Share data in Splunk Security Essentials

When Splunk Security Essentials is deployed on Splunk Enterprise, the Splunk platform sends aggregated usage data to Splunk Inc. ("Splunk") to help improve Splunk Security Essentials in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise in the Splunk Enterprise Admin Manual.

How data is collected

If you opt in globally on your Splunk Enterprise environment, Splunk Security Essentials activates an internal library to track basic usage and crash information. The library uses browser cookies to track unique visitors to the app, sessions, and sends events to Splunk using XHR in JSON format, with all user or system-identifying data resolved to GUIDs.

What data is collected

Splunk Security Essentials collects the following basic usage information:

Component Description Example
app.session.PageStatus Reports that an example was opened. 
{status: "exampleLoaded", exampleName: "New Interactive Logon from a Service Account", searchName: "New Interactive Logon from a Service Account - Demo"}
app.session.PageStatus Reports that the SPL for an example was viewed. 
{status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo"}
app.session.PageStatus Reports that an alert was scheduled. 
{status: "scheduleAlertStarted", name: "New Interactive Logon from a Service Account - Demo"}
app.session.PageStatus Reports that an alert was scheduled. 
{status: "scheduleAlertCompleted", searchName: "New Interactive Logon from a Service Account - Demo"}
app.session.PageStatus Reports that an onboarding guide was opened. 
{status: "docLoaded", pageName: "Windows Security Logs"}
app.session.PageStatus Reports that filters were updated to filter for specific examples. 
{status: "filtersUpdated", name: "category", value: "Account_Sharing", enabledFilters: ["journey", "usecase", "category", "datasource", "highlight"]}
app.session.PageStatus Reports that from the home page, a use case was clicked on. 
{status: "selectedIntroUseCase", useCase: "Security Monitoring"}
app.session.BookmarkChange Reports that an example was bookmarked. 
{status: "BookmarkChange", name: "Basic Malware Outbreak", itemStatus: "needData"}
app.session.DataStatusChange Reports that available data sources were either configured or introspected. 
{status: "DataStatusChange", category: "DS010NetworkCommunication-ET01Traffic", status: "good", selectionType: "manual"}
app.session.CustomContentCreated Reports that custom content was created. 
{status: "CustomContentCreated", mitre_technique: "T1046"}
app.session.PageStatus Reports that an error occurred. 
{status: "ErrorOcurred", banner: "Got an error while trying to update the kvstore. Your changes may not be saved.", msg: "Access Denied", locale: "en-US", anon_url: "https://……../en-US/app/Splunk_Security_Essentials/contents", page: "contents", splunk_version: "7.3.1"}
app.session.DataInventoryIntrospection Reports when Data Inventory configuration started and when it finished.

Starts 

{"name": "Introspection", "value": "started", "status": "running", "page": "Data inventory"}

Ends 

{"name": "Introspection", "value": "completed", "status": "completed", "page": "Data inventory"}
app.session.ManageBookmarks Reports that a user navigated to the Manage Bookmarks page. 
{"status": "opened",
"page": "Manage Bookmarks"}
app.session.PageStatus Reports that a user opened a link that led to an external site, such as the Splunk documentation site. 
{"status": "opened",
"page": "DYNAMIC",
"event": "clicked",}