Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether you opt in to send usage data to Splunk, and they do not have any significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user journey information, with users' personally identifiable information redacted.

Splunk collects usage data to improve the design, usability, and experience of the product. Customers may opt out of sharing AI data including, but not limited to, chats, responses, context, and feedback. To opt out of sharing this AI data, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.

What data is collected

Splunk Enterprise Security version 8.5 collects the following basic usage information. This page includes new telemetry components introduced in version 8.5. Splunk Enterprise Security still collects components introduced in earlier versions. Use the version selector to see data collection documentation from earlier versions.

For more information on telemetry information collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Component Description Example
ai-analysis-feedback-submitted Measure usefulness/quality of AI Analysis responses by incident and reason breakdown
JSON
{
  "component": "AI_ANALYSIS_FEEDBACK_SUBMITTED",
  "data": {
    "feedbackType": "THUMBS_DOWN",
    "feedbackReason": "Incorrect",
    "incidentId": "INC-12345"
  }
}
ai-analysis-nested-section-toggled Understand which sections users engage with most; which tools are surfaced/used
JSON
{
  "component": "AI_ANALYSIS_NESTED_SECTION_TOGGLED",
  "data": {
    "sectionId": "tools",
    "action": "OPENED",
    "incidentId": "INC-12345",
    "tools": [
      {"app_id": "risk", "app_name": "Risk Analysis"}
    ]
  }
}
ai-analysis-section-toggled Track overall engagement with AI Analysis section visibility
JSON
{
  "component": "AI_ANALYSIS_SECTION_TOGGLED",
  "data": {
    "action": "COLLAPSED",
    "incidentId": "INC-12345"
  }
}
ai-analysis-view-details-clicked Track deeper investigation intent and feature usage
JSON
{
  "component": "AI_ANALYSIS_VIEW_DETAILS_CLICKED",
  "data": {
    "incidentId": "INC-12345"
  }
}
ai-suggested-disposition-match Measures AI suggestion adoption / trust signal (how often users accept AI's suggested disposition)
JSON
{
  "component": "aiSuggestedDispositionMatch",
  "data": {
    "incidentId": "INC-12345",
    "aiSuggestedDisposition": "True Positive",
    "selectedDisposition": "True Positive",
    "dispositionMatches": true
  }
}
detection-status-filter-changed Understand how users filter detections (which states are most used) and UX effectiveness of filtering
JSON
{
  "component": "detectionStatusFilterChanged",
  "data": {
    "filterValue": "on",
    "previousValue": "off",
    "source": "detections"
  }
}
ai-triage-status-filter-changed Understand how users filter detections by AI triage status and UX effectiveness of filtering
JSON
{
  "component": "aiTriageStatusFilterChanged",
  "data": {
    "filterValue": "on",
    "previousValue": "off",
    "source": "detections"
  }
}
detections-search-performed Understand search adoption and effectiveness (zero-result searches, common filters paired with searches)
JSON
{
  "component": "detectionsSearchPerformed",
  "data": {
    "searchQuery": "ransomware",
    "resultCount": 12,
    "detectionStatusFilter": "all",
    "aiTriageStatusFilter": "all",
    "source": "detections"
  }
}
detections-load-error Track reliability issues and identify failing filter combinations / backend problems
JSON
{
  "component": "detectionsLoadError",
  "data": {
    "errorMessage": "Request failed with status 500",
    "statusCode": 500,
    "filters": {
      "detectionStatus": "All",
      "aiTriageStatus": "All",
      "search": "ransomware"
    },
    "source": "detections"
  }
}
ai-triage-bulk-turned-on Adoption and usage patterns of bulk AI triage; size of bulk operations and which detections are targeted
JSON
{
  "component": "aiTriageBulkTurnedOn",
  "data": {
    "detectionCount": 3,
    "detections": [...],
    "source": "detections"
  }
}
ai-triage-bulk-turned-off Adoption and usage patterns of bulk AI triage; size of bulk operations and which detections are targeted
JSON
{
  "component": "aiTriageBulkTurnedOff",
  "data": {
    "detectionCount": 3,
    "detections": [...],
    "source": "detections"
  }
}
rbac-team-queue (permissions-updated) Capture role counts for each permission in a queue when save is hit; tracks usage of granular permission settings
JSON
{
  "component": "rbac-team-queue",
  "data": {
    "section": "rbac-team-queue-permissions-updated",
    "action": {
      "queueId": "some-random-queue-id",
      "teamQueuePermissionCount": {
        "create": 10, "edit": 12,
        "read": 15, "delete": 8, "execute": 2
      }
    }
  }
}
rbac-team-queue (retention-period-configured) Captures the difference between queue-specific and global investigation retention period in days; only fires when global policy is enabled and queue retention is updated
JSON
{
  "component": "rbac-team-queue",
  "data": {
    "section": "create_queue",
    "action": "rbac-team-queue-retention-period-configured",
    "retentionPeriodDifference": 35
  }
}
live-test-mode (status-change-attempt) Measure Live Test adoption rates, aggregate by detection types, track errors during status transition
JSON
{
  "component": "live-test-mode",
  "data": {
    "action": "status-change-attempt",
    "detection_id": "some-detection-id",
    "app_name": "SplunkEnterpriseSecuritySuite",
    "version": "2.1",
    "detection_type": "ebd",
    "from_state": "off",
    "to_state": "live_test",
    "is_successful": true,
    "error_message": ""
  }
}
live-test-mode (inventory-snapshot) Measure how many detections and versions are being tested in Live Test mode at once
JSON
{
  "component": "live-test-mode",
  "data": {
    "action": "inventory-snapshot",
    "live-test-mode-detections-count": 2,
    "live-test-mode-versions-count": 3
  }
}
sint-local-source (create) Measure how many local sources are created
JSON
{
  "component": "SINT_LOCAL_SOURCE",
  "data": {
    "action": "create",
    "name": "my source",
    "sourceType": "lineOriented"
  }
}
sint-local-source (update) Measure how many local sources are updated
JSON
{
  "component": "SINT_LOCAL_SOURCE",
  "data": {
    "action": "update",
    "name": "my source",
    "sourceType": "lineOriented"
  }
}
sint-local-source (delete) Measure how many local sources are deleted
JSON
{
  "component": "SINT_LOCAL_SOURCE",
  "data": {
    "action": "delete",
    "name": "my source"
  }
}
sint-local-source (activate) Measure how many local sources are activated
JSON
{
  "component": "SINT_LOCAL_SOURCE",
  "data": {
    "action": "activate",
    "name": "my source"
  }
}
sint-local-source (deactivate) Measure how many local sources are deactivated
JSON
{
  "component": "SINT_LOCAL_SOURCE",
  "data": {
    "action": "deactivate",
    "name": "my source"
  }
}
sint-cloud-source (subscribe) Measure how many cloud sources are subscribed
JSON
{
  "component": "SINT_CLOUD_SOURCE",
  "data": {
    "action": "subscribe",
    "name": "cloud source"
  }
}
sint-cloud-source (unsubscribe) Measure how many cloud sources are unsubscribed
JSON
{
  "component": "SINT_CLOUD_SOURCE",
  "data": {
    "action": "unsubscribe",
    "name": "cloud source"
  }
}
sint-threatlist (create) Measure how many threatlists are created
JSON
{
  "component": "SINT_THREATLIST",
  "data": {
    "action": "create",
    "name": "my threatlist"
  }
}
sint-threatlist (update) Measure how many threatlists are updated
JSON
{
  "component": "SINT_THREATLIST",
  "data": {
    "action": "update",
    "name": "my threatlist"
  }
}
sint-threatlist (delete) Measure how many threatlists are deleted
JSON
{
  "component": "SINT_THREATLIST",
  "data": {
    "action": "delete",
    "name": "my threatlist"
  }
}
sint-threatlist (activate) Measure how many threatlists are activated
JSON
{
  "component": "SINT_THREATLIST",
  "data": {
    "action": "activate",
    "name": "my threatlist"
  }
}
sint-safelist (create) Measure how many safelists are created
JSON
{
  "component": "SINT_SAFELIST",
  "data": {
    "action": "create",
    "name": "my safelist"
  }
}
sint-safelist (delete) Measure how many safelists are deleted
JSON
{
  "component": "SINT_SAFELIST",
  "data": {
    "action": "delete",
    "name": "my safelist"
  }
}
sint-safelist-entry (update) Measure how many safelist entries are updated
JSON
{
  "component": "SINT_SAFELIST_ENTRY",
  "data": {
    "action": "update",
    "name": "my safelist entry"
  }
}
sint-safelist-entry (delete) Measure how many safelist entries are deleted
JSON
{
  "component": "SINT_SAFELIST_ENTRY",
  "data": {
    "action": "delete",
    "safelistId": "my safelistId",
    "termID": "termId"
  }
}
detection-in-editor-testing (diet-test-launch) Tracks how many detection tests are being run
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-test-launch",
    "mode": "findings",
    "time_preset": "24h"
  }
}
detection-in-editor-testing (diet-test-cancel) Tracks how many times results loading is canceled
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-test-cancel",
    "mode": "findings",
    "time_preset": "24h"
  }
}
detection-in-editor-testing (diet-versioning-test-launch) Tracks how many version comparison tests are being run
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-versioning-test-launch",
    "mode": "findings",
    "time_preset": "24h"
  }
}
detection-in-editor-testing (diet-test-versioning-cancel) Tracks how many times results loading for version comparison is canceled
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-test-versioning-cancel",
    "mode": "findings",
    "time_preset": "24h"
  }
}
detection-in-editor-testing (diet-results / success) Tracks how many times results fetch was successful for user
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-results",
    "result": "success",
    "precision": "count",
    "mode": "findings"
  }
}
detection-in-editor-testing (diet-warning / partial) Tracks how many times results shown were partial
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-warning",
    "type": "partialResults",
    "precision": "count",
    "mode": "findings"
  }
}
detection-in-editor-testing (diet-error) Tracks how many times results fetch was not successful and the reason for it
JSON
{
  "component": "detection-in-editor-testing",
  "data": {
    "action": "diet-error",
    "type": "activeDetection",
    "message": "Something went wrong"
  }
}
aqSidePanelLayoutChanged Determines whether users are leveraging the new streamlined two-column redesign experience in the AQ side panel
JSON
{
  "appName": "MissionControl",
  "component": "aqSidePanelLayoutChange",
  "data": {
    "columns": 2
  }
}
collapsibleSectionToggled Determines what information sections in the AQ sidepanel and investigation overview users persist for daily usage
JSON
{
  "appName": "MissionControl",
  "component": "collapsibleSectionToggled",
  "data": {
    "sectionId": "sidepanel_response_history",
    "isOpen": true
  }
}
fieldGroupSelectionChanged Determines what field groups the analyst deems important for investigation/triage
JSON
{
  "appName": "MissionControl",
  "component": "fieldGroupSelectionChanged",
  "data": {
    "selectedGroups": "metadata, mitre_attack, pinned",
    "source": "mc.details-section-groups.sidepanel"
  }
}
viewCompleteAnalysis Determines how often the analyst uses the new Threat analysis tab in the investigation page to view full job details
JSON
{
  "appName": "MissionControl",
  "component": "viewCompleteAnalysis",
  "data": undefined
}
saa-invocation Track SAA API reliability and adoption — success/failure rates per endpoint, identify unreliable endpoints, measure overall SAA feature usage volume
JSON
{
  "component": "saa-invocation",
  "metadata": {
    "endpoint": "submit_url_job",
    "job_id": "abc-123",
    "success": true,
    "status_code": 200
  }
}
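
For a data-governance review of what each component sends, the following added example (not Splunk code) flattens event payloads into field paths and types, then lists the string-valued fields so they can be read by hand. The sample events are copied from the table above; the function names are assumptions of this example.

```python
import json

# Sample events copied from this page's examples (values are the page's own).
SAMPLE_EVENTS = json.loads("""[
  {"component": "detectionsSearchPerformed",
   "data": {"searchQuery": "ransomware", "resultCount": 12,
            "detectionStatusFilter": "all", "aiTriageStatusFilter": "all",
            "source": "detections"}},
  {"component": "detectionsLoadError",
   "data": {"errorMessage": "Request failed with status 500", "statusCode": 500,
            "filters": {"detectionStatus": "All", "aiTriageStatus": "All",
                        "search": "ransomware"},
            "source": "detections"}},
  {"component": "saa-invocation",
   "metadata": {"endpoint": "submit_url_job", "job_id": "abc-123",
                "success": true, "status_code": 200}},
  {"appName": "MissionControl", "component": "collapsibleSectionToggled",
   "data": {"sectionId": "sidepanel_response_history", "isOpen": true}}
]""")

def leaf_paths(value, prefix=""):
    """Yield (dotted_path, python_type_name) for every leaf value under `value`."""
    if isinstance(value, dict):
        for key, child in value.items():
            yield from leaf_paths(child, f"{prefix}.{key}" if prefix else key)
    elif isinstance(value, list):
        for child in value:  # list items share one path, marked with []
            yield from leaf_paths(child, prefix + "[]")
    else:
        yield prefix, type(value).__name__

def field_inventory(events):
    """Map component -> sorted (path, type) pairs for everything beside "component".

    Most events carry "data"; saa-invocation carries "metadata", and
    MissionControl events add a top-level "appName", so all keys are walked.
    """
    inventory = {}
    for event in events:
        payload = {k: v for k, v in event.items() if k != "component"}
        inventory.setdefault(event["component"], set()).update(leaf_paths(payload))
    return {name: sorted(paths) for name, paths in inventory.items()}

def string_fields(inventory):
    """Return 'component:path' for each string-typed leaf, for manual review."""
    return sorted(f"{c}:{p}" for c, paths in inventory.items() for p, t in paths if t == "str")

if __name__ == "__main__":
    for line in string_fields(field_inventory(SAMPLE_EVENTS)):
        print(line)
```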

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.