Splunk Security Essentials
Overview
Details
Security Content Library
Find security content for Splunk Cloud and Splunk's SIEM and SOAR offerings and deploy out-of-the-box security detections and analytic stories to enhance your investigations and improve your security posture.
Cybersecurity Frameworks
Identify gaps in your defenses and take control of your security posture with automatic mapping of data and security detections to MITRE ATT&CK® and Cyber Kill Chain® framework.
Data and Content Introspection
Gain visibility of the data coming into your environment to add context and telemetry to security events. Enrich your security detections with metadata and tags from the Security Content Library.
Security Data Journey
Get prescriptive security and data recommendations and establish a data strategy to develop a security maturity roadmap.
We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. This means that if you have SSE version 3.7.1 or lower, the last supported ESCU version is ESCU 4.22.0. In order to get the latest ESCU version, you will need to upgrade SSE to version 3.8.0.
Learn more:
Download the Product Brief : https://www.splunk.com/pdfs/product-briefs/splunk-security-essentials.pdf
Try out Splunk Security Essentials: https://www.splunk.com/en_us/form/splunk-security-essentials-online-demo.html
Check out the Documentation site: https://docs.splunk.com/Documentation/SSE
Overview
Support * sse-support@splunk.com
Release Notes
Version 3.8.1
Version 3.8.0
https://docs.splunk.com/Documentation/SSE/3.8.0/ReleaseNotes/Enhancements
We have changed the security content delivery endpoint for ESCU to comply with Splunk guidance. This means that if you have SSE version 3.7.1 or lower, the last supported ESCU version is ESCU 4.22.0. In order to get the latest ESCU version, you will need to upgrade SSE to version 3.8.0.
Version 3.7.1
Version 3.7.0
Version 3.6.0
Version 3.5.1
Version 3.4.0
Version 3.3.4
This release of Splunk Security Essentials included adding the latest Security Content and MITRE ATT&CK Enterprise JSON to Splunk Security Essentials and fixing the following issues:
- Custom Content modal is missing two options for Bookmark status.
- When adding a custom data source, option 1 and 2 in the modal do not work.
- After configuring Data Inventory and later revisiting, it looks like it is incomplete with some searches still outstanding.
- Local searches are missing from the list when adding Custom Content.
- Risk searches are not automatically mapped to local saved searches.
- Local Search mappings edit link directs to the Edit Alert interface rather than Edit Correlation Search.
- Add/Edit Custom Content modal is missing the bottom half.
- False positives in the Detect Credit Card Numbers SPL.
Version 3.3.3
In this release of Splunk Security Essentials, JQuery was migrated to version 3.5.1. This release also included fixes for the following issues:
-Label tooltips not working on Analytics Advisor
-MITRE Platform not updating to the latest values in the Analytics Advisor dropdown
-Automatic Posture Dashboards not being created
-Custom Content generates an error on the Data Inventory page
-Removed deprecated dashboards from Splunk Security Essentials
Version 3.3.2
-Added latest Security Content and ATT&CK Enterprise JSON to the build.
-Added analytic_story as a field on the ES Incident Review page.
Bug Fixes
-Changing bookmark status deletes existing bookmark notes
-MITRE Overview page tabs do not work
-Dropdowns on Security Content page can only be expanded once
-When using the multi-technique search on the Security Content page, the Technique dropdown isn't pre-selected with the entered Technique IDs
-On the Security Content drill down page, the "Line-by-Line SPL Documentation" action is broken
-Changing bookmark status on Showcase page not reflected in GUI
Version 3.3.0
- New visualization for ESCU/Splunk Security Research content. The visualization has a new look and there are added options to easily deploy all necessary lookups, macros, and schedule searches.
- Custom bookmark statuses. All bookmarks are now stored in the kvstore and you can set custom bookmark statuses for the Manage Bookmarks dashboard.
- New location for Splunk Security Essentials documentation: https://docs.splunk.com/Documentation/SSE
- Additional documentation and offline documentation has been added to SSE.
- Added new data sources, detections, and categories
Bug Fixes
- Fixed a bug in Data Introspection if there wasn’t any data available
- Modified export reports to include new fields
- Fixed a permissions issue for the Mission Control dashboard
- Error with MITRE matrix where attack groups would not render an icon on the table
- Fix logic error in local search mapping
- Numerous other small fixes
Version 3.2.2
- We’ve added the Software object from the ATT&CK Framework. This now appears on the Security Content page and the Analytics Advisor MITRE ATT&CK Overview dashboard.
- Incorporated the updates released in ATT&CK v8. The PRE-ATT&CK matrix have now been deprecated and merged into the standard Enterprise matrix.
- You can now browse and filter detections to the new “Network" matrix.
- An option to force a content update has been added under the Configuration page.
- The ATT&CK Technique dropdown on the Security Content page now includes the ID for the technique.
