the two detections.
- Select the Open in editor icon on the left panel to open the detection shown on the left panel in the detection editor on a separate tab, where you can edit it.
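Because the diff viewer shows each version in *.conf format, the same comparison can be reproduced offline against exported savedsearches.conf stanzas, for example to review an ESCU update before turning on the newer version. The following is an added example and not code from Splunk or the ESCU app. The two stanzas are constructed sample input, the detection name and field values are hypothetical, and the script only parses a single stanza per text block.

```python
"""Compare two versions of a Splunk detection given as savedsearches.conf stanzas.

Added example, not Splunk product code. The stanzas below are constructed
sample input with a hypothetical detection name; keys such as `search`,
`cron_schedule` and `disabled` are standard savedsearches.conf settings.
"""
import configparser
import difflib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: version 1 of the detection as the diff viewer would show it.
V1 = """
[ESCU - Suspicious Scheduled Task Creation - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name="schtasks.exe" by Processes.dest Processes.user Processes.process | rename Processes.* as *
cron_schedule = 0 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
disabled = 1
"""

# Constructed sample: version 2 narrows the search, runs more often and is turned on.
V2 = """
[ESCU - Suspicious Scheduled Task Creation - Rule]
search = | tstats count from datamodel=Endpoint.Processes where Processes.process_name="schtasks.exe" Processes.process="*/create*" by Processes.dest Processes.user Processes.process | rename Processes.* as *
cron_schedule = */30 * * * *
dispatch.earliest_time = -70m@m
dispatch.latest_time = -10m@m
disabled = 0
action.notable = 1
"""


def parse_stanza(conf_text: str) -> Tuple[str, Dict[str, str]]:
    """Parse one [stanza] of .conf text into (stanza name, {key: value})."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str  # keep key case; Splunk conf keys are case-sensitive
    parser.read_string(conf_text)
    [name] = parser.sections()  # the sample holds exactly one stanza
    return name, dict(parser[name])


def diff_stanzas(old_text: str, new_text: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return every key whose value differs, as key -> (old, new); None marks an absent key."""
    _, old = parse_stanza(old_text)
    _, new = parse_stanza(new_text)
    return {
        key: (old.get(key), new.get(key))
        for key in sorted(set(old) | set(new))
        if old.get(key) != new.get(key)
    }


def split_spl(search: str) -> List[str]:
    """Split SPL into one command per line for a readable diff.

    Naive split on '|': a pipe inside a quoted string would also be split,
    so this is for display only, not for rewriting the search.
    """
    return [cmd.strip() for cmd in re.split(r"\s*\|\s*", search) if cmd.strip()]


def search_diff(old_text: str, new_text: str) -> List[str]:
    """Unified diff of the `search` setting, one SPL command per line."""
    _, old = parse_stanza(old_text)
    _, new = parse_stanza(new_text)
    return list(difflib.unified_diff(
        split_spl(old.get("search", "")), split_spl(new.get("search", "")),
        fromfile="old", tofile="new", lineterm="",
    ))


def enablement_changed(old_text: str, new_text: str) -> bool:
    """True if the new version would be turned on while the old one was off, or vice versa."""
    changes = diff_stanzas(old_text, new_text)
    return "disabled" in changes


if __name__ == "__main__":
    for key, (old_val, new_val) in diff_stanzas(V1, V2).items():
        print(f"{key}: {old_val!r} -> {new_val!r}")
    print("\n".join(search_diff(V1, V2)))
    if enablement_changed(V1, V2):
        print("note: the 'disabled' setting differs between the two versions")
```

Checking the `disabled` key separately mirrors the point made earlier on this page: a newly saved version is not turned on by default, so a comparison that shows `disabled` changing is worth a second look before you turn the new version on.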
See also
For more information on detections in Splunk Enterprise Security, see the product documentation: