When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.
How data is collected
Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background whether or not you opt in to sending usage data to Splunk, and they have no significant impact on performance.
What data is collected
Splunk Enterprise Security collects the following basic usage information:
Name | Description | Example |
---|---|---|
app.session.enterprise-security.threat-topology | | { component: app.session.enterprise-security.threat-topology data: { action: view app: SplunkEnterpriseSecuritySuite page: incident_review } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: 538e4d34-0fbb-a4ea-05b4-0e50445823a1 experienceID: 63a92645-5d53-91f4-15b5-c32c12aac41a optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669674829 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support } |
app.session.enterprise-security.mitre-matrix | | { component: app.session.enterprise-security.mitre-matrix data: { action: view app: SplunkEnterpriseSecuritySuite page: incident_review } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367 experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669678343 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support } |
app.session.enterprise-security.ba-enable-modal | | { component: app.session.enterprise-security.ba-enable-modal data: { action: click app: SplunkEnterpriseSecuritySuite page: ess_home section: submit-ticket } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: de6b5a51-d15a-27de-6015-97c818a41757 experienceID: 8ec2c25a-8edd-5438-95b7-ae009c1db2aa optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669756275 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support } |
app.SplunkEnterpriseSecuritySuite.active_users | Reports the number of active users. | { "version": "1.0", "end": 1521483766, "begin": 1521396000, "data": { "analyst_count": 0, "count": 1, "admin_count": 1, "user_count": 0 } } |
app.SplunkEnterpriseSecuritySuite.annotations_usage | Reports the number of users that enable and start using annotations in correlation searches for the risk framework. | { "data": { "unique_annotation_count": 86, "unique_framework_count": 4, "searches_with_cis20": 200, "searches_with_kill_chain_phases": 176, "searches_with_mitre_attack": 119, "searches_with_nist": 199, "searches_with_annotations": 213 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.datamodel_ | Performs a data model audit to determine which models are the most heavily used. | { "data": { "size": 2265088, "datamodel": "Change_Analysis", "perc": 49.33 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.feature_usage | | { "end": 1521483766, "begin": 1521396000, "version": "1.0", "data": { "count": 1, "avg_spent": 515, "view": "ess_home" } } |
app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population | Reports which sourcetypes are populating data models and data sets. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population data: { count: 3510 dataset: Authentication model_name: Authentication sourcetype: XmlWinEventLog } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 9416AAD3-7DE3-4985-80E5-D8EACF7373AC executionID: 31D2B8E6-1679-4041-91A8-D9955A2B2544 optInRequired: 3 timestamp: 1662700871 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.identity_manager | Reports statistics pertaining to the usage of the Assets and Identities Framework. | { "data": { "asset_blacklist_count": 0, "asset_count": 3, "asset_custom_count": 1, "asset_custom_fields": 0, "asset_enabled_count": 1, "asset_ldap_count": 0, "asset_search_count": 0, "identity_blacklist_count": 0, "identity_count": 3, "identity_custom_count": 0, "identity_custom_fields": 0, "identity_enabled_count": 2, "identity_ldap_count": 0, "identity_search_count": 0, "total_blacklist_count": 0, "total_count": 6, "total_custom_count": 1, "total_enabled_count": 3, "total_ldap_count": 0, "total_search_count": 0 }, "version": 1.0 } |
app.SplunkEnterpriseSecuritySuite.investigation_information | Reports on the length of investigations in Splunk Enterprise Security. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { investigation_id: 3392852E-71F0-43DD-B826-F155BE830660 name: TestInvestigation status_name: In Progress create_time: 1662700236 status_time: 1662700236 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.lookup_usage | Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. | { "data": { "count": 0, "size": 22, "transform": "access_app_tracker" }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.notable_event_status_changes | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { time: {} event_id: DA-ESS-NetworkProtection search_name: Traffic - Traffic Over Time By Transport Protocol status_label: In Progress disposition_label: NA urgency: 0 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.macro_usage | Reports on how users use ESCU output filters for their content. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.macro_usage data: { macro_name: wmi_permanent_event_subscription___sysmon_filter definition: search * } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.risk_event_information | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_event_information data: { _time: 1662673793 annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]} calculated_risk_score: 30 risk_factor_add: 0 risk_factor_mult: 1 hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 risk_object_type: system risk_score: 30 search_name: ESCU - WMI Recon Running Process Or Services - Rule orig_sourcetype: NA } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 51708359-68B8-40D8-A789-011C8544DA92 executionID: A11AB986-2A75-406D-8405-A65D6D83AADE optInRequired: 3 timestamp: 1662702322 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.risk_notable_information | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_notable_information data: { _time: 1662596119 annotations: {"mitre_attack": "T1587.003", "analytic_story": "Splunk Vulnerabilities", "cis20": ["CIS 16", "CIS 3", "CIS 5"], "kill_chain_phases": "Exploitation", "nist": "DE.CM", "context": "Source:Endpoint", "observable": "{\"name\":\"splunk_server\",\"role\":[\"Victim\"],\"type\":\"Hostname\"}"} event_id: 1D3F1BA5-1EDB-43DB-A9BA-92C62607E589@@notable@@56ceb57a41ca64f8960a7c1ae5eec67c notable_type: risk_event risk_object_type: system hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_all_risk_objects: ['62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368'] risk_score: 1750 risk_search: ESCU - Splunk Digital Certificates Infrastructure Version - Rule risk_event_count: 50 search_name: Risk - 24 Hour Risk Threshold Exceeded - Rule security_domain: threat source_count: 1 orig_sourcetype: NA } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 04FB2258-FDEA-47E3-AFFA-0ECACBE79A5F executionID: 33F085CD-98E3-433A-AF4C-716A85D952A8 optInRequired: 3 timestamp: 1662702627 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.ba_detections | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.ba_detections data: { name: Applications Spawning cmd.exe annotations: {"mitre_attack": ["T1106"]} enabled: 0 useRiskIndex: 0 version: 1.0 id: e332f45a-e332f45a-e332f45a } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.ba_test_information | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.ba_Test_information data: { _time: 1662673793 annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]} hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 risk_object_type: system risk_score: 30 search_name: ESCU - WMI Recon Running Process Or Services - Rule } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 51708359-68B8-40D8-A789-011C8544DA92 executionID: A11AB986-2A75-406D-8405-A65D6D83AADE optInRequired: 3 timestamp: 1662702322 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.riskfactors_usage | Reports how customers use the risk framework. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage data: { fields_info: [ {"fields_used": "dest_priority", "count": 1} {"fields_used": "user_category", "count": 2} {"fields_used": "user_priority", "count": 2} {"fields_used": "user_watchlist", "count": 1} ] total: 5 } deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f eventID: AB7AC804-8711-459C-A649-0A2DD8962299 executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036 optInRequired: 3 timestamp: 1603825511 type: aggregate visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact | Reports how customers engage with the risk framework. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact data: { distinct_risk_object_count: 2 max_calc_risk_score: 100 max_risk_factor_add_matches: 0 max_risk_factor_mult_matches: 1 max_risk_score: 100 min_calc_risk_score: 100 min_risk_factor_add_matches: 0 min_risk_factor_mult_matches: 1 min_risk_score: 100 risk_factor_add_matches: 0 risk_factor_mult_matches: 0 risk_object_type: system } deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8 eventID: 84949E43-2964-43CC-AA04-50F2C4082674 executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC optInRequired: 3 timestamp: 1603851828 type: aggregate visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.saved_search_information | | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { annotations: {} app_name: DA-ESS-NetworkProtection creates_notable: 0 creates_risk: 0 uses_suppression: 0 description: disabled: 0 search: \| `tstats` count from datamodel=Network_Traffic.All_Traffic by _time,All_Traffic.transport span=10m \| timechart minspan=10m useother=`useother` count by All_Traffic.transport \| `drop_dm_object_name("All_Traffic")` search_name: Traffic - Traffic Over Time By Transport Protocol } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.SplunkEnterpriseSecuritySuite.search_actions | Reports what was searched for. | { "data": { "total_scheduled": 70, "action": "output_message", "is_adaptive_response": 1, "count": 6 }, "version": "1.0" } |
app.SplunkEnterpriseSecuritySuite.search_execution | Reports average run time by search to help gauge performance. | { "end": 1521483766, "begin": 1521396000, "data": { "avg_run_time": 0.75, "count": 2, "search_alias": "Access - Authentication Tracker - Lookup Gen" }, "version": "1.0" } |
data.context | Reports how many times a given workbench panel was used and the distribution of fields drilled into from workflow actions. | { component: app.session.rum.mark data: { app: SplunkEnterpriseSecuritySuite context: { field: lokloklok panels: [ f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c ] } hero: embedded workbench panel page page: ess_workbench_panel sourceLocation: controller mounted timeSinceOrigin: 17539.599999785423 transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff } deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3 eventID: 19c90580-816d-2dc5-13a8-5af783596253 experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab optInRequired: 3 timestamp: 1587588081 userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb version: 3 visibility: anonymous,support } |
app.SplunkEnterpriseSecuritySuite.splunk_apps | Reports which apps are installed along with Splunk Enterprise Security. | { app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.splunk_apps data: { app_label: Splunk Add-on for UEBA app_name: Splunk_TA_ueba version: 3.1.0 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 74F06225-D7EA-4EA8-B097-847679513164 executionID: 9614FCEF-ACD0-42D7-9B26-3FAFC7DF28E9 optInRequired: 3 timestamp: 1662701117 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ ... ] } |
app.session.rum.measure | Reports performance metrics around API calls. | { component: app.session.rum.mark data: { app: SplunkEnterpriseSecuritySuite context: { } hero: data/transforms/managed_lookups page: ess_content_management_new sourceLocation: { size: 234962 bytes status: 200 success: true } timeSinceOrigin: 13765.400000035763 transactionId: 9db527a0-f349-11ec-ba71-d51f5aafc42d } deploymentID: 9aa97b42-ff6d-5381-b1d3-a80ad934fbce eventID: cde8c736-b7f9-0c84-8d34-0d8d3f99bf3e experienceID: d0a6bfc4-4c5e-00f0-a302-b9a38ae05590 optInRequired: 3 splunkVersion: 8.2.2201 timestamp: 1656025808 userID: 923d6d128a7f8bfbb1950cc0be471b9251b0209477ad236e91f31debddd99699 version: 4 visibility: anonymous,support } |
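The example records above show two kinds of values side by side: identifiers such as userID and hashed_risk_object are SHA-256 digests, while fields such as search_name, macro definitions and annotations are sent as plain text. The following added script is not part of Splunk's product or documentation; it walks a record of that shape and labels each field so a team reviewing the opt-in decision can list which payload fields leave the deployment verbatim. SAMPLE_EVENT, its digests and its UUID are constructed for this example.

```python
import hashlib
import re
# Anonymised value shapes seen in the table: SHA-256 hex digests (userID,
# hashed_risk_object) and UUID-style random IDs (deploymentID, eventID, ...).
SHA256_HEX = re.compile(r"^[0-9a-f]{64}$", re.I)
UUID_LIKE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def classify_value(value):
    """Label one leaf value: hashed, opaque_id, numeric, free_text or other."""
    if isinstance(value, (bool, int, float)):
        return "numeric"
    if not isinstance(value, str):
        return "other"
    if SHA256_HEX.match(value):
        return "hashed"
    return "opaque_id" if UUID_LIKE.match(value) else "free_text"

def audit_event(event):
    """Flatten a telemetry record into {dotted.field.path: label}."""
    report = {}
    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, path + [key])
        elif isinstance(node, list):
            for idx, child in enumerate(node):
                walk(child, path + [str(idx)])
        else:
            report[".".join(path)] = classify_value(node)
    walk(event, [])
    return report

def free_text_payload_fields(event):
    """Fields under 'data' that leave the deployment verbatim rather than hashed."""
    return sorted(path for path, label in audit_event(event).items()
                  if path.startswith("data.") and label == "free_text")

# Constructed sample modelled on the risk_event_information record in the table;
# the digests and the UUID are made up here, not copied from any deployment.
SAMPLE_EVENT = {
    "data": {
        "annotations": {"mitre_attack": ["T1592"], "confidence": 100},
        "hashed_risk_object": hashlib.sha256(b"host01.example.internal").hexdigest(),
        "risk_score": 30,
        "search_name": "ESCU - WMI Recon Running Process Or Services - Rule",
    },
    "deploymentID": "00000000-0000-4000-8000-000000000001",
    "userID": hashlib.sha256(b"analyst@example.internal").hexdigest(),
}
```

Running free_text_payload_fields over a real record exported from your own search head gives the list of plain-text payload fields for that event type, which is the input a privacy review needs.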
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2