- \n
- Content versioning<\/li>\n\n\n\n
- Versioning deactivation<\/li>\n\n\n\n
- Index creation<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- The Process<\/strong><\/li>\n\n\n\n
- Usage<\/strong>\n
- \n
- Additional information<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Conclusion<\/strong><\/li>\n<\/ol>\n\n\n\n
Splunk Enterprise Security v8.0.2<\/a> is out since January, 22nd<\/sup>.<\/p>\n\n\n\n
I will present to you a new feature introduced in this version: detection versioning. <\/p>\n\n\n\n
Long awaited, this functionality is interesting in several ways. First of all, in theory, you can avoid using Git or GitLab to keep versions of your detections, as it is directly integrated into ES.<\/p>\n\n\n\n
Secondly, it makes troubleshooting detections easier: all you have to do is switch from one version to another directly from the UI.<\/p>\n\n\n\n
Limitations<\/h3>\n\n\n\n
Before starting, there are limitations to the versioning feature provided with ES 8.0.2.<\/p>\n\n\n\n
Content versioning<\/h4>\n\n\n\n
Only detections provided in Enterprise Security Content Update (ESCU)<\/a> and ES<\/a> are imported. User-created content is neither imported nor authorized to be managed by Versioning. However, you can still move your own detection rules to the Enterprise Security app before enabling versioning, and it will work.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image.png\")
<\/figure>\n\n\n\nSource: Create multiple versions of a detection in Splunk Enterprise Security – Splunk Documentation<\/a><\/p>\n\n\n\n
Versioning deactivation<\/h4>\n\n\n\n
If you enable versioning, you cannot disable it from the GUI. The documentation advises contacting Splunk support<\/a> if you want to disable it.
You have been warned !<\/p>\n\n\n\nIndex creation<\/h4>\n\n\n\n
Enabling the versioning feature creates an index named
cms_main<\/code>. Be aware of this before enabling it, or plan beforehand where the index should be created.
Let’s go for the process to activate and use this feature.<\/p>\n\n\n\nThe Process<\/h3>\n\n\n\n
By default, versioning is not enabled. You need to enable it manually by going to ES > Configure > General Settings and selecting “Turn on” in the Detection Versioning tile.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-17.png\")
<\/figure>\n\n\n\n<\/p>\n\n\n\n
\n\n![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-3.png\")
<\/figure>\n<\/div>\n\n\n\n\nIt might take up to 10 minutes to turn on, as indicated in the documentation : Use detection versioning in Splunk Enterprise Security – Splunk Documentation<\/a><\/p>\n<\/div>\n<\/div>\n\n\n\n
This process enables the
SA-ContentVersioning<\/code> app located in Splunk directory and uses thecms_main<\/code> index (by default in$SPLUNK_DB<\/code> directory) to store changes.<\/p>\n\n\n\nIt also adds a lookup collection called \u2018
cms_metadata<\/code>\u2019 which contains metadata for each detection such as: <\/p>\n\n\n\n- \n
- ID <\/li>\n\n\n\n
- hash <\/li>\n\n\n\n
- version information <\/li>\n\n\n\n
- publishing time <\/li>\n\n\n\n
- user modifying the detection <\/li>\n\n\n\n
- app it belongs to <\/li>\n\n\n\n
- parent version (only the number, not the content)<\/li>\n<\/ul>\n\n\n\n
All detections included in Splunk ES and ESCU (if installed) are automatically imported and managed by versioning.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-4.png\")
<\/figure>\n\n\n\nAnd then you get a notification on the upper right corner :<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-5.png\")
<\/figure>\n\n\n\nAdditional information : Create multiple versions of a detection in Splunk Enterprise Security – Splunk Documentation<\/a><\/p>\n\n\n\n
Usage<\/h3>\n\n\n\n
After versioning is turned on, you can find additional information in the \u201cVersion\u201d column in the Content Management.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-7.png\")
<\/figure>\n\n\n\nNow if you edit a versioned detection, you will find additional options in the Edit page:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-10.png\")
<\/figure>\n\n\n\nOn the right in the Details panel, you get an ID for your detection (called
detection_id<\/code>) and versions panel on the bottom. The version in green is the activated one.
You now have the button called \u201cSave as new version\u201d instead of a simple \u201cSave\u201d button.
