Splunk® Enterprise Security

Install and Upgrade Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Share data in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

What data is collected

Splunk Enterprise Security collects the following basic usage information:

Name Description Example
app.session.enterprise-security.threat-topology
  • Report the number of users who have viewed the threat-topology visualization
  • Report the number of times users have rendered the threat-topology visualization 
{ [-]
   component: app.session.enterprise-security.threat-topology
   data: { [-]
     action: view
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: 538e4d34-0fbb-a4ea-05b4-0e50445823a1
   experienceID: 63a92645-5d53-91f4-15b5-c32c12aac41a
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669674829
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.mitre-matrix
  • Report the number of users who have viewed the mitre-matrix component
  • Report the number of times users have rendered the mitre-matrix component  
{ [-]
   component: app.session.enterprise-security.mitre-matrix
   data: { [-]
     action: view
     app: SplunkEnterpriseSecuritySuite
     page: incident_review
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
   experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669678343
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.session.enterprise-security.ba-enable-modal
  • Report the number of users who have viewed the mitre-matrix component
  • Report the number of times users have rendered the mitre-matrix component  
{ [-]
   component: app.session.enterprise-security.ba-enable-modal
   data: { [-]
     action: click
     app: SplunkEnterpriseSecuritySuite
     page: ess_home
     section: submit-ticket
   }
   deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
   eventID: de6b5a51-d15a-27de-6015-97c818a41757
   experienceID: 8ec2c25a-8edd-5438-95b7-ae009c1db2aa
   optInRequired: 3
   splunkVersion: 9.0.1
   timestamp: 1669756275
   userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
   version: 4
   visibility: anonymous,support
}
app.SplunkEnterpriseSecuritySuite.active_users Report the number of active users.
{
  "version": "1.0",
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "analyst_count": 0,
    "count": 1,
    "admin_count": 1,
    "user_count": 0
  }
}
app.SplunkEnterpriseSecuritySuite.annotations_usage Report the number of users that enable and start using annotations in correlation searches for the risk framework.
{
  "data": {
    "unique_annotation_count": 86,
    "unique_framework_count": 4,
    "searches_with_cis20": 200,
    "searches_with_kill_chain_phases": 176,
    "searches_with_mitre_attack": 119,
    "searches_with_nist": 199,
    "searches_with_annotations": 213
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.datamodel_
distribution
Performs a data model audit to determine which models are the most heavily used.
{
  "data": {
    "size": 2265088,
    "datamodel": "Change_Analysis",
    "perc": 49.33
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.feature_usage
  • Reports the amount of time it takes for a page to load.
  • Reports data about feature usage.
{
  "end": 1521483766,
  "begin": 1521396000,
  "version": "1.0",
  "data": {
    "count": 1,
    "avg_spent": 515,
    "view": "ess_home"
  }
}
app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population Reports which sourcetypes are populating data models and data sets.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population
   data: { [-]
     count: 3510
     dataset: Authentication
     model_name: Authentication
     sourcetype: XmlWinEventLog
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 9416AAD3-7DE3-4985-80E5-D8EACF7373AC
   executionID: 31D2B8E6-1679-4041-91A8-D9955A2B2544
   optInRequired: 3
   timestamp: 1662700871
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.identity_manager Reports statistics pertaining to the usage of the Assets and Identities Framework.
{
"data": { [-]
"asset_blacklist_count": 0,
"asset_count": 3,
"asset_custom_count": 1,
"asset_custom_fields": 0,
"asset_enabled_count": 1,
"asset_ldap_count": 0,
"asset_search_count": 0,
"identity_blacklist_count": 0,
"identity_count": 3,
"identity_custom_count": 0,
"identity_custom_fields": 0,
"identity_enabled_count": 2,
"identity_ldap_count": 0,
"identity_search_count": 0,
"total_blacklist_count": 0,
"total_count": 6,
"total_custom_count": 1,
"total_enabled_count": 3,
"total_ldap_count": 0,
"total_search_count": 0
},
"version": 1.0
}
app.SplunkEnterpriseSecuritySuite.investigation_information Report on the length of investigations in Splunk Enterprise Security.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     investigation_id: 3392852E-71F0-43DD-B826-F155BE830660
     name: TestInvestigation
     status_name: In Progress
     create_time: 1662700236
     status_time: 1662700236
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.lookup_usage Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries.
{
  "data": {
    "count": 0,
    "size": 22,
    "transform": "access_app_tracker"
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.notable_event_status_changes
  • Reports the efficacy of the detections.
  • Reports how long the notable events are in progress.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     time: {}
     event_id: DA-ESS-NetworkProtection
     search_name: Traffic - Traffic Over Time By Transport Protocol
     status_label: In Progress
     disposition_label: NA
     urgency: 0
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.macro_usage

Reports on how users use ESCU output filers for their content.

