Splunk Enterprise Security 7

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Splunk Observability Cloud Splunk IT Service Intelligence Splunk Cloud Platform Splunk Enterprise Data Management Splunk Enterprise Security 8 Splunk Enterprise Security 7 Splunk SOAR Security Offerings AppDynamics SaaS About This Site Community Support Supported Add-ons

Documentation

Splunk Enterprise Security 7

Splunk Enterprise Security 7 Contents

Install

7.3

Administer

User Guide

Risk-Based Alerting

Tutorials and Use Cases

API Reference

Release Notes and Resources

Mission Control

Security Content Update

Splunk Security Essentials

Splunk App for Fraud Analytics

Splunk App for PCI Compliance

Common Information Model

Splunk Machine Learning Toolkit

Share data in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

What data is collected

Splunk Enterprise Security collects the following basic usage information:


Name	Description	Example
`app.session.enterprise-security.drilldown-dashboard`	Reports on the telemetry for every notable event that is created such as the severity of the notable, the assets and identities that generated the notable, and so on.	data: { [-] _time: 1662596119 notable_type: notable search_name: ESCU - Detecting Foo using Bar - Rule annotations: {"_time": 1698688688, "notable_type": "notable", "search_name": "ESCU - Detect Regasm with no Command Line Arguments - Rule", "annotations": "{\"analytic_story\": [\"Suspicious Regsvcs Regasm Activity\", \"Living Off The Land\"], \"cis20\": [\"CIS 10\"], \"confidence\": 70, \"impact\": 70, \"kill_chain_phases\": [\"Exploitation\"], \"mitre_attack\": [\"T1218\", \"T1218.009\"], \"nist\": [\"DE.CM\"]}" security_domain: endpoint severity: high event_id: 94DB953F-825B-4885-B630-DCDEFDC2A260@@notable@@377f7cd1c5cd18a287ef62392052b327 org_sourcetype: N/A hashed_user: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae hashed_src_user: 2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae hashed_src: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0 hashed_dest: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0 hashed_dvc: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0 hashed_orig_host: 12ca17b49af2289436f303e0166030a21e525d266e209267433801a8fd4071a0 hashed_process_name: c65bd1e40e7af5766f76c5ee912ab472658a86d20f2bcaf90e3ee572cfdbc22a hashed_object: 49960de5880e8c687434170f6476605b8fe4aeb9a28632c7995cf3ba831d9763 } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367 experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669678343 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.session.enterprise-security.risk-analysis-dashboard`	Reports on the usage of the Risk Timeline visualization on the Risk Analysis dashboard.	`data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: incident_review section: viz_risk_score_by_object }`
`app.session.enterprise-security.disposition-required`	Reports whether dispositions are required or not on Incident Review Settings page.	`data: { [-] action: is_required app: SplunkEnterpriseSecuritySuite page: ess_incident_review_configuration section: disposition }`
`app.session.enterprise-security.ir-event-timeline`	Reports the usage of the zoom in and zoom out functionality of the Event Timeline visualization on the Incident Review page.	`data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: incident_review section: zoomClick }` OR `data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: incident_review section: zoomOut }`
`app.session.enterprise-security.incident-review`	Reports the number of customers who have selected drilldown searches in the expansion row on the Incident Review page. Reports the number of times customers have selected drilldown searches in the expansion row on the Incident Review page.	{ [-] component: app.session.enterprise-security.drilldown-search data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: incident_review section: ir-expansion-link } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367 experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669678343 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.session.enterprise-security.drilldown-search`	Reports the number of customers who have used, added, or removed drilldown searches in the Correlation Search Editor. Reports the number of times customers have added or removed drilldown searches in the Correlation Search Editor.	