Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

What data is collected

Splunk Enterprise Security version 8.0 collects the following basic usage information:

For information on telemetry information collected by Splunk Mission Control, see Share Splunk Mission Control data usage in Splunk Enterprise Security.

For information on telemetry information collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Name Description Example
app.SplunkEnterpriseSecuritySuite Reports on the name of the dispositions. 
data: { [-]
     action: test2
     app: SplunkEnterpriseSecuritySuite
     page: ess_incident_review_configuration
     section: disposition
   }
app.session.MissionControl.aqSidePanelOpenedapp.session.MissionControl.aqSidePanelClosedapp.session.MissionControl.aqSidePanelBackNextNavigationapp.session.MissionControl.aqSidePanelStartInvestigationapp.session.MissionControl.aqSidePanelUpdateMetadatasplSearchDoneSuccessapp.session.MissionControl.splRessultsSuccessapp.session.MissionControl.splResultsErrorapp.session.MissionControl.incidentReviewPollingPausedapp.session.MissionControl.incidentReviewPollingUnpausedapp.session.MissionControl.threat-topologyapp.session.MissionControl.drilldown-searchapp.session.MissionControl.Event_Delete Reports on the following information from the Analyst queue.
  • Search - input for searching findings and investigations
  • Search timeframe - time range drop-down when searching findings and investigations
  • Saved views - drop down selection of saved view
  • Charts - expand charts in the analyst queue
  • Timeline - expand and show timeline view in the analyst queue
  • Add new finding - manually create a finding to add to the queue
  • Refresh - refresh the analyst queue
  • Auto-refresh - toggle auto-refresh on or off
  • Queue limit - from the drop-down select show 20, 50, or 100
  • Table density - set to default or fit to length
  • Table settings - configure columns that appear on the analyst queue
  • Select all - select all findings/investigations in queue to edit, add to investigation, or run playbook
  • Edit selected - bulk edit findings/investigations in queue
  • Open side panel - selecting a finding or investigation opens the side panel with additional context and actions
  • Start investigation - convert a finding to an investigation
  • Owner - select an owner for the investigation or finding
  • Status - update the status of the finding or investigation
  • Urgency - select an urgency for the investigation or finding
  • Sensitivity - select a sensitivity for the investigation or finding
  • Disposition - select a disposition for the investigation or finding
  • Detection - open the rule configured for the detection
  • Action - string tracked in telemetry
  • Search macro - the SPL query used
  • Run time - the amount of time it took
  • Section - the expansion link in drilldown search
  • Event count - event count set to -1 when it becomes deleted
 
aqSidePanelOpened - opening a finding or investigation in the side panel

data:{[-]
id:15a31804-400d-414a-9bae-5bebd86255cf
}
aqSidePanelClosed - closing the side panel

no additional data fields collected.
aqSidePanelBackNextNavigation - using back or next navigation in side panel

data:{[-]
direction:back
}
aqSidePanelStartInvestigation - start an investigation from a finding via "Start investigation" button

data:{[-]
id:15a31804-400d-414a-9bae-5bebd86255cf
}
aqSidePanelUpdateMetadata - update metadata (dropdown fields) of a finding or investigation from the side panel

data:{[-]
id:15a31804-400d-414a-9bae-5bebd86255cf
field:urgency
value:High
}
splSearchDoneSuccess - tracks execution time for SPL searches
{
  action:'searchExecution.finished',
  searchMacro:params?.search||'',
  executionTime,
}
splRessultsSuccess - tracks time till results from splSearchDoneSuccess has a response
{
    action: 'searchResults.load',
    searchMacro: params?.search || '',
    executionTime,
}
splResultsError - tracks error if no results are found as well as execution time
{
    action: 'searchResults.error',
    searchMacro: params?.search || '',
    executionTime,
}
incidentReviewPollingPaused - tracks the incident list polling when it becomes paused.

{ action: 'incidentList.polling.paused' }
incidentReviewPollingUnpaused - tracks the incident list polling when it becomes unpaused.

{ action: 'incidentList.polling.unpaused' }
threat-topology - tracks the threat-topology tab click to indicate it has been viewed

{
action: 'view',
}
drilldown-search - tracks the drilldown search expansion link being clicked

{
action: 'click',
section: 'ir-expansion-link',
}
Event_Delete - Delete Event for incident

{"event_count": -1}
app.session.MissionControl.filterClick Reports on information when filtering the Analyst queue such as updating a filter, applying a filter, or clearing a filter. 
data: { [-]
     action: filterIncidentReviewTabl-e.click
   }
app.session.MissionControl.soarRedirectError Reports when pairing with SOAR. 
soarRedirectError - tracks redirection error during handshake 

{
fetchJWTError,
missingSoarHost: !!data && !soarHost,
missingSoarToken: !!data && !soarToken,
}
soarRedirect - tracks when SOAR becomes redirected

