Splunk® Security Essentials

Install and Configure Splunk Security Essentials



This documentation does not apply to the most recent version of Splunk® Security Essentials. For documentation on the most recent version, go to the latest release.

Share data in Splunk Security Essentials

When Splunk Security Essentials is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve Splunk Security Essentials in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise in the Splunk Enterprise Admin Manual.

How data is collected

If you opt in globally on your Splunk Enterprise environment, Splunk Security Essentials enables an internal library to track basic usage and crash information. The library uses browser cookies to track sessions and unique visitors to the app, and it sends events to Splunk using XHR in JSON format, with all user or system-identifying data resolved to GUIDs.

What data is collected

Splunk Security Essentials collects the following basic usage information:

| Event | Description | Example |
| --- | --- | --- |
| Example Opened | Reports that an example was opened. | {status: "exampleLoaded", exampleName: "New Interactive Logon from a Service Account", searchName: "New Interactive Logon from a Service Account - Demo"} |
| SPL Viewed | Reports that the SPL for an example was viewed. | {status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo"} |
| Schedule Search (Started) | Reports that an alert was scheduled. | {status: "scheduleAlertStarted", name: "New Interactive Logon from a Service Account - Demo"} |
| Schedule Search (Finished) | Reports that an alert was scheduled. | {status: "scheduleAlertCompleted", searchName: "New Interactive Logon from a Service Account - Demo"} |
| Doc Loaded | Reports that an onboarding guide was opened. | {status: "docLoaded", pageName: "Windows Security Logs"} |
| Filters Updated | Reports that filters were updated to filter for specific examples. | {status: "filtersUpdated", name: "category", value: "Account_Sharing", enabledFilters: ["journey", "usecase", "category", "datasource", "highlight"]} |
| Selected Intro Use Case | Reports that from the home page, a use case was clicked on. | {status: "selectedIntroUseCase", useCase: "Security Monitoring"} |
| Added to Bookmark | Reports that an example was bookmarked. | {status: "BookmarkChange", name: "Basic Malware Outbreak", itemStatus: "needData"} |
| Data Foundation Configuration | Reports that available data sources were either configured or introspected. | {status: "DataStatusChange", category: "DS010NetworkCommunication-ET01Traffic", status: "good", selectionType: "manual"} |
| Custom Content Created | Reports that custom content was created. | {status: "CustomContentCreated", mitre_technique: "T1046"} |
| Unexpected Error Occurred | Reports that an error occurred. | {status: "ErrorOcurred", banner: "Got an error while trying to update the kvstore. Your changes may not be saved.", msg: "Access Denied", locale: "en-US", anon_url: "https://……../en-US/app/Splunk_Security_Essentials/contents", page: "contents", splunk_version: "7.3.1"} |
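
For an egress or privacy review, the events listed above can serve as an allowlist for checking telemetry bodies captured at a proxy. The following is an added example, not Splunk code: the `review_event` helper, the `Pairs` class, and the sample bodies are hypothetical, and it assumes each captured body is a single JSON object whose fields match the Example column.

```python
import json

# Fields per event "status", copied from the Example column of the table above.
# Assumption: those examples show every field an event carries.
DOCUMENTED = {
    "exampleLoaded": {"exampleName", "searchName"},
    "SPLViewed": {"name"},
    "scheduleAlertStarted": {"name"},
    "scheduleAlertCompleted": {"searchName"},
    "docLoaded": {"pageName"},
    "filtersUpdated": {"name", "value", "enabledFilters"},
    "selectedIntroUseCase": {"useCase"},
    "BookmarkChange": {"name", "itemStatus"},
    # The documented example repeats the "status" key, so allow it as a field.
    "DataStatusChange": {"category", "status", "selectionType"},
    "CustomContentCreated": {"mitre_technique"},
    "ErrorOcurred": {"banner", "msg", "locale", "anon_url", "page", "splunk_version"},
}

class Pairs(list):
    """A decoded JSON object kept as (key, value) pairs, repeated keys included."""

def review_event(raw):
    """Return findings for one captured event body; an empty list means it matches."""
    try:
        obj = json.loads(raw, object_pairs_hook=Pairs)
    except ValueError:
        return ["not valid JSON"]
    if not isinstance(obj, Pairs):
        return ["not a JSON object"]
    fields = [key for key, _ in obj]
    kind = next((value for key, value in obj if key == "status"), None)
    if not isinstance(kind, str) or kind not in DOCUMENTED:
        return [f"undocumented status: {kind!r}"]
    fields.remove("status")  # the first "status" names the event type
    extra = sorted(set(fields) - DOCUMENTED[kind])
    return [f"{kind}: undocumented field {name!r}" for name in extra]

# Constructed sample bodies (not captured traffic); the last two are deliberate misses.
SAMPLES = [
    '{"status": "docLoaded", "pageName": "Windows Security Logs"}',
    '{"status": "DataStatusChange", "category": "DS010NetworkCommunication-ET01Traffic",'
    ' "status": "good", "selectionType": "manual"}',
    '{"status": "SPLViewed", "name": "demo", "username": "alice"}',
    '{"status": "searchRan", "spl": "index=main"}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(review_event(body) or "ok", "<-", body)
```

A finding means the body differs from what this page documents for the listed versions, not that the field is necessarily identifying; review the value before drawing a conclusion.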
Last modified on 01 February, 2024

This documentation applies to the following versions of Splunk® Security Essentials: 3.3.0, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4.0, 3.5.0, 3.5.1, 3.6.0