{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.macro_usage
   data: { [-]
     macro_name: wmi_permanent_event_subscription___sysmon_filter
     definition: search *
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.risk_event_information
  • Reports the specific searches that create risk events in customer environments.
  • Reports the annotations that create risk events.
  • Reports how risk scores are associated with annotations.
{
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.risk_event_information
   data: { [-]
     _time: 1662673793
     annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
     calculated_risk_score: 30
     risk_factor_add: 0
     risk_factor_mult: 1
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     risk_object_type: system
     risk_score: 30
     search_name: ESCU - WMI Recon Running Process Or Services - Rule
     orig_sourcetype: NA
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 51708359-68B8-40D8-A789-011C8544DA92
   executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
   optInRequired: 3
   timestamp: 1662702322
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.risk_notable_information
  • Reports the specific searches that create risk notables in customer environments.
  • Reports the risk events that create risk notables.
  • Reports how risk notables are associated with annotations.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.risk_notable_information
   data: { [-]
     _time: 1662596119
     annotations: {"mitre_attack": "T1587.003", "analytic_story": "Splunk Vulnerabilities", "cis20": ["CIS 16", "CIS 3", "CIS 5"], "kill_chain_phases": "Exploitation", "nist": "DE.CM", "context": "Source:Endpoint", "observable": "{\"name\":\"splunk_server\",\"role\":[\"Victim\"],\"type\":\"Hostname\"}"}
     event_id: 1D3F1BA5-1EDB-43DB-A9BA-92C62607E589@@notable@@56ceb57a41ca64f8960a7c1ae5eec67c
     notable_type: risk_event
     risk_object_type: system
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     hashed_all_risk_objects: ['62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368']
     risk_score: 1750
     risk_search: ESCU - Splunk Digital Certificates Infrastructure Version - Rule
     risk_event_count: 50
     search_name: Risk - 24 Hour Risk Threshold Exceeded - Rule
     security_domain: threat
     source_count: 1
     orig_sourcetype: NA
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 04FB2258-FDEA-47E3-AFFA-0ECACBE79A5F
   executionID: 33F085CD-98E3-433A-AF4C-716A85D952A8
   optInRequired: 3
   timestamp: 1662702627
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.ba_detections
  • Reports on which behavioral analytics detections are enabled in customer environments.
  • Reports on how customers are using the test and risk indexes.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.ba_detections
   data: { [-]
     name: Applications Spawning cmd.exe
     annotations: {"mitre_attack": ["T1106"]}
     enabled: 0
     useRiskIndex: 0
     version: 1.0
     id: e332f45a-e332f45a-e332f45a

