KV Store collections in Splunk Enterprise Security
Core KV Store collections in Splunk Enterprise Security
The following table describes common KV Store collections in Splunk Enterprise Security and the data they store. These KV Store collections are search-head copies of data replicated from the Threat Intelligence Management (TIM) service. Records removed from these KV Store collections are not archived to the KV retention index before deletion because the data is maintained by TIM.
| KV Store collection | Description | Key fields | KV Store backed up |
|---|---|---|---|
| missioncontrol.findings | Stores detection findings and intermediate findings from automated detections. | finding_id, severity, status, assigned_to, entities, created_time | Yes |
| missioncontrol.investigations | Stores all current and closed investigations for case management. | investigation_id, title, status, assigned_to, created_time, closed_time | Yes |
| missioncontrol.im_threat_indicators | Stores indicators of compromise (IOCs) that are ingested using Threat Intelligence Management. | indicator_value, indicator_type, confidence, expiration_time | No |
| missioncontrol.tim_iocs | Stores additional threat IOCs such as IP addresses, domains, file hashes, and so on. | ioc_value, ioc_type, confidence, expiration_time | No |
Threat intelligence KV Store collections (da-ess-threatintelligence)
The following table describes KV Store collections for threat intelligence in Splunk Enterprise Security and the data they store.
| KV Store collection | Description | Key fields | KV Store backed up |
|---|---|---|---|
| da-ess-threatintelligence.certificate_intel | Tracks and enriches file-based threat intelligence such as hash, name, threat details, and so on. | certificate_hash, issuer, valid_to, weight | Yes |
| da-ess-threatintelligence.email_intel | Email-based threat intelligence indicators. | email, weight, confidence, description | Yes |
| da-ess-threatintelligence.file_intel | File hash threat intelligence indicators. | file_hash, file_name, hash_type, weight | Yes |
| da-ess-threatintelligence.http_intel | URL and domain threat intelligence indicators. | url, domain, weight | Yes |
| da-ess-threatintelligence.ip_intel | IP address threat intelligence indicators. | ip, cidr, confidence, weight | Yes |
| da-ess-threatintelligence.process_intel | Process-based threat intelligence indicators. | process_name, process_hash, weight | Yes |
| da-ess-threatintelligence.registry_intel | Registry-based threat intelligence indicators. | registry_path, registry_value, weight | Yes |
| da-ess-threatintelligence.service_intel | Service-related threat intelligence indicators. | service_name, weight | Yes |
| da-ess-threatintelligence.user_intel | User-related threat intelligence indicators. | user, weight, confidence | Yes |
Network protection KV Store collections
The following table describes KV Store collections for network protection in Splunk Enterprise Security and the data they store.
| KV Store collection | Description | Key fields | KV Store backed up |
|---|---|---|---|
| da-ess-networkprotection.vulnerability_tracker | Stores network vulnerability and threat enrichment data for security use cases. | vulnerability_id, asset, severity, first_seen, last_seen | Yes |
| da-ess-networkprotection.whois_tracker | Persists WHOIS enrichment data to enable network investigation. | domain, whois_record, created_date, _time | Yes |
Security analytics add-on KV Store collections (sa-*)
The following table describes KV Store collections for security analytics in Splunk Enterprise Security and the data they store.
| KV Store collection | Description | Key fields | KV Store backed up |
|---|---|---|---|
| sa-accessprotection.access_tracker | Tracks unique user-to-destination access patterns for change detection. | user, asset, access_type, last_seen | Yes |
| sa-endpointprotection.listeningports_tracker | Baselines active listening ports on endpoints for anomaly detection. | host, port, protocol, process | Yes |
| sa-endpointprotection.localprocesses_tracker | Stores process inventory and trends to support rare process and host anomaly detection. | host, process_name, process_hash, last_seen | Yes |
| sa-endpointprotection.malware_tracker | Persistently captures malware detection records for endpoints. | host, file_hash, malware_name, severity | Yes |
| sa-endpointprotection.useraccounts_tracker | Tracks user-to-host account activity (logins, session state, anomalies). | host, user, account_status | Yes |
| sa-identitymanagement.assets_by_str | Merges string-based asset inventory from multiple normalized asset sources. | asset, identity, priority, owner | Yes |
| sa-networkprotection.ids_attack_tracker | Persists IDS attack detections for network incident correlation. | signature, source_ip, dest_ip, severity | Yes |
| sa-threatintelligence.incident_review | Logs incident workflow data including status, assignee, and transitions. | incident_id, status, owner, urgency | Yes |