Configuration and settings: Manage specific configuration settings in the ES UI
What's new in 8.5.0
Splunk Enterprise Security version 8.5.0 was released on April 8, 2026 and includes the following new features and enhancements:
New Feature: Configuration and settings: Manage specific configuration settings in the ES UI
Description: Ability to manage configuration files using a new system configurations page in Splunk Enterprise Security. For more information, see Modify configuration files using Splunk ES UI.
New Feature: Configuration and settings: Configure workload pool to run search jobs
Description: Configure settings in the ES UI to manage resources and optimize system performance when running search jobs from the analyst queue. For more information, see Manage resources by assigning search jobs to a workload pool.
New Feature: Detections: Detection tuning
Description: Adjust your detection SPL in real time to reduce false positives and improve the accuracy of alerts. For more information, see Tune detections in Splunk Enterprise Security.
New Feature: Detections: Test detections in production
Description: Test detections on production data using Splunk Enterprise Security to evaluate their behavior and validate search results without impacting SOC analyst workflows. For more information, see Test detections on production data using Splunk Enterprise Security.
New Feature: Detections: Test panel in the detection editor to validate detection search results
Description: Enhancements to the test panel in the detection editor improve the accuracy of alert-volume estimates during detection testing. Select Findings mode with a timeout option to calculate the number of findings based on the detection's configuration settings and to limit the duration of the test. Select Events mode with a lookback option to show raw event counts within a specified time frame, so you can spot duplicates or misconfigurations. For more information, see Estimate the volume of alerts from detection outputs in Splunk Enterprise Security.
New Feature: Detections: Improvements in the detection editor for creating finding-based detections
Description: SPL templates are provided in the detection editor that you can modify to create finding-based detections. For more information, see Edit detection SPL templates and macros for finding-based detections.
New Feature: Detections: Improvements to the detection editor and default templates for detections
Description: Tested SPL templates are provided in the detection editor that you can modify to create a finding-based detection. For more information, see Detection templates.
New Feature: Analyst queue: Team-based queue enhancements
Description: Assign queue permissions at a granular level for different roles. Determine whether a role can create, read, update, delete, or execute actions. See Permissions for team-based queues and Role-based access control lockdown.
New Feature: Exposure analytics
Description: Set up exposure analytics to automatically discover assets and users across your environment, enrich findings with context, and allow for precise attribution and a reduced attack surface.
To set up exposure analytics, see Exposure analytics set up guide for admins in Splunk Enterprise Security.
If you're an existing ARI user, see Using Splunk Asset and Risk Intelligence after upgrading to Splunk Enterprise Security 8.5.
New Feature: Investigations: Workflow enhancements
Description: Improved field groupings and collapsible panels in the investigation side panel. For more information, see Pre-defined fields in the side panel of the investigation.
New Feature: Investigations: Improved guidance on managing KV Store collections
Description: Guidance on optimizing KV Store collections to improve detection performance. For more information, see Manage KV Store collections in Splunk Enterprise Security.
New Feature: Splunk Attack Analyzer integration: Threat analysis for phishing incidents
Description: Powered by Splunk Attack Analyzer, threat analysis allows you to perform static analysis on email bodies and metadata to identify malicious activity, review resource trees and system verdicts to assess the nature of the threat, and examine email screenshots to confirm visual indicators of phishing. See Phishing investigation and threat analysis in Splunk Enterprise Security.
New Feature: Configure SOAR apps in Splunk Enterprise Security
Description: Configure third-party apps in Enterprise Security to use Enterprise Security data. Microsoft (MS) Graph Office 365, IMAP, and Gmail apps can create findings in the Analyst Queue, so analysts can easily access full email content. See Configure Splunk SOAR apps in Splunk Enterprise Security.
New Feature: Automation rules update
Description: Automation rules can now trigger based on data ingested by apps configured in Splunk Enterprise Security. See Configure automation rules to run playbooks based on findings in Splunk Enterprise Security and Configure Splunk SOAR apps in Splunk Enterprise Security.
New Feature: System insights dashboards
Description: Splunk App for SOAR has new, intuitive dashboards, including more comprehensive metrics, direct links to run logs, and flexible alerting options, providing you with more precision and agility.
For details, see System insights in the Splunk App for SOAR documentation.
New Feature: Splunk Cloud Connect for Splunk Enterprise Security
Description: Access Cloud extensions from Splunk Enterprise Security (On-premises). For more information, see Access Splunk Cloud Connect in Splunk Enterprise Security to access Cloud extensions. For some troubleshooting tips on common connection or user interface issues when using Splunk Cloud Connect, see Troubleshoot common issues when using Splunk Cloud Connect.
New Feature: Support for CIM entity zones for entity risk scoring
Description: Entity risk scoring now supports CIM entity zones. For more information, see Entity risk scoring in Splunk Enterprise Security.
New Feature: UEBA enhancements
Description: New UEBA detections and expanded regional availability. See UEBA regional availability and UEBA detection reference for UEBA on-premises.
New Feature: Detection Studio
Description: Detection Studio, which helps you identify optimal detections in Splunk Enterprise Security, is now generally available (GA). For more information, see Identify optimal detections using Detection Studio in Splunk Enterprise Security.
New Feature: (Alpha) Triage agent
Description: Set up the AI triage agent to autonomously investigate findings as they show up in queues. With the AI triage agent, you can find a suggested disposition, a clear rationale, and recommended next steps for the finding before a human touches it. See AI analysis in Splunk Enterprise Security and Setting up the AI triage agent.
New Feature: Response plans created by the SOP agent
Description: Use the new SOP agent to import your existing SOP documents and create response plans from them. For details, see Create response plans with the SOP agent.
New Feature: Ready-to-use Splunk response plans
Description: New built-in, ready-to-use Splunk response plans available with recommended Splunk SOAR automation. See Included response plans in Splunk Enterprise Security.
New Feature: Expanded regional availability for Threat Intelligence Management
Description: New supported regions added for Threat Intelligence Management. See Threat Intelligence Management regional availability.