If you modify something on the rule, a new version appears after the saving :<\/p>\n\n\n\n![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-6.png\")
<\/figure>\n\n\n\nBy default, the new version has \u201cOff\u201d as Status.<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-11.png\")
<\/figure>\n\n\n\nIf you want to activate that version, you must click on that new version (the version appears at the end of the URL):<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-9.png\")
<\/figure>\n\n\n\nThen you must select \u201cOn\u201d at the bottom. It\u2019s activated immediately (no need to save).<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-8.png\")
<\/figure>\n\n\n\nThen the version is activated :<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-12.png\")
<\/figure>\n\n\n\nAt the upper right corner you get a notification indicating the new version is activated:<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-13.png\")
<\/figure>\n\n\n\nBack to Content Management, you can find, at the end of each detection rule that has a version, the Action menu that can show you the Version history in a new modal window :<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-14.png\")
<\/figure>\n\n\n\nThe modal window :<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.octamis.com\/octamis-blog\/wp-content\/uploads\/2025\/02\/image-15.png\")
<\/figure>\n\n\n\nUnfortunately, there is now way to view the differences between these versions : if you click “View”, you get to the Edit page of that detection version.<\/p>\n\n\n\n
<\/p>\n\n\n\n
Additional information<\/h4>\n\n\n\n
Versioning information is stored in multiple locations:<\/p>\n\n\n\n
- \n
- cms_metadata lookup <\/li>\n\n\n\n
- cms_main index <\/li>\n\n\n\n
- savedsearches.conf (see below) <\/li>\n\n\n\n
- content_versioning.conf <\/li>\n\n\n\n
- feature_flags.conf <\/li>\n\n\n\n
- content-version.conf<\/li>\n<\/ul>\n\n\n\n
These files are not currently documented on https:\/\/docs.splunk.com\/<\/a>, but you can find their spec files in the
SA-ContentVersioning\/README<\/code> app directory. Lets see what information these artifacts contain.<\/p>\n\n\n\n- \n
content_versioning.conf<\/code> : contains the[content_versioning]<\/code> stanza, referencing all allowed apps that are included in content versioning. Only ES and ESCU detection rules are referenced here. This parameter must be in JSON format.<\/li>\n\n\n\nfeature_flags.conf<\/code>: contains 2 parameters,versioning_activated<\/code> andversioning_init<\/code> but are not documented. The first one is related whether versioning is activated or not.<\/li>\n<\/ul>\n\n\n\nAdditionally, the savedsearches.conf file contains, for every detection, a specific parameter named “
action.correlationsearch.metadata<\/code>“, stored in JSON format and containing version information:<\/p>\n\n\n\naction.correlationsearch.metadata = {\"detection_id\": \"f235c3dd-26c5-405f-ac7b-671dff1f6640\", \"detection_version\": \"1\", \"minor_version\": 1, \"version\": \"1.1\", \"parent_detection_version\": \"\", \"app_version\": \"8.0.2\", \"source_id\": \"\", \"source_detection_name\": \"\", \"version_hash\": \"0b22f572fb8c44f7f21c1b385fed632308452031aa5cd81b6d478edf0c9a5307\", \"create_time\": 1738681838.650662, \"publish_time\": \"\", \"user\": \"\", \"notes\": \"[]\", \"deprecated\": 0, \"app_name\": \"SplunkEnterpriseSecuritySuite\", \"_key\": \"0b22f572fb8c44f7f21c1b385fed632308452031aa5cd81b6d478edf0c9a5307\"}<\/code><\/p>\n\n\n\nThe only way to get your own detection rules versioned with this version of ES is to put your rules in one of following allowed-apps :
DA-ESS-AccessProtection,DA-ESS-EndpointProtection,DA-ESS-IdentityManagement,DA-ESS-NetworkProtection,DA-ESS-ThreatIntelligence,SA-AccessProtection,SA-AuditAndDataProtection,SA-EndpointProtection,SA-IdentityManagement,SA-NetworkProtection,SA-ThreatIntelligence,SA-UEBA,SA-Utils<\/code> orSplunkEnterpriseSecuritySuite<\/code>.
Thedetection_id<\/code> in these metadata is created by the detection versioning feature. And version 1.1 of every rule is the original version of the detection when the feature is turned on.<\/p>\n\n\n\n<\/p>\n\n\n\n
Conclusion<\/h3>\n\n\n\n
I\u2019m pretty skeptical on this detection versioning feature on Splunk ES. I thought all detection rules would be eligible to be versioned, but it is restricted to specific apps. That\u2019s the first point.
And when you have a versioning tool, you guess that you can do\/view a simple diff between two versions of your detection rules.
So the fact that this feature exists now is a good thing. I\u2019m simply hoping that it will improve and simplify over time. The usage of lookup, index, specific and non-documented files and current restrictions (limited to ES\/ESCU apps, no deactivation from GUI, no diff, no built-in dashboard) lets the preference go to github\/lab\/ops<\/em> or Logcraft<\/a> to manage your detection rules.<\/p>\n\n\n\n- \n
- <\/li>\n\n\n\n
- <\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
Table of contents Splunk Enterprise Security v8.0.2 is out since January, 22nd. I will present to you a new feature introduced in this version: detection versioning. Long awaited, this functionality is interesting in several ways. First of all, in theory, you can avoid using Git or GitLab to keep versions of your detections, as it […]<\/p>\n","protected":false},"author":10,"featured_media":394,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[30,10,31],"_links":{"self":[{"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/posts\/359"}],"collection":[{"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/users\/10"}],"replies":[{"embeddable":true,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/comments?post=359"}],"version-history":[{"count":37,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/posts\/359\/revisions"}],"predecessor-version":[{"id":427,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/posts\/359\/revisions\/427"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/media\/394"}],"wp:attachment":[{"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/media?parent=359"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/categories?post=359"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.octamis.com\/octamis-blog\/wp-json\/wp\/v2\/tags?post=359"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
- Usage<\/strong>\n