Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster Analysis, and New Investigation Tools

obroit
Splunk Employee

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify and accelerate detection engineering, triage and investigation. This release is part of our commitment to deliver critical updates more regularly to combat the fast-moving threat landscape.  

Get results faster with the Analyst Queue 

When defenders open the Analyst Queue, they want to see the most critical threats first. This release adds new capabilities and behind‑the‑scenes improvements to help quickly identify what matters and keep key context at their fingertips. 

  • Entity Risk Score — Scores are now normalized to a 0–100 scale and weighted by multiple factors such as severity, uniqueness, and frequency. Risky activity is aggregated over time and noise is reduced, so critical threats are easier to spot. 
  • Pinned Fields — Keep key data points fixed in view in the Analyst Queue sidebar and Investigations, so that they can be referred to instantly while reviewing other information in the Finding. 
  • Performance improvements under the hood — Optimizations to search scheduling and data retrieval help the Analyst Queue load faster and reduce delays in displaying newly ingested Findings, keeping investigations moving smoothly. 

Simplify Investigations with AI Assistant (Cloud Only, Controlled Availability) 

The AI Assistant in Security helps speed up investigations by using natural language to create SPL searches, summarize findings, and produce ready‑to‑share reports. 

With the AI Assistant, analysts can: 

  • Write SPL just by describing what you want to find. 
  • Summarize Findings and Investigations in plain language. 
  • Create investigation reports in minutes. 
  • Get suggested remediation steps and next actions. 

This helps reduce escalation to senior analysts and allows junior analysts to work more independently. 

Build, Test, and Deploy Effective Detections Faster 

Creating effective detections takes time, and small mistakes can cause false positives, missed threats, or wasted analyst effort. ES now gives SOC teams more control over how detections are built and validated directly within the product so they can deploy detections with confidence. 

Security teams can now (in Beta): 

  • Preview and test detections in ES before enabling them — Quickly evaluate and fine‑tune detections, review previous versions, and minimize noise to avoid disrupting workflows. 
  • Track changes with improved audit history — know exactly when a detection was enabled or disabled, and by whom. 

Check out the demo here! 

As our team continues to enhance Finding-based Detections (in Beta), we want to ensure that users have a more customizable experience. These detections group related security events (Findings) into “Finding Groups” to simplify reviews and deliver more embedded context. These updates include: 

  • “Lookback” grouping — A configurable lookback time range automatically groups recent Findings into an initial “lookback” Finding Group, so that detection engineers can test and validate that the grouping criteria are working as expected. 
  • Improved thresholds and overlap handling — Smoother detection boundaries eliminate gaps when Finding Groups transition between time windows. Granular settings let detection engineers customize grouping thresholds and enable selective Finding Group reopening, so related detections keep being grouped beyond the default time windows and investigative context is preserved. 
  • Flexible Finding Group reopening at the detection level — When a Finding Group closes after reaching the end of its time window, it can now automatically reopen when new malicious activity is detected, keeping threat correlation continuous and preventing coverage gaps. 
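To make the time-window behaviour described above concrete, here is an added illustrative model of windowed grouping with a lookback range and reopen-on-new-activity. It is example code written for this post, not Splunk's Finding Group implementation; the window length, lookback range, and sample Findings are all assumed.

```python
from dataclasses import dataclass, field


@dataclass
class FindingGroup:
    """A simplified stand-in for a Finding Group: one per entity, with open/close state."""
    entity: str
    opened_at: int
    last_seen: int
    findings: list = field(default_factory=list)
    closed: bool = False
    reopened: int = 0  # how many times new activity reopened a closed group


def group_findings(findings, window, now, lookback=None, allow_reopen=True):
    """Group (timestamp, entity, finding_name) tuples per entity.

    A group closes when more than `window` seconds pass without a new Finding.
    With allow_reopen=True a later Finding reopens the closed group; otherwise a
    fresh group is started. If `lookback` is set, only Findings newer than
    now - lookback are considered (the initial "lookback" group). Illustrative only.
    """
    start = now - lookback if lookback is not None else None
    groups, latest = [], {}  # latest: entity -> its most recent group
    for ts, entity, name in sorted(findings):
        if start is not None and ts < start:
            continue  # outside the configured lookback range
        g = latest.get(entity)
        if g is not None and not g.closed and ts - g.last_seen > window:
            g.closed = True  # time window elapsed since the last Finding
        if g is None or (g.closed and not allow_reopen):
            g = FindingGroup(entity=entity, opened_at=ts, last_seen=ts)
            groups.append(g)
            latest[entity] = g
        elif g.closed:
            g.closed = False  # new activity reopens the group
            g.reopened += 1
        g.findings.append(name)
        g.last_seen = ts
    for g in groups:  # close anything whose window has elapsed as of `now`
        if now - g.last_seen > window:
            g.closed = True
    return groups


# Constructed sample Findings: (timestamp in seconds, entity, finding name)
SAMPLE = [
    (0, "host-a", "suspicious_powershell"),
    (600, "host-a", "new_service_installed"),
    (5000, "host-a", "outbound_c2_beacon"),  # arrives after host-a's 1h window lapsed
    (100, "user-b", "impossible_travel"),
]
```

With a 3600-second window and `now=6000`, host-a's group closes after the 600-second Finding and is reopened by the 5000-second one, while user-b's group simply closes; with `allow_reopen=False` host-a gets two separate groups instead.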

Shape the Future of Detection Engineering — Join the Detection Studio Alpha Program 

We’re inviting customers to participate in the Alpha Program for Detection Studio! 

As a capability of ES, Detection Studio provides the complete detection lifecycle experience, enabling detection engineers to seamlessly plan, develop, test, deploy, and monitor detections. With Detection Studio, detection engineers gain confidence in detection deployment and achieve a faster mean time to detect. 

Want to join the effort to deliver significantly better detection engineering? Sign up here! 

Extending UEBA to support on-prem deployments (ES Premier required) 

Additionally, UEBA — now available on both Splunk Cloud and on‑premises deployments (ES Premier required) — is a major step forward from the older UBA product. Splunk UBA required its own standalone server to run, and forced analysts to switch between it and ES during investigations. UEBA is natively integrated into ES Premier and expands coverage to monitor both users and entities such as devices and hosts. This integration means no context switching between products, no separate server to maintain (saving time, money, and operational effort) and faster access to the insights you need. It also features a redesigned detection engine for stronger, more adaptive analytics that surface threats older approaches might miss. 

UEBA continuously learns baseline behaviors and adapts automatically over time, accounting for seasonal, role‑based, or operational patterns. This adaptive approach reduces false positives while keeping focus on anomalies that truly matter. 

With UEBA, analysts can: 

  • Detect zero‑day attacks, insider threats, and compromised accounts by spotting behavioral deviations at the user or entity level. 
  • Prioritize investigation targets with views of top risky users and assets, risk score trends over time, and MITRE ATT&CK heatmaps showing related tactics and techniques. 
  • Use and customize pre‑built detection models for threats like insider activity, credential compromise, and data exfiltration. 
  • Quickly gather context with entity detail and connection views that link identity attributes (role, department) to asset details (location, device type, criticality) and map related activity. 

By combining statistical, rules‑based, and machine learning models — both supervised and unsupervised — UEBA adds context, improves coverage, and helps analysts act quickly when unusual behavior occurs. 

See it in action here! 

Upgrade Today 

With ES 7.3 approaching its End of Support, upgrading to ES Essentials 8.3 ensures you can take advantage of all the new workflow improvements and new capabilities discussed today. For detailed upgrade information, please check out our latest Tech Talk, and the Upgrade Guide! 


Happy Splunking! 
— The Splunk ES Team 
