Splunk® Enterprise Security

Release Notes

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, so some links return redirect errors. To resolve redirect errors, use the version selector on the ES documentation homepage to navigate between the versions.

Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether you opt in to send usage data to Splunk, and they do not have any significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user journey information, with users' personally identifiable information redacted.

What data is collected

For more information on the telemetry data collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Splunk Enterprise Security version 8.1 collects the following basic usage information:

Name of telemetry event Search used to isolate results Results
drilldown-dashboard index=prod_analytics_entcloud "drilldown-dashboard" { action: click, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.drilldown-dashboard, name: drilldown-dashboard, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir-expansion-link, sessionID: ..., type: event }
risk_events_table index=prod_analytics_entcloud "risk_events_table" { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk_events_table, name: risk_events_table, page: incident_review, pathname: ..., sessionID: ..., type: event }
risk-timeline index=prod_analytics_entcloud "risk-timeline" { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk-timeline, name: risk-timeline, page: incident_review, pathname: ..., sessionID: ..., type: event }
threat-topology index=prod_analytics_entcloud "threat-topology" { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.threat-topology, name: threat-topology, page: incident_review, pathname: ..., sessionID: ..., type: event }
responseTemplateAppliedByType index=prod_analytics_entcloud "*responseTemplateAppliedByType" { app: SplunkEnterpriseSecuritySuite, incidentType: automation, page: incident_review, pathname: ..., sessionID: ..., type: event }
riskEventTimelineViewed index=prod_analytics_entcloud "*riskEventTimelineViewed" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.riskEventTimelineViewed, eventType: user, score: ..., sessionID: ..., type: event }
aqSidePanelOpened index=prod_analytics_entcloud "*aqSidePanelOpened" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelOpened, id: ..., sessionID: ..., type: event }
aqSidePanelClosed index=prod_analytics_entcloud "*aqSidePanelClosed" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelClosed, action: close, sessionID: ..., type: event }
imSubscription index=prod_analytics_entcloud "*imSubscription" data.appName="MissionControl" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.imSubscription, subscribed: false, sessionID: ..., type: event }
feedbackProvided index=prod_analytics_entcloud "feedbackProvided" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, messageId: ..., feedback: {...}, sessionID: ..., type: event }
messageSent index=prod_analytics_entcloud "messageSent" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, message: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked index=prod_analytics_entcloud "runSPLClicked" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, sessionID: ..., threadId: ..., type: event }
splExecutedWithResults index=prod_analytics_entcloud "splExecutedWithResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, resultsCount: 42, sessionID: ..., threadId: ..., type: event }
splExecutedWithNoResults index=prod_analytics_entcloud "splExecutedWithNoResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, sessionID: ..., threadId: ..., type: event }
splExecutionFailed index=prod_analytics_entcloud "splExecutionFailed" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, sessionID: ..., threadId: ..., type: event }
responseReceived index=prod_analytics_entcloud "responseReceived" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, aiResponse: ..., sessionID: ..., type: event }
newChatStarted index=prod_analytics_entcloud "newChatStarted" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., sessionID: ..., type: event }
threadCreated index=prod_analytics_entcloud "threadCreated" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., threadId: ..., sessionID: ..., type: event }
ir-analyst-workflow index=prod_analytics_entcloud "ir-analyst-workflow" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, page: incident_review, section: ir_views_panel, sessionID: ..., type: event }
filter-dropdown-ueba-app index=prod_analytics_entcloud "filter-dropdown-ueba-app" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: ..., selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection index=prod_analytics_entcloud "save-detection" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, section: event_based_detection, sessionID: ..., type: event }
threat-topology index=prod_analytics_entcloud "threat-topology" { app: SplunkEnterpriseSecuritySuite, page: incident_review, sessionID: ..., type: event }
disposition-required index=prod_analytics_entcloud "disposition-required" { app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create index=prod_analytics_entcloud "disposition-create" { app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline index=prod_analytics_entcloud "ir-event-timeline" { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status index=prod_analytics_entcloud "diff-view-status" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
change-default-app index=prod_analytics_entcloud "change-default-app" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: ..., sessionID: ..., type: event }
event-based detection index=prod_analytics_entcloud "event-based detection" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
finding-based detection index=prod_analytics_entcloud "finding-based detection" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, sessionID: ..., type: event }
change-default-detection index=prod_analytics_entcloud "change-default-detection" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: ..., sessionID: ..., type: event }
open-in-editor index=prod_analytics_entcloud "open-in-editor" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, section: event-based detection, sessionID: ..., type: event }
ba-enable-modal index=prod_analytics_entcloud "ba-enable-modal" { app: SplunkEnterpriseSecuritySuite, page: ess_home, section: remind-me-later }
drilldown-search index=prod_analytics_entcloud "drilldown-search" { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: ir-expansion-link }
risk-analysis-dashboard index=prod_analytics_entcloud "risk-analysis-dashboard" { app: SplunkEnterpriseSecuritySuite, page: risk_analysis, section: viz_risk_score_by_object }
asset-identity-correlation-setup-status index=prod_analytics_entcloud "asset-identity-correlation-setup-status" { app: SplunkEnterpriseSecuritySuite, page: ess_configuration/, section: enabled_for_all_sourcetypes }
ir-enhanced-views-tour index=prod_analytics_entcloud "ir-enhanced-views-tour" { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: showTour }
dlfa-setup-modal index=prod_analytics_entcloud "dlfa-setup-modal" { action: modal closed }
incidentReviewPollingPaused index=prod_analytics_entcloud "incidentReviewPollingPaused" { action: incidentList.polling.paused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
incidentReviewPollingUnpaused index=prod_analytics_entcloud "incidentReviewPollingUnpaused" { action: incidentList.polling.unpaused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
fileUploadedIncident index=prod_analytics_entcloud "fileUploadedIncident" { app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., size: 172 }
fileUploadedTask index=prod_analytics_entcloud "fileUploadedTask" { app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., size: 3094317 }
fileDownloaded index=prod_analytics_entcloud "fileDownloaded" { count: 96, host: ..., source: ..., sourcetype: ... }
manualIncidentCreated index=prod_analytics_entcloud "manualIncidentCreated" { app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., incident_type: default }
responsePlanTaskEnded index=prod_analytics_entcloud "responsePlanTaskEnded" { action: taskStatus.ended, app: missioncontrol, page: mc_incident_review, planId: ..., taskId: ..., sessionID: ..., type: event }
responseTemplateSearchCount index=prod_analytics_entcloud "responseTemplateSearchCount" { app: SplunkEnterpriseSecuritySuite, count: 1, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responsePlanSearchClicked index=prod_analytics_entcloud "responsePlanSearchClicked" { app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: ..., responseName: ..., sessionID: ..., spl: ... }
responsePlanSoarAutomationClicked index=prod_analytics_entcloud "responsePlanSoarAutomationClicked" { app: missioncontrol, component: app.session.MissionControl, incidentId: ..., page: mc_incident_review, phaseId: ..., sessionID: ..., taskId: ..., type: playbook }
responsePlanAddTaskError index=prod_analytics_entcloud "responsePlanAddTaskError" { errorInfo: { errorType: responsePlanAddTaskError, payload: request payload } }
responseTemplateCreated index=prod_analytics_entcloud "responseTemplateCreated" { app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateUpdated index=prod_analytics_entcloud "responseTemplateUpdated" { app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateAppliedManually index=prod_analytics_entcloud "responseTemplateAppliedManually" { app: SplunkEnterpriseSecuritySuite, count: 1, incidentId: ..., page: incident_review, pathname: ..., sessionID: ... }
responseTemplateAppliedByType index=prod_analytics_entcloud "responseTemplateAppliedByType" { app: SplunkEnterpriseSecuritySuite, count: 1, incidentType: automation, page: incident_review, pathname: ..., sessionID: ... }
aqSidePanelBackNextNavigation index=prod_analytics_entcloud "aqSidePanelBackNextNavigation" { direction: next, app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelBackNextNavigation, name: aqSidePanelBackNextNavigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelStartInvestigation index=prod_analytics_entcloud "aqSidePanelStartInvestigation" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelStartInvestigation, id: ..., name: aqSidePanelStartInvestigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelUpdateMetadata index=prod_analytics_entcloud "aqSidePanelUpdateMetadata" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelUpdateMetadata, field: status, id: ..., name: aqSidePanelUpdateMetadata, value: 5, sessionID: ..., type: event }
fileUploadTooBigError index=prod_analytics_entcloud "*fileUploadTooBigError" { errorMessage: "File upload failed, Please upload a file under 50 MB" }
timRedirectError index=prod_analytics_entcloud "*timRedirectError" { errorInfo: "Failed to get matching Incident for the Notable. Error" }
soarRedirectError index=prod_analytics_entcloud "*soarRedirectError" { errorInfo: "Failed to redirect to Splunk SOAR from the current Enterprise Security Domain" }
soarRedirect index=prod_analytics_entcloud "*soarRedirect" { app: SplunkEnterpriseSecuritySuite, nextPage: /lists, page: soar_redirect, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/soar_redirect }
JSONSyntaxError index=prod_analytics_entcloud "*JSONSyntaxError" { app: missioncontrol, error: "SyntaxError: Bad escaped character in JSON at position 42 (line 1 column 43)", errorType: JSONSyntaxError, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., type: event }
uiError index=prod_analytics_entcloud "*uiError" { app: SplunkEnterpriseSecuritySuite, error: Unauthorized, errorType: riskEventAIStatusError, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
newChatStarted index=prod_analytics_entcloud "*newChatStarted" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., name: newChatStarted, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
threadCreated index=prod_analytics_entcloud "*threadCreated" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., name: threadCreated, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
messageSent index=prod_analytics_entcloud "*messageSent" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, investigationId: ..., message: ..., messageSendTime: ..., name: messageSent, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
responseReceived index=prod_analytics_entcloud "*responseReceived" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, investigationId: ..., messageId: ..., name: responseReceived, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
feedbackProvided index=prod_analytics_entcloud "*feedbackProvided" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, investigationId: ..., messageId: ..., name: feedbackProvided, optInRequired: 3, page: incident_review, feedback: {...}, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked index=prod_analytics_entcloud "*runSPLClicked" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, investigationId: ..., messageId: ..., name: runSPLClicked, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutedWithResults index=prod_analytics_entcloud "*splExecutedWithResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, investigationId: ..., messageId: ..., name: splExecutedWithResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., resultsCount: 42, threadId: ..., type: event }
splExecutedWithNoResults index=prod_analytics_entcloud "*splExecutedWithNoResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, investigationId: ..., messageId: ..., name: splExecutedWithNoResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutionFailed index=prod_analytics_entcloud "*splExecutionFailed" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, investigationId: ..., messageId: ..., name: splExecutionFailed, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
secaError index=prod_analytics_entcloud "*secaError" { errorInfo: { api: 'getThreadStatus', investigationId: incident?.id, threadId: ..., code: error_code, message: _(Thread run status returned status => ${status} and error code => ${error_code}) } }
ir-analyst-workflow index=prod_analytics_entcloud "*ir-analyst-workflow" data.appName="enterprise-security" { action: ..., app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir_views_panel, sessionID: ..., type: event }
module-federation-mc-remote-entry index=prod_analytics_entcloud "*module-federation-mc-remote-entry" { action: { connected: true }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-mc-remote-entry, name: module-federation-mc-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
filter-dropdown-ueba-app index=prod_analytics_entcloud "*filter-dropdown-ueba-app" data.appName="enterprise-security" data.name="filter-dropdown-ueba-app" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: ..., section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: filter-dropdown-cloud-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection index=prod_analytics_entcloud "save-detection" { action: save, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
threat-topology index=prod_analytics_entcloud "threat-topology" { action: view, app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ... }
disposition-required index=prod_analytics_entcloud "disposition-required" { action: is_not_required, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create index=prod_analytics_entcloud "disposition-create" { action: view, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline index=prod_analytics_entcloud "ir-event-timeline" { action: click, app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status index=prod_analytics_entcloud "diff-view-status" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
change-default-app index=prod_analytics_entcloud "change-default-app" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: splunk_investigation_kit, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
event-based detection index=prod_analytics_entcloud "event-based detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.event-based detection, name: event-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
finding-based detection index=prod_analytics_entcloud "finding-based detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.finding-based detection, name: finding-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
change-default-detection index=prod_analytics_entcloud "change-default-detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: event_based_detection, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
open-in-editor index=prod_analytics_entcloud "open-in-editor" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-table-open-in-editor, sessionID: ..., type: event }
drilldown-dashboard index=prod_analytics_entcloud "drilldown-dashboard" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-dashboard, name: drilldown-dashboard, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
ba-enable-modal index=prod_analytics_entcloud "ba-enable-modal" { action: remind-me-later, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ba-enable-modal, name: ba-enable-modal, optInRequired: 3, page: ess_home, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_home, section: remind-me-later, sessionID: ..., type: event }
drilldown-search index=prod_analytics_entcloud "drilldown-search" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-search, name: drilldown-search, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
risk-analysis-dashboard index=prod_analytics_entcloud "risk-analysis-dashboard" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.risk-analysis-dashboard, name: risk-analysis-dashboard, optInRequired: 3, page: risk_analysis, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/risk_analysis, section: viz_risk_score_by_object, sessionID: ..., type: event }
asset-identity-correlation-setup-status index=prod_analytics_entcloud "asset-identity-correlation-setup-status" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.asset-identity-correlation-setup-status, name: asset-identity-correlation-setup-status, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: enabled_for_all_sourcetypes, sessionID: ..., type: event }
ir-enhanced-views-tour index=prod_analytics_entcloud "ir-enhanced-views-tour" { action: showTour, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-enhanced-views-tour, name: ir-enhanced-views-tour, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: enhanced_views_tour, sessionID: ..., type: event }
dlfa-setup-modal index=prod_analytics_entcloud "dlfa-setup-modal" { action: modal closed, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.dlfa-setup-modal, name: dlfa-setup-modal, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: dlfa-setup-modal, sessionID: ..., type: event }
turn-on-versioning-feature index=prod_analytics_entcloud environment=* "turn-on-versioning-feature" { action: enabled, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.turn-on-versioning-feature, name: turn-on-versioning-feature, optInRequired: 3, page: ess_configuration/, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_configuration/, sessionID: ..., type: event }
change-detection-status index=prod_analytics_entcloud environment=* "change-detection-status" data.appName="enterprise-security" { action: off, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-detection-status, name: change-detection-status, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: finding_based_detection, sessionID: ..., type: event }
ir-analyst-workflow index=prod_analytics_entcloud environment=* "*change_current_view" OR "*toggle_views_panel" { action: { action: change_current_view, filter_set: {...}, is_default: false, is_private: true, table_attributes: [...] }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir_views_panel, sessionID: ..., type: event }
editor-clone-detection index=prod_analytics_entcloud environment=* "editor-clone-detection" data.appName="enterprise-security" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-clone-detection, name: editor-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: event_based_detection, sessionID: ..., type: event }
editor-modal-clone-detection index=prod_analytics_entcloud environment=* "editor-modal-clone-detection" data.appName="enterprise-security" { action: cloned, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-modal-clone-detection, name: editor-modal-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: ebd, sessionID: ..., type: event }
module-federation-ueba-remote-entry index=prod_analytics_entcloud environment=* "module-federation-ueba-remote-entry" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-ueba-remote-entry, name: module-federation-ueba-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
tune-risk-link-cmp-ba-detection index=prod_analytics_entcloud environment=* "tune-risk-link-cmp-ba-detection" data.appName="enterprise-security" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.tune-risk-link-cmp-ba-detection, name: tune-risk-link-cmp-ba-detection, page: ess_configuration, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event }
cmp-ba-detection-action index=prod_analytics_entcloud environment=* "*cmp-ba-detection-action" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.cmp-ba-detection-action, name: cmp-ba-detection-action, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event, url: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/ueba/risk-exclusion-rules?... }
cm-filter-dropdown-selection index=prod_analytics_entcloud environment=* "*cm-filter-dropdown-selection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-ba-detection-type index=prod_analytics_entcloud environment=* "*filter-dropdown-ba-detection-type" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ba-detection-type, name: filter-dropdown-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: filter-dropdown-ba-detection-type, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
fetch-ba-detections index=prod_analytics_entcloud environment=* "*fetch-ba-detections" { errorInfo: "failed to fetch CMP UEBA detections details with error" }
Seca.ContextSent index=prod_analytics_entcloud component="app.MissionControl.Seca.ContextSent" { context_type: spl_data_models }
Incident_Create index=prod_analytics_entcloud component="app.MissionControl.Incident_Create" { artifact_count: 0 }
Incident_Update index=prod_analytics_entcloud component="app.MissionControl.Incident_Update" { incident_count: 5, status: 2 }
Event_Add index=prod_analytics_entcloud component="app.MissionControl.Event_Add" { action: add, entity_type: notable, entity_uuid: ..., name: notable, optInRequired: 3, page: investigation/overview, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/investigation/overview, sessionID: ..., type: event }
Added_Children_Incidents index="prod_analytics_entcloud" component="app.MissionControl.Added_Children_Incidents" { children_incident_count: 1, incident_count: 1 }
New_Parent_Child_Incident_Relationship index="prod_analytics_entcloud" component="app.MissionControl.New_Parent_Child_Incident_Relationship" { incident_count: 1 }
CustomField_Create index="prod_analytics_entcloud" component="app.MissionControl.CustomField_Create" { customfield_count: 1, name: CustomField_Create }
ArtifactConfig_Create index="prod_analytics_entcloud" component="app.MissionControl.ArtifactConfig_Create" { artifactconfig_count: 1 }
Seca.MessageSent index="prod_analytics_entcloud" component="app.MissionControl.Seca.MessageSent" { investigation_id: 1dda3208-23f8-4969-b689-d088f4ffea61, message: Failed to execute generated spl search index=<index> | stats count by index, sourcetype. Spl is invalid, spl parse error b'{"messages":[{"type":"FATAL","text":"Error in \'search\' command: Unable to parse the search: Comparator \'>\' is missing a term on the right hand side."}]}', messageSentTime: 2025-04-23 01:03:44, name: Seca.MessageSent, thread_id: d1699059-f8a7-4fa2-bd47-4a46174c9090 }
Event_Delete index="prod_analytics_entcloud" component="app.MissionControl.Event_Delete" { event_count: -1 }
Event_Update index="prod_analytics_entcloud" component="app.MissionControl.Event_Update" artifact_count: 0
Event_Create index="prod_analytics_entcloud" component="app.MissionControl.Event_Create" artifact_count: 0
Event_List index="prod_analytics_entcloud" component="app.MissionControl.Event_List" search_count: 1, search_job_elapsed_time: 1744295613
active_users index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.active_users" admin_count: 0, analyst_count: 0, count: 0, user_count: 0
annotations_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.annotations_usage" searches_with_annotations: 1869, searches_with_cis20: 1809, searches_with_kill_chain_phases: 1739, searches_with_mitre_attack: 1779, searches_with_nist: 1809, unique_annotation_count: 977, unique_framework_count: 7
asset_identity_correlation_setup_status index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.asset_identity_correlation_setup_status" asset_identity_correlation_setup_status: disabled_for_all_sourcetypes
datamodel_distribution index="prod_analytics_entcloud" datamodel: Performance
enabled_vulnerability_data_searches index="prod_analytics_entcloud" "*enabled_vulnerability_data_searches" annotations: {}, correlation_search_enabled: 0, creates_notable: 0, creates_risk: 0, disabled: 0
feature_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.feature_usage" avg_spent: 245, count: 1, view: incident_review
identity_manager index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.identity_manager" asset_blacklist_count: 0, asset_count: 4, asset_custom_count: 2, asset_enabled_count: 2, identity_blacklist_count: 0, identity_count: 3
lookup_usage index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.lookup_usage" count: 0, size: 0, transform: threatintel_by_email_subject
search_actions index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.search_actions" action: notable, count: 2, is_adaptive_response: 1, total_scheduled: 110
search_execution index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.search_execution" avg_run_time: 18.63, count: 192, is_realtime: 0, search_alias: Access - Access App Tracker - Lookup Gen
riskfactors_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.riskfactors_usage" total: 12, fields_info: [dest_priority, other, src, src_category, user, user_category, user_priority, user_watchlist]
risk_riskfactors_impact index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact" distinct_risk_object_count: 231, max_calc_risk_score: 90, max_risk_score: 90, min_calc_risk_score: 20, min_risk_score: 20, risk_object_type: system, risk_factor_add_matches: 866, risk_factor_mult_matches: 866, max_risk_factor_add_matches: 0, max_risk_factor_mult_matches: 1, min_risk_factor_add_matches: 0, min_risk_factor_mult_matches: 1
risk_event_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_event_information" calculated_risk_score: 0, risk_factor_add: 0, risk_factor_mult: 0, risk_object_type: system, risk_score: 0, threat_object_type: signature
risk_notable_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_notable_information" annotations: {"mitre_attack": ""}, notable_type: risk_event, risk_event_count: 18, risk_object_type: other
notable_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_information" annotations: {}, notable_type: notable, search_name: Threat - High Confidence APT, Malware and C2 Matches - Rule, security_domain: threat, severity: medium
notables_percent_suppressed index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_percent_suppressed" total_notables_count: 137613
notables_assigned_over_time index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_assigned_over_time" Assigned Notables: 0, Unassigned Notables: 3301336, Date: 2024-12-01
ba_test_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_test_information" risk_score: 45, risk_object_type: user, orig_sourcetype: NA, threat_object_type: NA, annotations: {"analytic_story":["Malicious PowerShell","Active Directory Lateral Movement","Hermetic Wiper","Scheduled Tasks","Data Destruction"],"mitre_attack":["T1021.003","T1053.005","T1059.001","T1021","T1047"],"nist":["DE.CM"],"cis20":["CIS 10"]}
saved_search_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.saved_search_information" creates_notable: 0, creates_risk: 0, disabled: 0, search_name: Bucket Merge Retrieve Conf Settings, annotations: {}
ba_detections index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_detections" name: Unauthorized Activity Time (Preview), id: c0fbe7ee-57d4-11ee-8c99-0242ac120002, enabled: 1, useRiskIndex: 0, version: 1.15.63, annotations: {"mitre_attack":"T1003", "analytic_story":"Active Directory Lateral Movement", "kill_chain_phases":"Exploitation", "nist":"DE.CM", "cis20":"CIS 10"}
notable_event_status_changes index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_event_status_changes" disposition_label: Benign Positive - Suspicious But Expected, urgency: informational, status: 5, status_label: Closed, time_modified: 04/22/2025 06:29:37
notable_events_by_urgency index="prod_analytics_entcloud" "*notable_events_by_urgency" creates_notable: 0, creates_risk: 0, disabled: 1, search_name: Notable_Events_By_Urgency, annotations: {}
datamodel_dataset_population index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population" dataset: All_Changes, model_name: Change, sourcetype: []
splunk_apps index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.splunk_apps" app_label: DA-ESS-AccessProtection, app_name: DA-ESS-AccessProtection, version: 7.3.3
investigation_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigation_information" create_time: 1744787122, investigation_id: 67ff56b3b3af912aa0085d30, name: Custom Investigation
investigations_overview index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigations_overview" create_time: 1481578121, hashed_collaborators: [hash], hashed_creator: [hash], hashed_investigation_name: [hash], investigation_id: 58e1b7afc31ae9da2e3124d0
macro_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.macro_usage" definition: index=windows* sourcetype=WinEventLog source=WinEventLog:Security (eventtype=wineventlog_security OR Channel=security), macro_name: wineventlog_security
vulnerable_systems_percent_vulnerable index="prod_analytics_entcloud" "*vulnerable_systems_percent_vulnerable" percent_vulnerable_systems: ?
unique_threat_object_count index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.unique_threat_object_count" unique_threat_object_count: 0
untriaged_notables_by_domain index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.untriaged_notables_by_domain" Access: 62, Endpoint: 640, Identity: 4, Network: 28649, Threat: 12122854, date: 2025-03-02
threat_artifacts_overview index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_artifacts_overview" count: 12, malware_alias: , source_id: gr-binarydefense-2, source_path: /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups/gr-binarydefense-2.csv, source_type: csv, threat_category: threat_intel, threat_group: gr-binarydefense-2
threat_matches index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_matches" threat_matches: 0
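Several rows above show that telemetry payloads are not limited to counters: macro_usage carries the macro definition (raw SPL naming indexes and sourcetypes), Seca.MessageSent carries an SPL string and a parser error message, threat_artifacts_overview carries a lookup file path, while investigations_overview sends only hashed names and collaborators. Before opting in, a practitioner will want to review what actually leaves the environment. The following is an added example, not code from the Splunk documentation or from Splunk, that scans telemetry records for values that look like unredacted identifiers or configuration detail. The sample events are constructed to mirror the record shapes shown in the table; the field names inside them, the "app.Hypothetical.Unredacted" event, and the detection patterns are assumptions for illustration.

```python
"""Audit telemetry records for clear-text identifiers before opting in.

Added example, not Splunk code. Sample events are constructed and modelled on
the record shapes in the table above; nothing here was captured from a live
deployment.
"""
import json
import re
from typing import Dict, List, Tuple

# Patterns a reviewer would not want leaving the environment in clear text.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # two or more path components starting with '/', e.g. /opt/splunk/etc/...
    "fs_path": re.compile(r"(?:^|\s)(?:/[\w.-]+){2,}"),
    # SPL fragments that name indexes, sourcetypes, sources or hosts
    "spl_fragment": re.compile(r"\b(?:index|sourcetype|source|host)\s*=\s*\S+"),
}
# Values that are digests or placeholders rather than raw identifiers.
HEX_DIGEST = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
PLACEHOLDERS = {"...", "[hash]", "NA", ""}


def _walk(obj, prefix: str = ""):
    """Yield (dotted_key, value) for every scalar in a nested event."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def audit_event(event: Dict) -> List[Tuple[str, str, str]]:
    """Return (field, finding, value) for each suspicious string in one event."""
    findings = []
    for key, value in _walk(event):
        if not isinstance(value, str) or value in PLACEHOLDERS or HEX_DIGEST.match(value):
            continue
        for name, pattern in PATTERNS.items():
            if pattern.search(value):
                findings.append((key, name, value))
    return findings


def audit_events(events: List[Dict]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each event's component name to its findings, omitting clean events."""
    report = {}
    for event in events:
        hits = audit_event(event)
        if hits:
            report[event.get("component", "?")] = hits
    return report


# Constructed samples (assumption: telemetry is available as JSON objects with a
# "component" name and a "data" payload, matching the layout of the table above).
SAMPLE_EVENTS = [
    {"component": "app.SplunkEnterpriseSecuritySuite.investigations_overview",
     "data": {"hashed_creator": "[hash]", "hashed_investigation_name": "[hash]",
              "investigation_id": "58e1b7afc31ae9da2e3124d0"}},
    {"component": "app.SplunkEnterpriseSecuritySuite.macro_usage",
     "data": {"macro_name": "wineventlog_security",
              "definition": "index=windows* sourcetype=WinEventLog"}},
    {"component": "app.MissionControl.Seca.MessageSent",
     "data": {"thread_id": "d1699059-f8a7-4fa2-bd47-4a46174c9090",
              "message": "Failed to execute generated spl search index=<index> | stats count by index"}},
    {"component": "app.SplunkEnterpriseSecuritySuite.threat_artifacts_overview",
     "data": {"source_path": "/opt/splunk/etc/apps/SA-ThreatIntelligence/lookups/feed.csv",
              "threat_group": "feed"}},
    # Hypothetical event with a raw analyst e-mail and source IP: should be flagged.
    {"component": "app.Hypothetical.Unredacted",
     "data": {"owner": "analyst@example.com", "src": "10.0.0.5"}},
]

if __name__ == "__main__":
    print(json.dumps(audit_events(SAMPLE_EVENTS), indent=2))
```

Run against a real export of the records the saved searches produce, the report lists only events whose payload carries something beyond counts and digests; the hashed investigations_overview record passes, the macro definition, SPL error text and lookup path are surfaced for review.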

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.

Last modified on 29 May, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.1.0