{ [-] component: app.session.enterprise-security.drilldown-search data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: correlation_search_edit section: add-drilldown-btn (OR remove-drilldown-btn) } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367 experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669678343 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.session.enterprise-security.threat-topology`	Report the number of users who have viewed the threat-topology visualization Report the number of times users have rendered the threat-topology visualization	{ [-] component: app.session.enterprise-security.threat-topology data: { [-] action: view app: SplunkEnterpriseSecuritySuite page: incident_review } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: 538e4d34-0fbb-a4ea-05b4-0e50445823a1 experienceID: 63a92645-5d53-91f4-15b5-c32c12aac41a optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669674829 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.session.enterprise-security.mitre-matrix`	Report the number of users who have viewed the mitre-matrix component Report the number of times users have rendered the mitre-matrix component	{ [-] component: app.session.enterprise-security.mitre-matrix data: { [-] action: view app: SplunkEnterpriseSecuritySuite page: incident_review } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367 experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669678343 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.session.enterprise-security.ba-enable-modal`	Report the number of users who have viewed the mitre-matrix component Report the number of times users have rendered the mitre-matrix component	{ [-] component: app.session.enterprise-security.ba-enable-modal data: { [-] action: click app: SplunkEnterpriseSecuritySuite page: ess_home section: submit-ticket } deploymentID: dd2e7874-098f-549c-af70-0d33636be94d eventID: de6b5a51-d15a-27de-6015-97c818a41757 experienceID: 8ec2c25a-8edd-5438-95b7-ae009c1db2aa optInRequired: 3 splunkVersion: 9.0.1 timestamp: 1669756275 userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a version: 4 visibility: anonymous,support }
`app.SplunkEnterpriseSecuritySuite.active_users`	Report the number of active users.	`{ "version": "1.0", "end": 1521483766, "begin": 1521396000, "data": { "analyst_count": 0, "count": 1, "admin_count": 1, "user_count": 0 } }`
`app.SplunkEnterpriseSecuritySuite.annotations_usage`	Report the number of users that enable and start using annotations in correlation searches for the risk framework.	`{ "data": { "unique_annotation_count": 86, "unique_framework_count": 4, "searches_with_cis20": 200, "searches_with_kill_chain_phases": 176, "searches_with_mitre_attack": 119, "searches_with_nist": 199, "searches_with_annotations": 213 }, "version": "1.0" }`
`app.SplunkEnterpriseSecuritySuite.datamodel_distribution`	Performs a data model audit to determine which models are the most heavily used.	`{ "data": { "size": 2265088, "datamodel": "Change_Analysis", "perc": 49.33 }, "version": "1.0" }`
`app.SplunkEnterpriseSecuritySuite.feature_usage`	Reports the amount of time it takes for a page to load. Reports data about feature usage.	`{ "end": 1521483766, "begin": 1521396000, "version": "1.0", "data": { "count": 1, "avg_spent": 515, "view": "ess_home" } }`
`app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population`	Reports which sourcetypes are populating data models and data sets.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population data: { [-] count: 3510 dataset: Authentication model_name: Authentication sourcetype: XmlWinEventLog } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 9416AAD3-7DE3-4985-80E5-D8EACF7373AC executionID: 31D2B8E6-1679-4041-91A8-D9955A2B2544 optInRequired: 3 timestamp: 1662700871 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.identity_manager`	Reports statistics pertaining to the usage of the Assets and Identities Framework.	{ "data": { [-] "asset_blacklist_count": 0, "asset_count": 3, "asset_custom_count": 1, "asset_custom_fields": 0, "asset_enabled_count": 1, "asset_ldap_count": 0, "asset_search_count": 0, "identity_blacklist_count": 0, "identity_count": 3, "identity_custom_count": 0, "identity_custom_fields": 0, "identity_enabled_count": 2, "identity_ldap_count": 0, "identity_search_count": 0, "total_blacklist_count": 0, "total_count": 6, "total_custom_count": 1, "total_enabled_count": 3, "total_ldap_count": 0, "total_search_count": 0 }, "version": 1.0 }
`app.SplunkEnterpriseSecuritySuite.investigation_information`	Report on the length of investigations in Splunk Enterprise Security.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { [-] investigation_id: 3392852E-71F0-43DD-B826-F155BE830660 name: TestInvestigation status_name: In Progress create_time: 1662700236 status_time: 1662700236 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.lookup_usage`	Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries.	`{ "data": { "count": 0, "size": 22, "transform": "access_app_tracker" }, "version": "1.0" }`