- The MITRE ATT&CK Matrix is now backwards compatible with Splunk v7 but without the Sub-Techniques being rendered. The Sub-Techniques will not be nested as they are on v8 as this is a limitation of Splunk v7.
- A new filter is available in Security Content to find Phantom playbooks mapped to content.
Bug Fixes
- ATT&CK Sub-Techniques nesting appeared in the wrong order on the ATT&CK Matrix panel.
- Fixed bug with cim_vladiator in the Suggested Apps.
Version 3.2.1
• Mitre ATT&CK Updates - Added support for MITRE ATT&CK Sub-Techniques
• Better Industry Framework Support - Included support for CIS and NIST
• Automatic updates for Security Research Content - Security Content from the Splunk Research team (i.e. ESCU) is now automatically downloaded into SSE using the Splunk Security Content API
•Support for ES 6.3+ Annotations Framework - Enabling detections through SSE will now populate the Annotations Framework with MITRE ATT&CK, Killchain, NIST, CIS and some SSE fields.
• Major UI Improvements for Content Mapping - It's now easier than ever to maintain all your Content in SSE and have it mapped with what is actually enabled in your environment. You can now also map multiple saved searches to a single piece of content in SSE and still have enrichment for Notables and Risk Objects.
• Bug Fixes - As with every release we have squashed numerous bugs.
Version 3.2.0
This release comes with some great new capabilities and a ton of new content:
• MITRE ATT&CK Sub-Techniques in the Analytics Advisor as well as a new and improved look.
• All Security Research Content is now available and we’ve included the actual search string in the SSE UI in the detection showcase page.
• NIST/CIS filtering for the detections.
• More datasources are detected by the Data Inventory (Windows DNS, Windows DHCP, Azure AD Sign-in)
• New Timeline visualization on the “Analyze ES Risk Attributions” dashboard. This will show notables and risk modifiers on a timeline with links to ATT&CK Tactics and Techniques. (Requires the Timeline Viz)
• 4 new native detections and 40+ detections from the Security Research team.
• Plenty of general improvements and bug fixes
Version 3.1.2
Added Data Inventory support for many new data sources that are not linked to CIM data models yet
Azure, GCP, AWS logs
Kubernetes audit logs from Azure, GCP, AWS
Splunk Connect for Kubernetes
Sysmon DNS
Stability improvements for Data Introspection
Added a new filter in the content page for industry mapping
Updated content with the latest content from Splunk Research
Various bug fixes
Version 3.1.1
Added updated content
Few small bug fixes
Version 3.1.0
- New Mitre Mappings - Added support for MITRE platform mappings when filtering content.
- Improved content mapping features to more easily find in SSE and export to ES
- Word Doc Export - We've added in the ability to export your bookmarked content as a Word document
- Updated ESCU content - Updated to the latest version of the ES Content Update (1.0.53)
- Bug Fixes - Fixed bugs relating to partner content update, and a few other smaller bugs
Version 3.0.6
Fix for mitremap command content_available flag
Fix for loading partner content from external sources
Version 3.0.5
- Fixed a bug relating to introspection button not appearing
- Fixed DS mapping bug
- Fixed bug loading partner content from external sources
- Few other small fixes and tweaks
Version 3.0.3
Version 3.0.3 Release Notes:
Hopefully knocked out the last big data introspection bug, which impacted environments with lots of cardinality in the source field. Please see the troubleshooting link below if your system is in an unhappy state.
Also knocked out lots of other bugs!
If your data inventory wouldn't complete successfully with version 3.0.2 or earlier, upgrade to 3.0.3 and then reset your configuration by walking through the steps detailed here: https://docs.splunksecurityessentials.com/technical-details/troubleshooting/#data-inventory-introspection
Version 3.0.2
3.0.2 Release Notes:
Critical Bug Fix for Older Splunk Releases (Linux/OSX 7.0 and earlier, Win maybe all 7.3 and earlier)
Fix for minor error that threw a warning on all releases
* Improved debugging capability
Version 3.0.1
3.0.1 Release Notes
Python3 Compatibility in anticipation of future Splunk releases
Numerous bug fixes
* A Partner Framework
Version 3.0.0
Release Notes:
SSE 3.0 is a huge release! Check https://docs.splunksecurityessentials.com/whatsnew for all the details, and check out https://www.splunksecurityessentials.com/ for the new website!
Here are some of the highlights:
New Home Page and major UX overhaul, with tours showing you how to configure everything in the app
Extensive documentation and detail of UBA and ESCU content
Content recommendation dashboards for MITRE ATT&CK and RBA
Azure and GCP content
Promoting Beta functionality, including the Analytics Advisor dashboards, and Data Inventory
MLTK-powered Data Availability Dashboard
CIM Compliance Check Dashboard
Enough bug fixes to qualify us as entomologists
* Docs site and Web Site! https://www.splunksecurityessentials.com
This release had a ton of contributors. Thank you to all of them! https://docs.splunksecurityessentials.com/release-notes/contributors/