{ nextPage: redirectURL.split('?')[0] }
app.session.enterprise-security.turn-on-versioning-feature Reports when detection versioning is turned on. 
{ [-]
component: app.session.enterprise-security.turn-on-versioning-feature
data: ( [+]
}
deploymentID: ece11b7b-152c-551-9615-6b88319deded eventID: 23ac34e8-504a-78a1-9778-df50888f6461
experienceID: 78ed95c7-ea3e-4b93-1c4f-9f48f6962065
optInRequired: 3
original_event_id: 24d9888d1bdfdb05e6beee8f13208a434300162302a88c68cddd7def7f0b630
original_timestamp: 1720808246
splunkVersion: 9.2.1
timestamp: 1720808246
userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e
version: 4
visibility: anonymous
}
app.session.enterprise-security.change-detection-status Reports when any version of the detection is turned on or turned off. 
{ [-]
component: app.session.enterprise-security.change-detection-status
data: { [-] action: on app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection
deploymentID: ece11b7b-152c-55e1-9615-6b88319deded eventID: 40c0450e-181f-13cc-92d4-f0f1fcbd3f0c
experienceID: 415c2b23-a769-6ce6-bfb7-d8599e34ec4c
optInRequired: 3
original_event_id: 1a4cd5afd0edb67a0c9e19d319776fdebd5c2760742be2156124149811cd6703
original_timestamp: 1721077418
splunkVersion: 9.2.1
timestamp: 1721077418
userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e
version: 4
visibility: anonymous
}
app.session.enterprise-security.click-clone-detection Reports when cloning a detection. 
{ [-]
component: app.session.enterprise-security.click-clone-detection
data: { [-]
action: click app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection
deploymentID: ece11b7b-152c-55e1-9615-6b88319deded eventID: 08e15867-18ea-4e84-7770-806b0ee6fc05
experienceID: 116b0f1d-63fd-682a-de59-384a11c4295c optInRequired: 3
original_event_id: 3ad9fad94205829ba21adf632a8d2c4e2665f5a5c3be5797208eca50782e85b2
original_timestamp: 1721323830
splunkVersion: 9.2.1
timestamp: 1721323830
userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e
version: 4
visibility: anonymous
}
app.session.enterprise-security.clone-detection Reports when cloning a detection is completed. 
component: app.session.enterprise-security.clone-detection
data: { [-]
action: cloned
app: SplunkEnterpriseSecuritySuite page: finding_based_detection
section: finding_based_detection
deploymentID: ece11b7b-152c-55e1-9615-6b88319deded
eventID: 265814b6-1738-074c-f496-f9aea50d6f81
experienceID: 116b0f1d-63fd-682a-de59-384a11c4295c
opt InRequired: 3
original_event_id: c864d57f553df0e3bfd409153b92ab1c8a0543d579a76e81f333586ac179eeb7
original_timestamp: 1721323842
splunkVersion: 9.2.1
timestamp: 1721323842
userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e
version: 4
visibility: anonymous
}
app.session.enterprise-security.save-detection Reports when a new version of a detection is saved. 
{ [-]
component: app.session.enterprise-security.save-detection
data: { [-] action: save app: SplunkEnterpriseSecuritySuite page: finding_based_detection section: finding_based_detection
}
deploymentID: ece11b7b-152c-551-9615-6b88319deded eventID: 2083c707-88a0-2e50-3e50-f6479bdc81df
experienceID: 169f32dd-a05c-9b86-de66-c2fe6e62d238
optInRequired: 3
original_event_id: 315c44b4e192ba411f0d643ad168b7bea1743cd75e5a4b23148335f628fa4bcd
original_timestamp: 1721423295
splunkVersion: 9.2.1
timestamp: 1721423295
userID: d8a3c6a8cb2ce3185b989857043cd71a7451e502cd38002a2682eca0439a207e
version: 4
visibility: anonymous
}
app.session.MissionControl.imSubscription Reports on the intelligence management configuration and and checks if the user is subscribed. 
imSubscription
{
    subscribed: 0 or 1
}
app.session.MissionControl.imcorrelationsearchstatusapp.session.MissionControl.imparsemodinputstatusapp.session.MissionControl.imretrievemodinputstatus
  • Reports on the status of a crucial correlation search for setting up intelligence management features.
  • Reports on the status of "parse_im_indicators_files" modular input, which is critical for TIM features.
  • Reports on the status of "retrieve_im_indicators" modular input, which is critical for TIM features.
 
imcorrelationsearchstatus
data: { [-]
     app: SplunkEnterpriseSecuritySuite
     csearch_label: _TW_Threat Activity Detected
     csearch_name: Threat - _TW_Threat Activity Detected - Rule
     description: Alerts when any activity matching threat intelligence is detected.
     disabled: 0
     is_scheduled: 1
     schedule: 10 * * * *
     security_domain: threat
  }
imparsemodinputstatus
data: { [-]
     parse_mod_disabled: 0
   }
imretrievemodinputstatus 
data: { [-]
     retrieve_mod_disabled: 0
}
app.session.MissionControl.responseTemplateSearchCountapp.session.MissionControl.responsePlanSearchClickedapp.session.MissionControl.responsePlanAddTaskError
  • Reports on the number of searches defined in a new template.
  • Reports on the search action in the response plan.
  • Reports on the error of adding a task in the response plan's phases.
 
responseTemplateSearchCount

{    name:hashString(responseData.name),
    status:responseData.template_status,
    count:getSearchCount(responseData),
}
responsePlanSearchClicked

{
responseName: hashString(responseName),
spl: hashString(spl),
}
responsePlanAddTaskError
{
errorType: telemetryEvents.RESPONSE_PLAN_ADD_ADHOC_TASK_ERROR,
errorMessage: apiErrorMessage,
payload: requestPayload,
}
JSONSyntaxError - tracks the JSON Syntax error

{
errorType: JSONSyntaxError
}
app.session.MissionControl.fileUploadTooBigError Reports on the error messages if the size of the uploaded file exceeds a threshold. 
data: { [-]
     errorMessage: error
   }

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.