`app.SplunkEnterpriseSecuritySuite.notable_event_status_changes`	Reports the efficacy of the detections. Reports how long the notable events are in progress.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { [-] time: {} event_id: DA-ESS-NetworkProtection search_name: Traffic - Traffic Over Time By Transport Protocol status_label: In Progress disposition_label: NA urgency: 0 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.macro_usage`	Reports on how users use ESCU output filers for their content.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.macro_usage data: { [-] macro_name: wmi_permanent_event_subscription___sysmon_filter definition: search * } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.risk_event_information`	Reports the specific searches that create risk events in customer environments. Reports the annotations that create risk events. Reports how risk scores are associated with annotations.	{ { [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_event_information data: { [-] _time: 1662673793 annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]} calculated_risk_score: 30 risk_factor_add: 0 risk_factor_mult: 1 hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 risk_object_type: system risk_score: 30 search_name: ESCU - WMI Recon Running Process Or Services - Rule orig_sourcetype: NA } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 51708359-68B8-40D8-A789-011C8544DA92 executionID: A11AB986-2A75-406D-8405-A65D6D83AADE optInRequired: 3 timestamp: 1662702322 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.risk_notable_information`	Reports the specific searches that create risk notables in customer environments. Reports the risk events that create risk notables. Reports how risk notables are associated with annotations.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_notable_information data: { [-] _time: 1662596119 annotations: {"mitre_attack": "T1587.003", "analytic_story": "Splunk Vulnerabilities", "cis20": ["CIS 16", "CIS 3", "CIS 5"], "kill_chain_phases": "Exploitation", "nist": "DE.CM", "context": "Source:Endpoint", "observable": "{\"name\":\"splunk_server\",\"role\":[\"Victim\"],\"type\":\"Hostname\"}"} event_id: 1D3F1BA5-1EDB-43DB-A9BA-92C62607E589@@notable@@56ceb57a41ca64f8960a7c1ae5eec67c notable_type: risk_event risk_object_type: system hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 hashed_all_risk_objects: ['62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368'] risk_score: 1750 risk_search: ESCU - Splunk Digital Certificates Infrastructure Version - Rule risk_event_count: 50 search_name: Risk - 24 Hour Risk Threshold Exceeded - Rule security_domain: threat source_count: 1 orig_sourcetype: NA } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 04FB2258-FDEA-47E3-AFFA-0ECACBE79A5F executionID: 33F085CD-98E3-433A-AF4C-716A85D952A8 optInRequired: 3 timestamp: 1662702627 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.ba_detections`	Reports on which behavioral analytics detections are enabled in customer environments. Reports on how customers are using the test and risk indexes.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.ba_detections data: { [-] name: Applications Spawning cmd.exe annotations: {"mitre_attack": ["T1106"]} enabled: 0 useRiskIndex: 0 version: 1.0 id: e332f45a-e332f45a-e332f45a } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.ba_test_information`	Reports the behavioral analytics searches that create risk events in customer environments. Reports the annotations that create behavioral analytics risk events.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.ba_Test_information data: { [-] _time: 1662673793 annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]} hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368 risk_object_type: system risk_score: 30 search_name: ESCU - WMI Recon Running Process Or Services - Rule } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 51708359-68B8-40D8-A789-011C8544DA92 executionID: A11AB986-2A75-406D-8405-A65D6D83AADE optInRequired: 3 timestamp: 1662702322 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.riskfactors_usage`	Reports how customers use the risk framework.	{ { [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage data: { [-] fields_info: [ [-] {"fields_used": "dest_priority", "count": 1} {"fields_used": "user_category", "count": 2} {"fields_used": "user_priority", "count": 2} {"fields_used": "user_watchlist", "count": 1} ] total: 5 } deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f eventID: AB7AC804-8711-459C-A649-0A2DD8962299 executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036 optInRequired: 3 timestamp: 1603825511 type: aggregate visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact`	Reports how the customers engage with risk framework.	