   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.ba_test_information
  • Reports the behavioral analytics searches that create risk events in customer environments.
  • Reports the annotations that create behavioral analytics risk events.
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.ba_Test_information
   data: { [-]
     _time: 1662673793
     annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
     hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
     risk_object_type: system
     risk_score: 30
     search_name: ESCU - WMI Recon Running Process Or Services - Rule
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 51708359-68B8-40D8-A789-011C8544DA92
   executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
   optInRequired: 3
   timestamp: 1662702322
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.riskfactors_usage Reports how customers use the risk framework.
{
{ [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage
data: { [-]
fields_info: [ [-]
{"fields_used": "dest_priority", "count": 1}
{"fields_used": "user_category", "count": 2}
{"fields_used": "user_priority", "count": 2}
{"fields_used": "user_watchlist", "count": 1}
]
total: 5
}
deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f
eventID: AB7AC804-8711-459C-A649-0A2DD8962299
executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036
optInRequired: 3
timestamp: 1603825511
type: aggregate
visibility: [ [+]
]
}
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact Reports how the customers engage with risk framework.
{ [-]
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact
data: { [-]
distinct_risk_object_count: 2
max_calc_risk_score: 100
max_risk_factor_add_matches: 0
max_risk_factor_mult_matches: 1
max_risk_score: 100
min_calc_risk_score: 100
min_risk_factor_add_matches: 0
min_risk_factor_mult_matches: 1
min_risk_score: 100
risk_factor_add_matches: 0
risk_factor_mult_matches: 0
risk_object_type: system
}
deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8
eventID: 84949E43-2964-43CC-AA04-50F2C4082674
executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC
optInRequired: 3
timestamp: 1603851828
type: aggregate
visibility: [ [+]
]
}
app.SplunkEnterpriseSecuritySuite.saved_search_information
  1. Reports what searches are enabled in customer environments.
  2. Reports the desired outcome of the search.
  3. Reports the use of SPL
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.saved_search_information
   data: { [-]
     annotations: {}
     app_name: DA-ESS-NetworkProtection
     creates_notable: 0
     creates_risk: 0
     uses_suppression: 0
     description:
     disabled: 0
     search: | `tstats` count from datamodel=Network_Traffic.All_Traffic by _time,All_Traffic.transport span=10m | timechart minspan=10m useother=`useother` count by All_Traffic.transport | `drop_dm_object_name("All_Traffic")`
     search_name: Traffic - Traffic Over Time By Transport Protocol
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 3392852E-71F0-43DD-B826-F155BE830660
   executionID: D35401ED-3320-4F4B-8542-BC1068F93454
   optInRequired: 3
   timestamp: 1662700236
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
}
app.SplunkEnterpriseSecuritySuite.search_actions Reports what was searched for.
{
  "data": {
    "total_scheduled": 70,
    "action": "output_message",
    "is_adaptive_response": 1,
    "count": 6
  },
  "version": "1.0"
}
app.SplunkEnterpriseSecuritySuite.search_execution Reports average run time by search to help gauge performance.
{
  "end": 1521483766,
  "begin": 1521396000,
  "data": {
    "avg_run_time": 0.75,
    "count": 2,
    "search_alias": "Access - Authentication Tracker - Lookup Gen"
  },
  "version": "1.0",
}
data.context Reports how many times a given workbench panel was used and the distribution of fields drilled into from workflow actions.
{ 
   component: app.session.rum.mark
   data: { 
     app: SplunkEnterpriseSecuritySuite
     context: { 
       field: lokloklok
       panels: [ 
         f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
         f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
         a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c
       ]
     }
     hero: embedded workbench panel page
     page: ess_workbench_panel
     sourceLocation: controller mounted
     timeSinceOrigin: 17539.599999785423
     transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff
   }
   deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3
   eventID: 19c90580-816d-2dc5-13a8-5af783596253
   experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab
   optInRequired: 3
   timestamp: 1587588081
   userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb
   version: 3
   visibility: anonymous,support
}
app.SplunkEnterpriseSecuritySuite.splunk_apps Reports what apps are installed along with Splunk Enterprise Security
{ [-]
   app: SplunkEnterpriseSecuritySuite
   component: app.SplunkEnterpriseSecuritySuite.splunk_apps
   data: { [-]
     app_label: Splunk Add-on for UEBA
     app_name: Splunk_TA_ueba
     version: 3.1.0
   }
   deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
   eventID: 74F06225-D7EA-4EA8-B097-847679513164
   executionID: 9614FCEF-ACD0-42D7-9B26-3FAFC7DF28E9
   optInRequired: 3
   timestamp: 1662701117
   type: event
   userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
   visibility: [ [+]
   ]
app.session.rum.measure Reports performance metrics around API calls.
{ [-]
   component: app.session.rum.mark
   data: { [-]
     app: SplunkEnterpriseSecuritySuite
     context: { [-]
     }
     hero: data/transforms/managed_lookups
     page: ess_content_management_new
     sourceLocation: { [-]
       size: 234962 bytes
       status: 200
       success: true
     }
     timeSinceOrigin: 13765.400000035763
     transactionId: 9db527a0-f349-11ec-ba71-d51f5aafc42d
   }
   deploymentID: 9aa97b42-ff6d-5381-b1d3-a80ad934fbce
   eventID: cde8c736-b7f9-0c84-8d34-0d8d3f99bf3e
   experienceID: d0a6bfc4-4c5e-00f0-a302-b9a38ae05590
   optInRequired: 3
   splunkVersion: 8.2.2201
   timestamp: 1656025808
   userID: 923d6d128a7f8bfbb1950cc0be471b9251b0209477ad236e91f31debddd99699
   version: 4
   visibility: anonymous,support
}
Last modified on 28 July, 2023
About Splunk Enterprise Security   Deployment planning

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters