After the future removal of the classic playbook editor, your existing classic playbooks will continue to run. However, you will no longer be able to visualize or modify existing classic playbooks.
For details, see:
When Splunk SOAR (On-premises) is deployed, the platform sends usage data to Splunk Inc. ("Splunk") to provide, support, and optimize your deployment and to help improve Splunk SOAR (On-premises) in future releases.
Opt in or opt out of sharing Usage Data
You can change data sharing settings anytime using either the user interface or the command line interface.
Use the Splunk SOAR (On-premises) interface
Modify general Usage Data share settings in the graphical user interface following these steps:
- From the main menu, select Administration.
- Expand the Product Settings drop-down list.
- Select Data Sharing.
- Adjust Usage Data category toggles to the On (opt in) or Off (opt out) position.
Use the command line interface
Modify RUM and FullStory Usage Data share settings using the command line interface and the following management commands:
For Splunk RUM telemetry:
phenv set_preference --rum [{yes,no}]
Use yes to opt in, no to opt out.
For FullStory telemetry:
phenv python -m manage fullstory
How data is collected
Splunk SOAR (On-premises) uses several technologies running in the background to collect usage data.
- Splunk Web Analytics (swa.js)
- Splunk Real User Monitoring (RUM)
- FullStory
Usage Data Telemetry
A Splunk SOAR (On-premises) background task runs at a specified system time to collect telemetry data which is transmitted to Splunk's products-telemetry server.
Each time a user logs in, some system settings and license metrics are collected.
FullStory is used to collect experiential user journey information from the Visual Playbook Editor with user personally identifiable information redacted. In the Splunk SOAR (On-premises) interface, FullStory data collection can either be managed from the graphical interface by switching the main Telemetry Usage Data toggle on or off, or alternatively, by discrete command using the command line interface, as described earlier in this article.
For information about the Visual Playbook Editor see Use playbooks to automate analyst workflows in Splunk SOAR (On-premises) in Build Playbooks with the Playbook Editor.
RUM Telemetry
Splunk Real User Monitoring (RUM) connects to a non-PCI-compliant system.
RUM is designed to collect and send information like console errors, JavaScript errors, and page load performance metrics without user-provided values, such as username or email, or any URI or URL parameters that personally identify individual users. See What is Splunk RUM? for more information.
How data is stored
Splunk's retention timeframes for Usage Data are described here and those for Splunk RUM are described here. For more information about Splunk's data collection and privacy practices see the Splunk Privacy Policy and learn how Splunk Protects.
Telemetry impacts on performance
Collecting telemetry data minimally affects database performance and the loading of the Splunk SOAR (On-premises) UI.
General Usage Data
Splunk SOAR (On-premises) telemetry collects the following basic usage information:
Name | Description | Example |
---|---|---|
Items in this section apply to all telemetry objects | ||
|
Either:
And:
Splunk SOAR sends the deploymentID with every event. This change adds either companyID or stackID and licenseNumber, licenseIssueDate, licenseExpirationDate, and licenseInstance wherever deploymentID is currently logged. |
{ "data": { ... "licenseNumber": "0ffff-ffff-fff-fff-ffffff", "licenseIssueDate": "2024-12-22", "licenseExpirationDate": "2024-12-22", "licenseInstance": "12304", }, "timestamp": 1684779074013, "component": "app.session.soar.systemSettings", "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc", "companyID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff", "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665", "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe" } Or { "data": { ... "licenseNumber": "0ffff-ffff-fff-fff-ffffff", "licenseIssueDate": "2024-12-22", "licenseExpirationDate": "2024-12-22", "licenseInstance": "12304", }, "timestamp": 1684779074013, "component": "app.session.soar.systemSettings", "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc", "stackID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff", "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665", "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe" } |
app.session. objects
| ||
app.session.soar.apiTime
|
Reports roundtrip time consumption for each API request. | data: { app: soar endpoint: /rest/ph_user/3/permissions method: get page: UNKNOWN_PAGE status: 200 time: 150 soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca soarUserID: 5d900c28b8d1555745c09908ef386860 } deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97 experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0 optInRequired: 3 timestamp: 1574213030362 visibility: anonymous data: { app: phantom endpoint: /rest/ph_user/3/permissions method: get page: UNKNOWN_PAGE status: 200 time: 150 phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca phantomUserID: 5d900c28b8d1555745c09908ef386860 } deploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97 experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0 optInRequired: 3 timestamp: 1574213030362 visibility: anonymous |
app.session.soar.error
|
Reports uncaught errors of front-end Splunk SOAR scripts. | data: { app: soar errorMsg: Uncaught ReferenceError: helloworld is not defined file: /inc/swa/swa_enabled.js page: admin.product_settings.telemetry position: 74:1 soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca soarUserID: 5d900c28b8d1555745c09908ef386860 } deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: 94efce66-ab89-33ae-f894-1cceb8f68f78 experienceID: 239facf6-261d-dd96-be08-33870c7d3750 optInRequired: 3 timestamp: 1574294947704 visibility: anonymous |
app.session.soar.license
|
Reports license status, limits, and usage information. Sent once per session.
|
{ 'type': 'standard', 'issueDate': 1616371200.0, 'expirationDate': 4769971200.0, 'companyName': 'limits': { 'actions': 'unlimited', (NEW) 'apps': 'unlimited', 'assets': 'unlimited', (NEW) 'events': 'unlimited', 'users': 'unlimited', 'tenants': 1, 'seats': 'unlimited' }, 'productVersion': '10155.0.0.124976', 'usage': { 'recentAppRunCount': 0, 'recentPlaybookRunCount': 0, 'recentDebugRunCount': 0, 'seatCount': 1, 'activeUsersCount': 2, } } |
app.session.soar.pageview
|
Reports which pages are visited by users. | data: { app: soar page: admin.company_settings.info soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca soarUserID: 5d900c28b8d1555745c09908ef386860 } deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6 experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d optInRequired: 3 timestamp: 1574210581565 visibility: anonymous { data: { app: phantom page: admin.company_settings.info phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca phantomUserID: 5d900c28b8d1555745c09908ef386860 } eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6 experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d optInRequired: 3 timestamp: 1574210581565 visibility: anonymous } |
app.session.soar.systemSettings
|
Reports the feature on/off settings and product version.
|
{ "optInRequired": 3, "original_timestamp": 1684779074013, "visibility": "anonymous", "data": { "cloudWorksEnvironment": "stg", "isClusteringEnabled": false, "numOfClusterNodes": 0, "isMultiTenantEnabled": false, "nodeGUID": "057f9e04-d54c-4ccc-9ffb-4aa82551b4d6", "page": "UNKNOWN_PAGE", "isElasticSearchEnabled": false, "credential_manager": "hashicorp", "splunkConfig": { "searchLocation": "local", "searchType": "standalone" }, "app": "soar", "missionControlDeploymentID": null, "soarDeploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc", "license": "standard", "soarUserID": "5ebe9df18591550e99cd82079e8448a1c14582f0c04cfd84eaa3a254cae8675cc1eb2097c47dcc99c184481d89949492c4b700918c1e20f909f1bc5f4ea400c6", "productVersion": "10155.0.0.124976" }, "timestamp": 1684779074013, "component": "app.session.soar.systemSettings", "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc", "eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665", "experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe" } |
app.session.session_start
|
Reports the browser and OS, along with their versions. | { data: { app: UNKNOWN_APP browser: Chrome browserVersion: 78.0.3904.97 device: MacIntel locale: en-US os: Mac OS X osVersion: 10. page: UNKNOWN_PAGE splunkVersion: not available } eventID: d9ca862c-d48d-83a1-d1bb-f0f25f4b5af8 experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0 optInRequired: 3 timestamp: 1574213029 visibility: anonymous } |
app.session.phantom.viewTime
|
Reports time spent on a specific page. Only tracked for specific pages. | { data: { app: phantom page: reports viewTime: 10223 phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca phantomUserID: 5d900c28b8d1555745c09908ef386860 } eventID: 545fdcfb-ac0d-a11b-da6a-4b9da84b6c2a experienceID: 85b49544-fb90-a2ef-1b3f-e09339f3abc1 optInRequired: 3 timestamp: 1573690198763 visibility: anonymous } |
app.session.soar.vpe
|
Reports:
The classic playbook editor will be deprecated soon, in 2024. For information on converting your playbooks, see Convert classic playbooks to modern playbooks. |
component: app.session.soar.vpe data: { app: soar jsonSchemaVersion:"5.0.3" page: UNKNOWN_PAGE blocks: { totalCount: 14 blockTypes: { action: 2 playbook: 1 code: 1 utility: 1 filter: 1 decision: 1 format: 6 prompt: 1 } customCodeBlockCount: 3 customCodeBlockTypeCounts: { start: 0 end: 1 action: 2 playbook: 0 code: 0 utility: 0 filter: 0 decision: 0 format: 0 prompt: 0 } actions: ["geolocate ip", "whois domain"] } hotkeys: { totalCount: 14 interactions: { addMiniMenu: 7 addActionBlock: 6 addPlaybookBlock: 0 addCodeBlock: 0 addUtilityBlock: 0 addFilterBlock: 0 addDecisionBlock: 0 addFormatBlock: 1 addPromptBlock: 0 autoArrange: 1 zoomToFit: 1 zoomIn: 0 zoomOut: 0 savePlaybook: 1 deleteNode: 0 toggleEditor: 1 toggleDebugger: 1 toggleSettings: 1 showShortcutModal: 1 } } features: { customConditionLabel: 3 customDatapaths: 2 playbookInputs: { count: 0 dataTypes: { "domain": 0 "file id": 0 "file name": 0 "file path": 0 "hash": 0 "host name": 0 "ip": 0 "mac address": 0 "port": 0 "process name": 0 "url": 0 "user name": 0 } } playbookOutputs: { count: 1 dataTypes: { "domain": 1 "file id": 0 "file name": 0 "file path": 0 "hash": 0 "host name": 0 "ip": 0 "mac address": 0 "port": 0 "process name": 0 "url": 0 "user name": 0 } dedupeCount: 0 } } playbookType: automation playbookName: 5d900c28b8d1555745c09908ef133337 soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca soarUserID: 5d900c28b8d1555745c09908ef386860 } deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9 experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830 optInRequired: 3 timestamp: 1576695256840 visibility: anonymous |
app.session.soar.vpeTime
|
Reports the time in milliseconds it took for the VPE to load in the browser. | component: app.session.soar.vpeTime data: { app: soar pageLoadTime: 10298 } deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9 experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830 optInRequired: 3 timestamp: 1576695256840 visibility: anonymous |
automation.summary objects
| ||
automation.summary.app_summary
|
A summary of apps installed on the system.
|
{ 'type': 'event', 'component': 'automation.summary.app_summary', 'data': { 'app_name': 'MaxMind', 'description': 'This app provides IP geolocation with the included MaxMind database', 'version': '2.2.5', 'product_name': 'GeoIP2', 'product_vendor': 'MaxMind', 'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'license': 'community', 'productVersion': '6.1.0.58', 'missionControlDeploymentID': None, 'cloudWorksEnvironment': 'dev' }, 'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'optInRequired': 3, 'version': None, 'timestamp': 1685128654000, 'visibility': [ 'anonymous' ] } |
automation.summary.case_summary
|
A summary of opened and closed cases in the last 24 hours.
|
{ 'type': 'aggregate', 'component': 'automation.summary.case_summary', 'data': { 'opened': 120, 'closed': 87, 'promoted': 12, 'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'license': 'community', 'productVersion': '6.1.0.58', 'missionControlDeploymentID': None }, 'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'optInRequired': 3, 'version': None, 'timestamp': 1685658250000, 'visibility': [ 'anonymous' ], 'indexData': True, 'begin': 1685491200000, 'end': 1685577599000 } |
automation.summary.ingestion_status
|
Ingestion status and events ingested per Splunk SOAR deployment.
|
{ 'type': 'aggregate', 'component': 'automation.summary.ingestion_status', 'data': { 'adhoc': None, 'automated': None, 'all': { 'total': 1, 'success': 1, 'failed': 0, 'running': 0 }, 'event_ingested_count': 1, 'soarDeploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc', 'license': 'standard', 'productVersion': '10155.0.0.124976', 'missionControlDeploymentID': None, 'cloudWorksEnvironment': 'stg' }, 'deploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc', 'optInRequired': 3, 'version': None, 'timestamp': 1684358758000, 'visibility': [ 'anonymous' ], 'indexData': True, 'begin': 1684281600000, 'end': 1684367999000 } |
automation.summary.playbook_names
|
A summary of playbook names and whether or not a playbook is custom.
|
{ 'type': 'aggregate', 'component': 'automation.summary.playbook_names', 'data': { 'community': [ 'AD_LDAP_Entity_Attribute_Lookup', 'wannacry_prevent', 'wannacry_remediate', 'zscaler_hunt_and_block_url', 'zscaler_malicious_file_response', 'zscaler_patient_0_parse_email' ], 'community_count': 136, 'custom': [ 'testa1' ], 'custom_count': 1, 'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'license': 'community', 'productVersion': '6.1.0.58', 'missionControlDeploymentID': None }, 'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'optInRequired': 3, 'version': None, 'timestamp': 1685658250000, 'visibility': [ 'anonymous' ], 'indexData': True, 'begin': 1685491200000, 'end': 1685577599000 } |
automation.summary.playbook_runs.by_trigger
|
Counts of playbook runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily. | begin: 1663891200000 component: automation.summary.playbook_runs.by_trigger data: { adhoc: { failed: 0 running: 0 success: 2 total: 2 } all: { failed: 0 running: 0 success: 2 total: 2 } automated: { failed: 0 running: 0 success: 0 total: 0 } cloudWorksEnvironment: dev missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81 productVersion: 10155.0.0.98349 license: standard } deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81 end: 1663977599000 indexData: true optInRequired: 3 timestamp: 1663977609000 type: aggregate visibility: [ anonymous ] } |
automation.summary.publish_telemetry_time_taken
|
Start time, end time, and the calculated total time of the telemetry publish job.
|
{ 'type': 'event', 'component': 'automation.summary.publish_telemetry_time_taken', 'data': { 'start_time': 28244.781, 'end_time': 28244.812, 'total_time': 0.031, 'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'license': 'community', 'productVersion': '6.1.0.58', 'missionControlDeploymentID': None, 'cloudWorksEnvironment': 'dev' }, 'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'optInRequired': 3, 'version': None, 'timestamp': 1685128654000, 'visibility': [ 'anonymous' ], 'indexData': True, 'begin': None, 'end': None } |
automation.summary.workbook_summary
|
A summary of opened and closed workbooks.
|
{ 'type': 'aggregate', 'component': 'automation.summary.case_summary', 'data': { 'opened': { 'unique_containers': 3, 'total_tasks': 15, 'total_phases': 45, }, 'started': { 'unique_containers': 2, 'total_tasks': 2, 'total_phases': 4, }, 'closed': { 'unique_containers': 2, 'total_tasks': 4, 'total_phases': 12, }, 'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'license': 'community', 'productVersion': '6.1.0.58', 'missionControlDeploymentID': None }, 'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9', 'optInRequired': 3, 'version': None, 'timestamp': 1685658250000, 'visibility': [ 'anonymous' ], 'indexData': True, 'begin': 1685491200000, 'end': 1685577599000 } |
orchestration. objects
| ||
orchestration.summary.action_runs.by_trigger
|
Counts of action runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily.
- adhoc: Counts of adhoc action runs by status
- automated: Counts of automated action runs by status
- all: Counts of both adhoc and automated playbook runs by status
- cloudWorksEnvironment: The environment in which the Splunk SOAR cloud stack is deployed; development (dev), staging (stg), or live (lve).
- missionControlDeploymentID: A nullable field identifying the Splunk Mission Control instance paired to the Splunk SOAR instance
- soarDeploymentID: Uniquely identifies the Splunk SOAR stack that emitted the metric |
{ begin: 1663891200000 component: orchestration.summary.action_runs.by_trigger data: { adhoc: { failed: 0 pending: 0 running: 0 success: 1 total: 1 } all: { failed: 5 pending: 0 running: 0 success: 5 total: 10 } automated: { failed: 5 pending: 0 running: 0 success: 4 total: 9 } cloudWorksEnvironment: dev missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81 productVersion: 10155.0.0.98349 license: standard } deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81 end: 1663977599000 indexData: true optInRequired: 3 timestamp: 1663977609000 type: aggregate visibility: [ anonymous ] } |
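For a privacy or data-flow review of the payloads in the table above, the following added example (not Splunk code) walks decoded telemetry events, lists the identifier fields each component carries, and flags user IDs that are not hex digests. The category grouping, the 32-character digest rule, and the sample events (reduced from this page's samples, with a placeholder companyID and one deliberately non-digest soarUserID) are assumptions of this example.

```python
import re

# Key names copied from this page's sample payloads. Grouping them into
# categories is this example's assumption, not a Splunk classification.
IDENTIFIER_KEYS = {
    "deployment": {"deploymentID", "soarDeploymentID", "phantomDeploymentID",
                   "missionControlDeploymentID", "nodeGUID"},
    "customer": {"companyID", "stackID"},
    "license": {"licenseNumber", "licenseIssueDate",
                "licenseExpirationDate", "licenseInstance"},
    "user": {"soarUserID", "phantomUserID"},
    "free_text": {"custom", "actions", "errorMsg"},
}
# Assumption: a pseudonymized user ID is a hex digest of 32+ characters.
HEX_DIGEST = re.compile(r"[0-9a-f]{32,}")


def walk(node, path=""):
    """Yield (dotted_path, key, value) for every non-dict value under node."""
    for key, value in node.items():
        child = f"{path}.{key}" if path else key
        if isinstance(value, dict):
            yield from walk(value, child)
        else:
            yield child, key, value


def inventory(event):
    """Return ({category: [paths]}, [paths of user IDs that are not digests])."""
    found, raw_user_ids = {}, []
    for path, key, value in walk(event):
        if value is None or value == [] or value == "":
            continue  # null or empty fields disclose nothing
        for category, keys in IDENTIFIER_KEYS.items():
            if key in keys:
                found.setdefault(category, []).append(path)
        if key in IDENTIFIER_KEYS["user"] and not HEX_DIGEST.fullmatch(str(value)):
            raw_user_ids.append(path)
    return {c: sorted(p) for c, p in found.items()}, raw_user_ids


def audit(events):
    """Map each event's component to its inventory() result."""
    return {e.get("component", "UNKNOWN"): inventory(e) for e in events}


# Constructed events, reduced from this page's samples and written as dicts.
# companyID is a placeholder; the last soarUserID is deliberately not a digest.
SAMPLE_EVENTS = [
    {"component": "app.session.soar.systemSettings",
     "deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
     "companyID": "constructed-company-hash",
     "data": {"licenseNumber": "0ffff-ffff-fff-fff-ffffff",
              "soarUserID": "5d900c28b8d1555745c09908ef386860",
              "missionControlDeploymentID": None}},
    {"component": "automation.summary.playbook_names",
     "deploymentID": "phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9",
     "data": {"custom": ["testa1"], "custom_count": 1}},
    {"component": "app.session.soar.pageview",
     "data": {"page": "admin.company_settings.info", "soarUserID": "jdoe"}},
]

if __name__ == "__main__":
    for component, (fields, raw) in audit(SAMPLE_EVENTS).items():
        print(component, fields, "non-digest user IDs:", raw)
```

The `free_text` category covers fields whose values are chosen by users or generated at runtime, such as the custom playbook names in automation.summary.playbook_names, and so are the ones to read before deciding which Usage Data categories to leave enabled.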
This documentation applies to the following versions of Splunk® SOAR (On-premises): 6.1.1, 6.2.0, 6.2.1, 6.2.2, 6.3.0