Ability to compare the differences between detection versions

What's new
Splunk Enterprise Security version 8.1.0 was released on June 10, 2025 and includes the following new enhancements:

New feature: Comparison between versions of detections
Description: Ability to compare the differences between detection versions to determine if an outdated version is turned on or to troubleshoot a detection that is generating false positive alerts.

New feature: UI improvements to the Intermediate findings timeline visualization
Description: Enhanced ability to interact with the visualization to analyze the relationship between intermediate findings and their associated risk scores. The Intermediate findings timeline visualization was previously referred to as the Risk timeline visualization in Splunk Enterprise Security versions 8.0.x.

New feature: Pairing with Splunk SOAR (On-premises)
Description: You can now pair Splunk SOAR (On-premises), in addition to Splunk SOAR (Cloud), to run actions, run playbooks, and review automation history in Splunk Enterprise Security.

New feature: Enhancements to the detection editor
Description:

  1. Use only event-based detections to create finding groups.
  2. Select security annotations from various cyber-security frameworks using the drop-down menu in the detection editor.
  3. Multiple drill-down searches associated with a detection can no longer have the same name.
  4. Ability to delete a drill-down search with the same name if it is not the first drill-down search.
  5. Ability to view, delete, add, or modify the pre-populated suppressed fields in the finding-based detection editor.
  6. Improved search experience: tokens in the titles and descriptions of findings and detections are expanded automatically before the findings and finding groups are stored in the notable index.
  7. Preview the search and test the search results for the finding-based detection in the detection editor to ensure that the detection fits your use case.
  8. PCI governance controls added as annotations to monitor PCI DSS 4.0 requirements.

New feature: Reduced alert noise on the analyst queue since event-based detections can generate both findings and intermediate findings
Description: Event-based detections can be configured to generate both findings and intermediate findings with assigned risk scores that can be modified to reflect accurate risk levels.

New feature: Support for Splunk API
Description: The Splunk Enterprise Security API allows you to use and modify findings, investigations, risk scores, assets, and identities in Splunk Enterprise Security. Additionally, Splunk Enterprise Security offers a set of REST API endpoints that you can use to interact with the Splunk Enterprise Security frameworks programmatically or from Splunk search and build integration applications for use with Splunk Enterprise Security.

New feature: Intelligence summary for findings in the analyst queue
Description: Review threat intelligence attributes associated with a finding in the side panel of the analyst queue. Use threat intelligence attributes to help you determine whether you need to start an investigation based on that finding. Threat intelligence attributes include threat actors, MITRE tactics, CVEs, and malware associated with one or more observables present in the finding.

New feature: New default views in a collapsible side panel for filtering the analyst queue
Description: Filter the analyst queue by new default views such as Owned by me or Risk score. In a new collapsible side panel, you can select from different saved views to make the triage process easier.