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact data: { [-] distinct_risk_object_count: 2 max_calc_risk_score: 100 max_risk_factor_add_matches: 0 max_risk_factor_mult_matches: 1 max_risk_score: 100 min_calc_risk_score: 100 min_risk_factor_add_matches: 0 min_risk_factor_mult_matches: 1 min_risk_score: 100 risk_factor_add_matches: 0 risk_factor_mult_matches: 0 risk_object_type: system } deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8 eventID: 84949E43-2964-43CC-AA04-50F2C4082674 executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC optInRequired: 3 timestamp: 1603851828 type: aggregate visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.saved_search_information`	Reports what searches are enabled in customer environments. Reports the desired outcome of the search. Reports the use of SPL	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.saved_search_information data: { [-] annotations: {} app_name: DA-ESS-NetworkProtection creates_notable: 0 creates_risk: 0 uses_suppression: 0 description: disabled: 0 search: \| `tstats` count from datamodel=Network_Traffic.All_Traffic by _time,All_Traffic.transport span=10m \| timechart minspan=10m useother=`useother` count by All_Traffic.transport \| `drop_dm_object_name("All_Traffic")` search_name: Traffic - Traffic Over Time By Transport Protocol } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 3392852E-71F0-43DD-B826-F155BE830660 executionID: D35401ED-3320-4F4B-8542-BC1068F93454 optInRequired: 3 timestamp: 1662700236 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ] }
`app.SplunkEnterpriseSecuritySuite.search_actions`	Reports what was searched for.	`{ "data": { "total_scheduled": 70, "action": "output_message", "is_adaptive_response": 1, "count": 6 }, "version": "1.0" }`
`app.SplunkEnterpriseSecuritySuite.search_execution`	Reports average run time by search to help gauge performance.	`{ "end": 1521483766, "begin": 1521396000, "data": { "avg_run_time": 0.75, "count": 2, "search_alias": "Access - Authentication Tracker - Lookup Gen" }, "version": "1.0", }`
`data.context`	Reports how many times a given workbench panel was used and the distribution of fields drilled into from workflow actions.	{ component: app.session.rum.mark data: { app: SplunkEnterpriseSecuritySuite context: { field: lokloklok panels: [ f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647 a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c ] } hero: embedded workbench panel page page: ess_workbench_panel sourceLocation: controller mounted timeSinceOrigin: 17539.599999785423 transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff } deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3 eventID: 19c90580-816d-2dc5-13a8-5af783596253 experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab optInRequired: 3 timestamp: 1587588081 userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb version: 3 visibility: anonymous,support }
`app.SplunkEnterpriseSecuritySuite.splunk_apps`	Reports what apps are installed along with Splunk Enterprise Security	{ [-] app: SplunkEnterpriseSecuritySuite component: app.SplunkEnterpriseSecuritySuite.splunk_apps data: { [-] app_label: Splunk Add-on for UEBA app_name: Splunk_TA_ueba version: 3.1.0 } deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1 eventID: 74F06225-D7EA-4EA8-B097-847679513164 executionID: 9614FCEF-ACD0-42D7-9B26-3FAFC7DF28E9 optInRequired: 3 timestamp: 1662701117 type: event userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4 visibility: [ [+] ]
`app.session.rum.measure`	Reports performance metrics around API calls.	{ [-] component: app.session.rum.mark data: { [-] app: SplunkEnterpriseSecuritySuite context: { [-] } hero: data/transforms/managed_lookups page: ess_content_management_new sourceLocation: { [-] size: 234962 bytes status: 200 success: true } timeSinceOrigin: 13765.400000035763 transactionId: 9db527a0-f349-11ec-ba71-d51f5aafc42d } deploymentID: 9aa97b42-ff6d-5381-b1d3-a80ad934fbce eventID: cde8c736-b7f9-0c84-8d34-0d8d3f99bf3e experienceID: d0a6bfc4-4c5e-00f0-a302-b9a38ae05590 optInRequired: 3 splunkVersion: 8.2.2201 timestamp: 1656025808 userID: 923d6d128a7f8bfbb1950cc0be471b9251b0209477ad236e91f31debddd99699 version: 4 visibility: anonymous,support }

ON THIS PAGE

How data is collected
What data is collected

Installation Manuals

Splunk Enterprise Security

Last updated: April 15, 2025

Explore Topics

Splunk Observability Cloud

Splunk IT Service Intelligence

Splunk Cloud Platform

Splunk Enterprise

Data Management

Splunk Enterprise Security 8

Splunk Enterprise Security 7

Splunk SOAR

Security Offerings

AppDynamics SaaS

About This Site

Community Support

Supported Add-ons

©2005-2025 Splunk Inc. All rights reserved.