When Splunk Security Essentials is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve Splunk Security Essentials in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise in the Splunk Enterprise Admin Manual.
How data is collected
If you opt in globally on your Splunk Enterprise environment, Splunk Security Essentials enables an internal library to track basic usage and crash information. The library uses browser cookies to track unique visitors to the app and their sessions, and sends events to Splunk using XHR in JSON format, with all user-identifying or system-identifying data resolved to GUIDs.
What data is collected
Splunk Security Essentials collects the following basic usage information:
Event | Description | Example |
---|---|---|
Example Opened | Reports that an example was opened. | {status: "exampleLoaded", exampleName: "New Interactive Logon from a Service Account", searchName: "New Interactive Logon from a Service Account - Demo"} |
SPL Viewed | Reports that the SPL for an example was viewed. | {status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo"} |
Schedule Search (Started) | Reports that an alert was scheduled. | {status: "scheduleAlertStarted", name: "New Interactive Logon from a Service Account - Demo"} |
Schedule Search (Finished) | Reports that an alert was scheduled. | {status: "scheduleAlertCompleted", searchName: "New Interactive Logon from a Service Account - Demo"} |
Doc Loaded | Reports that an onboarding guide was opened. | {status: "docLoaded", pageName: "Windows Security Logs"} |
Filters Updated | Reports that filters were updated to filter for specific examples. | {status: "filtersUpdated", name: "category", value: "Account_Sharing", enabledFilters: ["journey", "usecase", "category", "datasource", "highlight"]} |
Selected Intro Use Case | Reports that from the home page, a use case was clicked on. | {status: "selectedIntroUseCase", useCase: "Security Monitoring"} |
Added to Bookmark | Reports that an example was bookmarked. | {status: "BookmarkChange", name: "Basic Malware Outbreak", itemStatus: "needData"} |
Data Foundation Configuration | Reports that available data sources were either configured or introspected. | {status: "DataStatusChange", category: "DS010NetworkCommunication-ET01Traffic", status: "good", selectionType: "manual"} |
Custom Content Created | Reports that custom content was created. | {status: "CustomContentCreated", mitre_technique: "T1046"} |
Unexpected Error Occurred | Reports that an error occurred. | {status: "ErrorOcurred", banner: "Got an error while trying to update the kvstore. Your changes may not be saved.", msg: "Access Denied", locale: "en-US", anon_url: "https://……../en-US/app/Splunk_Security_Essentials/contents", page: "contents", splunk_version: "7.3.1"} |
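
As an added illustration (not Splunk code), the following JavaScript checks usage events against the statuses and fields documented in the table above, and flags undocumented statuses or fields and values that look like e-mail or IPv4 addresses rather than GUIDs. The function name, the identifying-value heuristics, and the sample events are assumptions constructed for this example.

```javascript
// Added example: allowlist audit of outbound usage events.
// Status values and field names are taken from the table on this page.
const DOCUMENTED = new Map(Object.entries({
  exampleLoaded: ["exampleName", "searchName"],
  SPLViewed: ["name"],
  scheduleAlertStarted: ["name"],
  scheduleAlertCompleted: ["searchName"],
  docLoaded: ["pageName"],
  filtersUpdated: ["name", "value", "enabledFilters"],
  selectedIntroUseCase: ["useCase"],
  BookmarkChange: ["name", "itemStatus"],
  DataStatusChange: ["category", "selectionType"],
  CustomContentCreated: ["mitre_technique"],
  ErrorOcurred: ["banner", "msg", "locale", "anon_url", "page", "splunk_version"],
}));

// Assumed heuristics for values that look identifying instead of GUID-resolved.
const IDENTIFYING = [
  ["email", /[^\s@]+@[^\s@]+\.[^\s@]+/],
  ["ipv4", /\b(?:\d{1,3}\.){3}\d{1,3}\b/],
];

// Returns a list of findings; an empty list means the event matches the documentation.
function auditEvent(event) {
  const allowed = DOCUMENTED.get(event.status);
  if (!allowed) return [`undocumented status: ${String(event.status)}`];
  const findings = [];
  for (const [key, value] of Object.entries(event)) {
    if (key === "status") continue;
    if (!allowed.includes(key)) findings.push(`undocumented field: ${key}`);
    const text = typeof value === "string" ? value : JSON.stringify(value);
    for (const [label, pattern] of IDENTIFYING) {
      if (pattern.test(text)) findings.push(`${label}-like value in field: ${key}`);
    }
  }
  return findings;
}

// Constructed sample events (not captured from a real deployment).
const SAMPLES = [
  { status: "docLoaded", pageName: "Windows Security Logs" },
  { status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo", user: "alice@example.com" },
  { status: "sessionReplay", frames: 12 },
];
for (const e of SAMPLES) console.log(e.status, auditEvent(e));
```
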
This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1, 3.6.0