What's New for Splunk Enterprise Security v8?
Author: Ben Marrable
Release Date: 11/12/2024
Splunk introduced many changes with the release of Enterprise Security 8.0; see the links at the bottom for more. One of the most significant is the language used within the product. The aim was to standardise terminology across the cybersecurity industry and align with an open standard, the Open Cybersecurity Schema Framework (OCSF). The tables below detail many of the changes.
In addition, the goal is to align terminology across the entire Splunk security portfolio:
• Enterprise Security (ES)
• Splunk Security Essentials (SSE)
• Security Orchestration Automation and Response (SOAR)
• Splunk Attack Analyzer (SAA)
• Splunk Asset and Risk Intelligence (ARI)
• Splunk User Behaviour Analytics (UBA)
Further explanations for these solution titles can be found on Splunk Docs.
Terminology
ES 7.3 and earlier term | ES 8.0 term | Meaning |
---|---|---|
Correlation Search | Detection | A detection is a type of scheduled search. It lets you detect suspicious events and patterns in your data. You can configure a detection to generate a finding or an intermediate finding when search results meet specific conditions. The detection results must include at least one event to generate a finding. |
Correlation Rule | Event-Based Detection | An event-based detection is a type of detection that looks at raw or accelerated data sent to Splunk as events. You can configure an event-based detection to generate a finding (previously produced by a correlation rule) or an intermediate finding (previously produced by a risk rule) when search results meet specific conditions. A single event-based detection produces either findings or intermediate findings, not both; a single correlation search could previously do both. |
Risk Rule | Event-Based Detection | See above |
Risk Indicator / Incident Rule | Finding-Based Detection | A finding-based detection is a type of detection looking at a collection of findings or intermediate findings. A finding group is created when that collection exceeds a given threshold over an entity. That collection could be over a variety of data points, such as the number of findings/intermediate findings or the accumulated risk score of those intermediate findings. Additionally the finding group could be triggered when a threshold of the number of entities is exceeded over a threat object. |
Notable Event | Finding | You can investigate findings using the Analyst Queue dashboard in Splunk Enterprise Security. |
Risk Notable | Finding Group | You can investigate finding groups using the Analyst Queue dashboard in Splunk Enterprise Security. |
Risk Observable / Event | Intermediate Finding | Intermediate findings are not displayed in the analyst queue. These can be seen in the underlying index or when grouped into a finding group by exceeding a threshold defined in a finding-based detection. |
Incident Review | Analyst Queue | The analyst queue combines the best features of the Enterprise Security and Mission Control incident review pages. Its new, streamlined progressive-disclosure user interface is aimed at minimising effort and making the most of security analysts' time. |
ES 7.3 and earlier term | ES 8.0 term | Meaning |
---|---|---|
Comment | Note | OCSF terminology |
Splunk Events | Events | OCSF terminology |
Alerts | Third-Party Alerts | OCSF terminology |
Risk Object | Entity | OCSF terminology |
Response Plan, Response Template | Response Plan | OCSF terminology |
Indicator, Threat Artefact | Indicator | OCSF terminology |
Threat-Matching Searches | Threat-Match Detections | OCSF terminology |
Threat Match, Threat Activity | Threat Finding | OCSF terminology |
Artefact, Evidence | Artefact | OCSF terminology |
Intelligence Workflows (TIM) | Threatlists | OCSF terminology |
Feature Replacements and Deprecations
ES 7.3 | ES 8.0 | Meaning |
---|---|---|
Incident Review | Mission Control Analyst Queue | Shows Findings and Investigations |
ES Investigations | Investigation | ES Investigations are deprecated; the Mission Control Investigation is used in their place |
Mission Control Incident | Investigation | A case that has been manually or automatically flagged and is displayed in the analyst queue of the Mission Control page in Splunk Enterprise Security. Investigations are a collaborative process for security personnel such as analysts, SOC managers, automation engineers, security architects and so on to identify, collect, and examine findings or finding groups. |
Mission Control Incident Details Page | Investigation Details Page | See above |
ES Incident Review Row Expansion | Analyst Queue sidebar view | Details about the finding are now found on the sidebar view |
Investigation Bar, Dashboard and Workbench | Mission Control incident UI replaces ES Investigations | Data from previous Investigations will not be migrated across |
Sequence Templates | Not Available in ES v8 | Deprecated |
Previous Mission Control: SLAs, Role-Based Incident Type Filtering | Not Available in ES v8 | Deprecated |
PCI | No accompanying release for ES 8.0 | To follow |
Select All | Analysts can only select all from a single page, rather than every page | Slight change |
Findings vs Investigations
Findings | Investigations |
---|---|
Generated by Detections | Generated if an analyst or automated playbook decides to elevate a finding |
Located in the Analyst Queue | Located in the Analyst Queue |
Can show individually in the Analyst Queue, under an investigation or under a Finding Group | Only shows up individually in the Analyst Queue |
Limited Response to a threat, including adaptive response and playbooks | Access to investigations UI which includes response plans and automation as well as those responses for a finding |
Types of Finding-Based Detections
Type | Finding Grouping Mechanism |
---|---|
Entity | Common Entity |
Threat Object | Common Threat Object |
Cumulative Entity Risk | Entity Risk Threshold has been exceeded over a period of time |
Kill Chain | Kill Chain Phases exceed a threshold on an entity over a period of time |
MITRE ATT&CK | Number of MITRE techniques or tactics exceeds a threshold on an entity over a period of time |
Similar Findings | Number of Entities exceeds thresholds for a given detection over a period of time |
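To make the grouping mechanisms in the table above concrete, here is an added Python illustration (not Splunk's code, and not how ES implements finding-based detections, which are scheduled searches over the findings and intermediate findings ES stores) of three of them: Cumulative Entity Risk, MITRE ATT&CK and Similar Findings. The intermediate findings, their field names, entity names, scores and the thresholds and windows are all constructed for the example. Each mechanism is the same operation with a different bucket key and measure: bucket intermediate findings, evaluate a measure over a sliding time window, and raise one finding group the first time the threshold is exceeded.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of intermediate findings, i.e. what event-based
# detections would have produced for later grouping. Field names, entity
# names, techniques and scores are invented for this example and are not
# taken from a real Splunk risk index.
FIELDS = ("time", "entity", "risk_score", "technique", "detection")
INTERMEDIATE_FINDINGS = [dict(zip(FIELDS, row)) for row in [
    ("2024-11-12T08:00:00", "host-22", 40, "T1059", "Suspicious PowerShell"),
    ("2024-11-12T09:00:00", "host-17", 40, "T1059", "Suspicious PowerShell"),
    ("2024-11-12T09:10:00", "alice",   50, "T1110", "Excessive Failed Logins"),
    ("2024-11-12T09:15:00", "alice",   50, "T1110", "Excessive Failed Logins"),
    ("2024-11-12T09:20:00", "host-17", 30, "T1105", "Ingress Tool Transfer"),
    ("2024-11-12T09:30:00", "alice",   20, "T1078", "Logon From New Country"),
    ("2024-11-12T09:45:00", "host-17", 35, "T1003", "LSASS Memory Access"),
    ("2024-11-12T10:30:00", "host-22", 40, "T1059", "Suspicious PowerShell"),
    ("2024-11-12T10:40:00", "bob",     50, "T1110", "Excessive Failed Logins"),
    ("2024-11-12T10:50:00", "carol",   50, "T1110", "Excessive Failed Logins"),
]]


def _ts(finding):
    return datetime.fromisoformat(finding["time"])


def finding_groups(findings, key, measure, threshold, window, kind):
    """Generic finding-based detection (illustrative, not ES's implementation).

    Buckets intermediate findings by `key` (the entity, or the detection name
    for Similar Findings), evaluates `measure` over the sliding window that
    ends at each finding, and emits one finding group per bucket the first
    time the measured value exceeds `threshold`. Returns {bucket: group}.
    """
    buckets = defaultdict(list)
    for f in findings:
        buckets[f[key]].append(f)
    groups = {}
    for name, items in buckets.items():
        items.sort(key=_ts)
        for i, current in enumerate(items):
            start = _ts(current) - window
            in_window = [f for f in items[: i + 1] if _ts(f) >= start]
            value = measure(in_window)
            if value > threshold:
                groups[name] = {
                    "type": kind, key: name, "value": value,
                    "threshold": threshold, "time": current["time"],
                    "findings": in_window,
                }
                break  # one group per bucket; it is then worked from the queue
    return groups


def cumulative_entity_risk(findings, threshold=100, window=timedelta(hours=1)):
    """Cumulative Entity Risk: summed risk score per entity over the window."""
    return finding_groups(findings, "entity",
                          lambda fs: sum(f["risk_score"] for f in fs),
                          threshold, window, "Cumulative Entity Risk")


def mitre_attack(findings, threshold=2, window=timedelta(hours=1)):
    """MITRE ATT&CK: distinct techniques seen on one entity over the window."""
    return finding_groups(findings, "entity",
                          lambda fs: len({f["technique"] for f in fs}),
                          threshold, window, "MITRE ATT&CK")


def similar_findings(findings, threshold=2, window=timedelta(hours=2)):
    """Similar Findings: distinct entities hit by one detection over the window."""
    return finding_groups(findings, "detection",
                          lambda fs: len({f["entity"] for f in fs}),
                          threshold, window, "Similar Findings")


if __name__ == "__main__":
    for detect in (cumulative_entity_risk, mitre_attack, similar_findings):
        for name, g in detect(INTERMEDIATE_FINDINGS).items():
            print(f'{g["type"]}: {name} value={g["value"]} (> {g["threshold"]}) '
                  f'at {g["time"]} from {len(g["findings"])} intermediate findings')
```

Running it shows the point the table makes but does not spell out: the same three intermediate findings on host-17 trigger both a Cumulative Entity Risk group (105 > 100) and a MITRE ATT&CK group (three distinct techniques), while alice's two repeated T1110 findings only trip the risk threshold, and the failed-login detection is grouped as Similar Findings only once it has hit more than two distinct entities. The window and threshold are what decide whether low-score intermediate findings ever reach the analyst queue, so they deserve the same tuning attention as the detections themselves.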
User Interface Changes
ES 7.3 and earlier location | ES 8.0 location |
---|---|
Security Posture | Moved under Analytics |
Incident Review | Renamed Mission Control |
Investigations | Moved into Mission Control |
Security Intelligence, Security Domains, Cloud Security, Audit | Moved under Analytics |
Configure | Remains the same, but its subtabs have migrated to the All Configurations page |
Content Management | Moved under the new Security Content tab, along with Use Case Library, Risk Factors, and the new Response Plans (Mission Control) and Playbooks (SOAR) |