When Splunk Security Essentials is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve Splunk Security Essentials in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise in the Splunk Enterprise Admin Manual.
How data is collected
If you opt in globally on your Splunk Enterprise environment, Splunk Security Essentials activates an internal library to track basic usage and crash information. The library uses browser cookies to track unique visitors to the app and their sessions, and sends events to Splunk using XHR in JSON format, with all user or system-identifying data resolved to GUIDs.
What data is collected
Splunk Security Essentials collects the following basic usage information:
Component | Description | Example |
---|---|---|
app.session.PageStatus | Reports that an example was opened. | {status: "exampleLoaded", exampleName: "New Interactive Logon from a Service Account", searchName: "New Interactive Logon from a Service Account - Demo"} |
app.session.PageStatus | Reports that the SPL for an example was viewed. | {status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo"} |
app.session.PageStatus | Reports that an alert was scheduled. | {status: "scheduleAlertStarted", name: "New Interactive Logon from a Service Account - Demo"} |
app.session.PageStatus | Reports that an alert was scheduled. | {status: "scheduleAlertCompleted", searchName: "New Interactive Logon from a Service Account - Demo"} |
app.session.PageStatus | Reports that an onboarding guide was opened. | {status: "docLoaded", pageName: "Windows Security Logs"} |
app.session.PageStatus | Reports that filters were updated to filter for specific examples. | {status: "filtersUpdated", name: "category", value: "Account_Sharing", enabledFilters: ["journey", "usecase", "category", "datasource", "highlight"]} |
app.session.PageStatus | Reports that from the home page, a use case was clicked on. | {status: "selectedIntroUseCase", useCase: "Security Monitoring"} |
app.session.BookmarkChange | Reports that an example was bookmarked. | {status: "BookmarkChange", name: "Basic Malware Outbreak", itemStatus: "needData"} |
app.session.DataStatusChange | Reports that available data sources were either configured or introspected. | {status: "DataStatusChange", category: "DS010NetworkCommunication-ET01Traffic", status: "good", selectionType: "manual"} |
app.session.CustomContentCreated | Reports that custom content was created. | {status: "CustomContentCreated", mitre_technique: "T1046"} |
app.session.PageStatus | Reports that an error occurred. | {status: "ErrorOcurred", banner: "Got an error while trying to update the kvstore. Your changes may not be saved.", msg: "Access Denied", locale: "en-US", anon_url: "https://……../en-US/app/Splunk_Security_Essentials/contents", page: "contents", splunk_version: "7.3.1"} |
app.session.DataInventoryIntrospection | Reports when Data Inventory configuration started and when it finished. | Starts {"name": "Introspection", "value": "started", "status": "running", "page": "Data inventory"} Ends {"name": "Introspection", "value": "completed", "status": "completed", "page": "Data inventory"} |
app.session.ManageBookmarks | Reports that a user navigated to the Manage Bookmarks page. | {"status": "opened", "page": "Manage Bookmarks"} |
app.session.PageStatus | Reports that a user opened a link that led to an external site, such as the Splunk documentation site. | {"status": "opened", "page": "DYNAMIC", "event": "clicked",} |
This documentation applies to the following versions of Splunk® Security Essentials: 3.8.0, 3.8.1