Splunk Security Essentials Release Notes

Splunk Security Essentials - 2.4.0 Release

Major New Feature (Beta): Data Inventory
- Walks you through the data source categories that feed all of the out-of-the-box content in Splunk’s Security products, to indicate whether you have the data and how complete it is.
- Data Availability is now available across the app, with filters or status markers indicating what content you have the data to power.
Major New Feature (Beta): Analytics Advisor
- Including a new Content Overview and dashboards focused on MITRE ATT&CK and the Kill Chain, to provide more clarity on what content is available and how it could be used.
- In addition to orienting you to content, these dashboards will help you see what content you can use with the data you have today. They'll also show you where your already-active content is most focused.
Major Enhancements: Bookmarking
- On the main Security Content and the Data Source Check dashboards, you can now mark content as "Bookmarked" or "Implemented" allowing you to quickly note content you've enabled, to feed the new (beta) Content Dashboards.
- You can also select a bookmark status (such as Implemented, or Needs Tuning) from the search page, alongside the data availability status.
- On the Bookmarked Content dashboard, we've made it much easier to select the status for your bookmarked content.
- We've also overhauled this page with full support for Snapshots of your current Bookmarked Content list and Custom Content list, including Creation / Deletion / Restore / Import / Export of snapshots.
- Why all this Bookmarking? This is the third pillar of new content to support the Analytics Advisor dashboards! Look for an overhaul of the Custom Content list in the next SSE release, along with more enhancements.
MITRE ATT&CK Technique-level Mapping
- We have gone through all of the content that exists across Splunk Security Essentials, Enterprise Security, ES Content Update, and User Behavior Analytics to drive as many technique-level details as possible.
- This content is now exposed on the main Contents page, the | sseanalytics command, and the new (beta) MITRE Content Dashboard.
Improved the Security Contents Search Engine
- You probably didn't know this even existed! We replaced the search icon with an actual search bar to make it more obvious.
- We replaced the search engine with lunr.js which provides support for better filtering, and wildcards! If you didn't know, this is a traditional web search engine which scores for relevance, rather than a log search.
Numerous bugs fixed and smaller enhancements made

Even more so than normal, this was a huge release with contributions from many folks at Splunk. Thank you everyone!

Released by David Veuve - 2019-04-22

Splunk Security Essentials - 2.3.0 Release

This release is focused almost exclusively on a much-requested new feature, the addition of dashboard panels!

How it Works

The Data Source Check dashboard has been expanded with some new functionality. You've probably used this dashboard before to see what content you have the data needed to support -- one of the Splunk Security Essentials crowd favorites! Now, once you've completed that scan (which, by the way, we now store so you don't have to run through it every time), you can click "Create Posture Dashboards" to pop-up the menu with up to 50 out-of-the-box dashboard panels.

Just like everything in Splunk Security Essentials, the dashboards are aware of whether you have the required data sources or not, and they'll take advantage of all of the performance possible, using accelerated tstats queries if you have accelerated data models, or falling back to raw event searches if not. And of course, if you just want to explore the options, you can use just the demo data.

Once you click "Create Dashboards", SSE will create 1-3 new dashboards and automatically add them to the SSE navigation. These dashboards are optimized SimpleXML, so you're welcome to crib searches, rearrange panels, or add new searches as easily as you manipulate any other dashboards.

This is a new feature designed primarily for those getting started (who might prefer a list of the users with the top failed logins, over an email alert), but there are useful dashboard panels for all levels of user. Have feedback? Post on Splunk Answers, or tweet at @davidveuve.

Released by David Veuve - 2018-11-02

Splunk Security Essentials - 2.3.1 Release

Numerous Windows TA 5 bug fixes (missed a specific format before, thank you to those on answers who pointed out the problem!)
Few Bug Fixes for the new 2.3 Dashboarding feature
The main page no longer says "What's New in 2.2" with outdated info, it now says "What's New in 2.3" with updated info!

Released by David Veuve - 2019-01-03

Splunk Security Essentials - 2.3.0 Release

This release is focused almost exclusively on a much-requested new feature, the addition of dashboard panels!

How it Works

Released by David Veuve - 2018-11-02

Splunk Security Essentials - 2.2.0 Release

25 New Use Cases:
1. Aggregate Risky Events
2. Basic Dynamic DNS Detection
3. Building a Departmental Peer Group
4. Detect Many Unauthorized Access Attempts
5. First Time Access to Jump Server for Peer Group
6. Flight Risk Emailing
7. Flight Risk Printing
8. Flight Risk Web Browsing
9. Geographically Improbable Access Detected for Privileged Accounts
10. Many USB File Copies for User
11. New Cloud Provider for User
12. New Data Exfil DLP Alerts for User
13. New User Taking Privileged Actions
14. Non-Privileged Users taking Privileged Actions
15. Potential Day Trading
16. Pull List of Privileged Users
17. RFC1918 IP Not in CMDB
18. Risky Events from Privileged Users
19. Stale Account Usage
20. Unusual Child Process for spoolsv.exe or connhost.exe
21. User Finding Project Code Names from Many Departments
22. User Login to Unauthorized Geo
23. User Login with Local Credentials
24. User with Many DLP Events
25. Web Browsing to Unauthorized Sites
Dramatically improved bookmark export / print-to-pdf capability. If you want to build a report of content from Splunk Security Essentials, simply bookmark them on the main content page (upper right corner of any of the tiles) and then navigate to the Bookmarked Content page and click print. Rather than an ugly printed dashboard, you'll get a modestly attractive many-page-long report with all the details for all the content you've highlighted.
Drill Down to ES and ESCU. If you have ES or ESCU installed and you click on an ES/ESCU use case, a box will pop up allowing you to directly link over to ES/ESCU to view/edit that detection. (Also more ESCU content than ever before!)
Improved Notable Event Workflow! For most of the low volume alerts, we now recommend creating a notable event if you have ES installed! And the workflow will drive you into ES to configure it too.
Tons of Bug Fixes and Usability Improvements! Tried to squash every bug related to an easy user experience, including Windows TA 5 issues, and more! Plus this pop-up is pretty cool too, right?

Released by David Veuve - 2018-08-30

Splunk Security Essentials

Splunk Security Essentials - 2.4.0 Release

Splunk Security Essentials - 2.3.0 Release

How it Works

Splunk Security Essentials - 2.3.1 Release

Splunk Security Essentials - 2.3.0 Release

How it Works

Splunk Security Essentials - 2.2.0 Release

Splunk Security Essentials - 2.1.1 Release

Splunk Security Essentials - 2.1.0 Release

Splunk Security Essentials - 2.0.0 Release

Splunk Security Essentials - 1.4.6 Release

Splunk Security Essentials - 1.4.5 Release

Splunk Security Essentials - 1.4.4 Release

Splunk Security Essentials - 1.4.3 Release

Splunk Security Essentials - 1.4.2 Release

Splunk Security Essentials - 1.4.1 Release

Splunk Security Essentials - 1.4.0 Release

Splunk Security Essentials - 1.3.2 Release

Splunk Security Essentials - 1.3.1 Release

Splunk Security Essentials - 1.3.0 Release

Splunk Security Essentials - 1.2.0 Release

Splunk Security Essentials - 1.1.1 Release

Splunk Security Essentials - 1.1.0 Release

Splunk Security Essentials - 1.0.3 Release

Splunk Security Essentials - 1.0.2 Release

Splunk Security Essentials - 1.0.1 Release

Splunk Security Essentials - 1.0.0 Release