When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.
How data is collected
Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.
What data is collected
Splunk Enterprise Security version 8.0 collects the following basic usage information:
For information on telemetry information collected by Splunk Mission Control, see Share Splunk Mission Control data usage in Splunk Enterprise Security.
For information on telemetry information collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).
Name | Description | Example |
---|---|---|
app.SplunkEnterpriseSecuritySuite
|
Reports on the name of the dispositions. | data: { [-] action: test2 app: SplunkEnterpriseSecuritySuite page: ess_incident_review_configuration section: disposition } |
|
Reports on the following information from the Analyst queue.
|
aqSidePanelOpened - opening a finding or investigation in the side panel data:{[-] id:15a31804-400d-414a-9bae-5bebd86255cf } aqSidePanelClosed - closing the side panel no additional data fields collected. aqSidePanelBackNextNavigation - using back or next navigation in side panel data:{[-] direction:back } aqSidePanelStartInvestigation - start an investigation from a finding via "Start investigation" button data:{[-] id:15a31804-400d-414a-9bae-5bebd86255cf } aqSidePanelUpdateMetadata - update metadata (dropdown fields) of a finding or investigation from the side panel data:{[-] id:15a31804-400d-414a-9bae-5bebd86255cf field:urgency value:High } splSearchDoneSuccess - tracks execution time for SPL searches { action:'searchExecution.finished', searchMacro:params?.search||'', executionTime, } splRessultsSuccess - tracks time till results from splSearchDoneSuccess has a response { action: 'searchResults.load', searchMacro: params?.search || '', executionTime, } splResultsError - tracks error if no results are found as well as execution time { action: 'searchResults.error', searchMacro: params?.search || '', executionTime, } incidentReviewPollingPaused - tracks the incident list polling when it becomes paused. { action: 'incidentList.polling.paused' } incidentReviewPollingUnpaused - tracks the incident list polling when it becomes unpaused. { action: 'incidentList.polling.unpaused' } threat-topology - tracks the threat-topology tab click to indicate it has been viewed { action: 'view', } drilldown-search - tracks the drilldown search expansion link being clicked { action: 'click', section: 'ir-expansion-link', } Event_Delete - Delete Event for incident {"event_count": -1} |
app.session.MissionControl.filterClick
|
Reports on information when filtering the Analyst queue such as updating a filter, applying a filter, or clearing a filter. | data: { [-] action: filterIncidentReviewTabl-e.click } |
app.session.MissionControl.soarRedirectError
|
Reports when pairing with SOAR. | soarRedirectError - tracks redirection error during handshake { fetchJWTError, missingSoarHost: !!data && !soarHost, missingSoarToken: !!data && !soarToken, } soarRedirect - tracks when SOAR becomes redirected { nextPage: redirectURL.split('?')[0] } |
app.session.enterprise-security.turn-on-versioning-feature
|
Reports when detection versioning is turned on. | { [-] component: app.session.enterprise-security.turn-on-versioning-feature data: ( [+] } deploymentID: ece11b7b-152c-551-9615-6b88319deded eventID: 23ac34e8-504a-78a1-9778-df50888f6461 experienceID: 78ed95c7-ea3e-4b93-1c4f-9f48f6962065 optInRequired: 3 original_event_id: 24d9888d1bdfdb05e6beee8f13208a434300162302a88c68cddd7def7f0b630 original_timestamp: 1720808246 splunkVersion: 9.2.1 timestamp: 1720808246 userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e version: 4 visibility: anonymous } |
app.session.enterprise-security.change-detection-status
|
Reports when any version of the detection is turned on or turned off. | { [-] component: app.session.enterprise-security.change-detection-status data: { [-] action: on app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection deploymentID: ece11b7b-152c-55e1-9615-6b88319deded eventID: 40c0450e-181f-13cc-92d4-f0f1fcbd3f0c experienceID: 415c2b23-a769-6ce6-bfb7-d8599e34ec4c optInRequired: 3 original_event_id: 1a4cd5afd0edb67a0c9e19d319776fdebd5c2760742be2156124149811cd6703 original_timestamp: 1721077418 splunkVersion: 9.2.1 timestamp: 1721077418 userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e version: 4 visibility: anonymous } |
app.session.enterprise-security.click-clone-detection
|
Reports when cloning a detection. | { [-] component: app.session.enterprise-security.click-clone-detection data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection deploymentID: ece11b7b-152c-55e1-9615-6b88319deded eventID: 08e15867-18ea-4e84-7770-806b0ee6fc05 experienceID: 116b0f1d-63fd-682a-de59-384a11c4295c optInRequired: 3 original_event_id: 3ad9fad94205829ba21adf632a8d2c4e2665f5a5c3be5797208eca50782e85b2 original_timestamp: 1721323830 splunkVersion: 9.2.1 timestamp: 1721323830 userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e version: 4 visibility: anonymous } |
app.session.enterprise-security.clone-detection
|
Reports when cloning a detection is completed. | component: app.session.enterprise-security.clone-detection data: { [-] action: cloned app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection deploymentID: ece11b7b-152c-55e1-9615-6b88319deded eventID: 265814b6-1738-074c-f496-f9aea50d6f81 experienceID: 116b0f1d-63fd-682a-de59-384a11c4295c opt InRequired: 3 original_event_id: c864d57f553df0e3bfd409153b92ab1c8a0543d579a76e81f333586ac179eeb7 original_timestamp: 1721323842 splunkVersion: 9.2.1 timestamp: 1721323842 userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e version: 4 visibility: anonymous } |
app.session.enterprise-security.save-detection
|
Reports when a new version of a detection is saved. | { [-] component: app.session.enterprise-security.save-detection data: { [-] action: save app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection } deploymentID: ece11b7b-152c-551-9615-6b88319deded eventID: 2083c707-88a0-2e50-3e50-f6479bdc81df experienceID: 169f32dd-a05c-9b86-de66-c2fe6e62d238 optInRequired: 3 original_event_id: 315c44b4e192ba411f0d643ad168b7bea1743cd75e5a4b23148335f628fa4bcd original_timestamp: 1721423295 splunkVersion: 9.2.1 timestamp: 1721423295 userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e version: 4 visibility: anonymous } |
app.session.MissionControl.imSubscription
|
Reports on the intelligence management configuration and and checks if the user is subscribed. | imSubscription { subscribed: 0 or 1 } |
|
|
imcorrelationsearchstatus data: { [-] app: SplunkEnterpriseSecuritySuite csearch_label: _TW_Threat Activity Detected csearch_name: Threat - _TW_Threat Activity Detected - Rule description: Alerts when any activity matching threat intelligence is detected. disabled: 0 is_scheduled: 1 schedule: 10 * * * * security_domain: threat } imparsemodinputstatus data: { [-] parse_mod_disabled: 0 } imretrievemodinputstatus data: { [-] retrieve_mod_disabled: 0 } |
|
|
responseTemplateSearchCount { name:hashString(responseData.name), status:responseData.template_status, count:getSearchCount(responseData), } responsePlanSearchClicked { responseName: hashString(responseName), spl: hashString(spl), } responsePlanAddTaskError { errorType: telemetryEvents.RESPONSE_PLAN_ADD_ADHOC_TASK_ERROR, errorMessage: apiErrorMessage, payload: requestPayload, } JSONSyntaxError - tracks the JSON Syntax error { errorType: JSONSyntaxError } |
app.session.MissionControl.fileUploadTooBigError
|
Reports on the error messages if the size of the uploaded file exceeds a threshold. | data: { [-] errorMessage: error } |
Glossary | Credits |
This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.0, 8.0.1
Feedback submitted, thanks!