|
app.session.soar.*
automation.*
automation.summary.*
orchestration.*
|
Either:
- companyID: Splunk SOAR (On-premises), a SHA256 hash of the company name as listed in the license, or
- stackID: Splunk SOAR (Cloud), a SHA256 hash of the stack name
And:
- licenseNumber: the license key that was issued to your deployment.
- licenseIssueDate: the date the license was issued.
- licenseExpirationDate: the date the license will expire.
- licenseInstance: Internal Salesforce ticket number to issue the license.
Splunk SOAR sends the deploymentID with every event. This change adds either companyID or stackID and licenseNumber, licenseIssueDate, licenseExpirationDate, and licenseInstance wherever deploymentID is currently logged. |
{
"data": {
...
"licenseNumber": "0ffff-ffff-fff-fff-ffffff",
"licenseIssueDate": "2024-12-22",
"licenseExpirationDate": "2024-12-22",
"licenseInstance": "12304",
},
"timestamp": 1684779074013,
"component": "app.session.soar.systemSettings",
"deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
"companyID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff",
"eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
"experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
Or
{
"data": {
...
"licenseNumber": "0ffff-ffff-fff-fff-ffffff",
"licenseIssueDate": "2024-12-22",
"licenseExpirationDate": "2024-12-22",
"licenseInstance": "12304",
},
"timestamp": 1684779074013,
"component": "app.session.soar.systemSettings",
"deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
"stackID": "f3f5d1d9aba493153151e468915ca995a3355692da5ddc823e42044333a9deff",
"eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
"experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
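As an added example (not Splunk code), the following validator is what a defender reviewing captured outbound telemetry could run to confirm that each event carries the documented identifiers, that companyID or stackID is the SHA256 digest described above rather than the bare name, and that the license fields travel with deploymentID. The sample event, deployment ID and company name are constructed for illustration.

```python
import hashlib
import re
from typing import Optional

# Field names are taken from the documented telemetry envelope; everything
# else here (sample values, function names) is constructed for this example.
HEX64 = re.compile(r"^[0-9a-f]{64}$")
KNOWN_PREFIXES = ("app.session.", "automation.", "orchestration.")
LICENSE_FIELDS = ("licenseNumber", "licenseIssueDate",
                  "licenseExpirationDate", "licenseInstance")


def expected_id(name: str) -> str:
    """companyID (on-prem) and stackID (cloud) are SHA256 digests of a name."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def validate_event(event: dict, known_name: Optional[str] = None) -> list:
    """Return findings for one event in the post-change format (license fields
    alongside deploymentID); an empty list means it matches the documentation."""
    findings = []
    component = str(event.get("component", ""))
    if not component.startswith(KNOWN_PREFIXES):
        findings.append("undocumented component %r" % component)
    if not str(event.get("deploymentID", "")).startswith(("soar-", "phantom-")):
        findings.append("deploymentID missing or not soar-/phantom- prefixed")

    # Exactly one of companyID or stackID is expected next to deploymentID.
    ids = [k for k in ("companyID", "stackID") if k in event]
    if len(ids) != 1:
        findings.append("expected exactly one of companyID/stackID, found %r" % ids)
    else:
        value = str(event[ids[0]])
        if not HEX64.match(value):
            # A non-hex value would mean the name is being sent unhashed.
            findings.append("%s is not a 64-hex-char SHA256 digest" % ids[0])
        elif known_name is not None and value != expected_id(known_name):
            findings.append("%s does not match SHA256 of the known name" % ids[0])

    data = event.get("data") or {}
    missing = [f for f in LICENSE_FIELDS if f not in data]
    if missing:
        findings.append("license fields missing from data: %r" % missing)
    if event.get("visibility") not in ("anonymous", ["anonymous"]):
        findings.append("unexpected visibility %r" % (event.get("visibility"),))
    return findings


# Constructed sample: an on-premises systemSettings event shaped as documented.
SAMPLE_ONPREM = {
    "data": {"licenseNumber": "0ffff-ffff-fff-fff-ffffff",
             "licenseIssueDate": "2024-12-22",
             "licenseExpirationDate": "2024-12-22",
             "licenseInstance": "12304"},
    "timestamp": 1684779074013,
    "component": "app.session.soar.systemSettings",
    "deploymentID": "soar-00000000-0000-0000-0000-000000000000",
    "companyID": expected_id("Example Corp"),
    "visibility": "anonymous",
}
```

Feed it the events as captured from the telemetry endpoint; a non-empty list for a production event means the payload diverges from what this page documents.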
|
app.session.soar.apiTime
|
Reports roundtrip time consumption for each API request. |
data: {
app: soar
endpoint: /rest/ph_user/3/permissions
method: get
page: UNKNOWN_PAGE
status: 200
time: 150
soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 551e5c46-4f71-d92a-51ba-30cf97ae3a97
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213030362
visibility: anonymous
|
app.session.soar.error |
Reports uncaught errors of front-end Splunk SOAR scripts. |
data: {
app: soar
errorMsg: Uncaught ReferenceError: helloworld is not defined
file: /inc/swa/swa_enabled.js
page: admin.product_settings.telemetry
position: 74:1
soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 94efce66-ab89-33ae-f894-1cceb8f68f78
experienceID: 239facf6-261d-dd96-be08-33870c7d3750
optInRequired: 3
timestamp: 1574294947704
visibility: anonymous
|
app.session.soar.license
|
Reports license status, limits, and usage information. Sent once per session.
- usage: usage metrics; activeUsersCount is a count of users who logged in during the past day.
- app: "soar"
- page: UNKNOWN_PAGE (this item is not being tracked)
- type: Type of license (standard, community, dev)
- issueDate: timestamp when license issued
- expirationDate: timestamp when license is due to expire
- limits: Maximum usage allowed with the current license
- limit.apps: the maximum number of apps the deployment can have, as set by your license.
- limit.assets: the maximum number of assets the deployment can have, as set by your license.
|
{
'type': 'standard',
'issueDate': 1616371200.0,
'expirationDate': 4769971200.0,
'companyName':
'limits': {
'actions': 'unlimited', (NEW)
'apps': 'unlimited',
'assets': 'unlimited', (NEW)
'events': 'unlimited',
'users': 'unlimited',
'tenants': 1,
'seats': 'unlimited'
},
'productVersion': '10155.0.0.124976',
'usage': {
'recentAppRunCount': 0,
'recentPlaybookRunCount': 0,
'recentDebugRunCount': 0,
'seatCount': 1,
'activeUsersCount': 2,
}
}
|
app.session.soar.pageview
|
Reports which pages are visited by users. |
data: {
app: soar
page: admin.company_settings.info
soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: 0db11144-7c14-88f7-b3e9-3a999102bfc6
experienceID: 20d4d671-7d18-f74a-c72f-9811b5bee20d
optInRequired: 3
timestamp: 1574210581565
visibility: anonymous
|
app.session.soar.systemSettings
|
Reports the feature on/off settings and product version.
- credentialManager: which credential manager is in use.
- app: "phantom"
- page: UNKNOWN_PAGE (This item is not being tracked)
- isClusteringEnabled
- isMultiTenantEnabled
- numberofClusterNodes
- productVersion: Version number of the Splunk SOAR or Splunk Phantom instance
|
{
"optInRequired": 3,
"original_timestamp": 1684779074013,
"visibility": "anonymous",
"data": {
"cloudWorksEnvironment": "stg",
"isClusteringEnabled": false,
"numOfClusterNodes": 0,
"isMultiTenantEnabled": false,
"nodeGUID": "057f9e04-d54c-4ccc-9ffb-4aa82551b4d6",
"page": "UNKNOWN_PAGE",
"isElasticSearchEnabled": false,
"credential_manager": "hashicorp",
"splunkConfig": {
"searchLocation": "local",
"searchType": "standalone"
},
"app": "soar",
"missionControlDeploymentID": null,
"soarDeploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
"license": "standard",
"soarUserID": "5ebe9df18591550e99cd82079e8448a1c14582f0c04cfd84eaa3a254cae8675cc1eb2097c47dcc99c184481d89949492c4b700918c1e20f909f1bc5f4ea400c6",
"productVersion": "10155.0.0.124976"
},
"timestamp": 1684779074013,
"component": "app.session.soar.systemSettings",
"deploymentID": "soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc",
"eventID": "a74fd484-8d28-c0e8-c5bf-0b9ebf130665",
"experienceID": "0b64f885-637b-9d67-289a-b4d4925e17fe"
}
|
app.session.session_start |
Reports the browser and OS, along with their versions. |
{
data: {
app: UNKNOWN_APP
browser: Chrome
browserVersion: 78.0.3904.97
device: MacIntel
locale: en-US
os: Mac OS X
osVersion: 10.
page: UNKNOWN_PAGE
splunkVersion: not available
}
eventID: d9ca862c-d48d-83a1-d1bb-f0f25f4b5af8
experienceID: 6c2c534b-e750-e1a0-95fd-fcada1a50be0
optInRequired: 3
timestamp: 1574213029
visibility: anonymous
}
|
app.session.phantom.viewTime |
Reports time spent on a specific page. Only tracked for specific pages. |
{
data: {
app: phantom
page: reports
viewTime: 10223
phantomDeploymentID: phantom-a2a983de-38ec-42d7-a179-30087b0ca8ca
phantomUserID: 5d900c28b8d1555745c09908ef386860
}
eventID: 545fdcfb-ac0d-a11b-da6a-4b9da84b6c2a
experienceID: 85b49544-fb90-a2ef-1b3f-e09339f3abc1
optInRequired: 3
timestamp: 1573690198763
visibility: anonymous
}
|
app.session.soar.vpe
|
Reports:
- VPE version (Classic or Modern)
- The types of blocks in a playbook
- The number of blocks in a playbook
- Which hotkey shortcuts were used while editing a playbook
- Specific Splunk SOAR features used in a playbook
|
component: app.session.soar.vpe
data: {
app: soar
jsonSchemaVersion:"5.0.3"
page: UNKNOWN_PAGE
blocks: {
totalCount: 14
blockTypes: {
action: 2
playbook: 1
code: 1
utility: 1
filter: 1
decision: 1
format: 6
prompt: 1
}
customCodeBlockCount: 3
customCodeBlockTypeCounts: {
start: 0
end: 1
action: 2
playbook: 0
code: 0
utility: 0
filter: 0
decision: 0
format: 0
prompt: 0
}
actions: ["geolocate ip", "whois domain"]
}
hotkeys: {
totalCount: 14
interactions: {
addMiniMenu: 7
addActionBlock: 6
addPlaybookBlock: 0
addCodeBlock: 0
addUtilityBlock: 0
addFilterBlock: 0
addDecisionBlock: 0
addFormatBlock: 1
addPromptBlock: 0
autoArrange: 1
zoomToFit: 1
zoomIn: 0
zoomOut: 0
savePlaybook: 1
deleteNode: 0
toggleEditor: 1
toggleDebugger: 1
toggleSettings: 1
showShortcutModal: 1
}
}
features: {
customConditionLabel: 3
customDatapaths: 2
playbookInputs: {
count: 0
dataTypes: {
"domain": 0
"file id": 0
"file name": 0
"file path": 0
"hash": 0
"host name": 0
"ip": 0
"mac address": 0
"port": 0
"process name": 0
"url": 0
"user name": 0
}
}
playbookOutputs: {
count: 1
dataTypes: {
"domain": 1
"file id": 0
"file name": 0
"file path": 0
"hash": 0
"host name": 0
"ip": 0
"mac address": 0
"port": 0
"process name": 0
"url": 0
"user name": 0
}
dedupeCount: 0
}
}
playbookType: automation
playbookName: 5d900c28b8d1555745c09908ef133337
soarDeploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
soarUserID: 5d900c28b8d1555745c09908ef386860
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
|
app.session.soar.vpeTime
|
Reports the time in milliseconds it took for the VPE to load in the browser. |
component: app.session.soar.vpeTime
data: {
app: soar
pageLoadTime: 10298
}
deploymentID: soar-a2a983de-38ec-42d7-a179-30087b0ca8ca
eventID: d4b331e7-3ce3-91b6-7724-bc4d7235bca9
experienceID: 21febb16-c3f6-cbd5-ffac-905f1466c830
optInRequired: 3
timestamp: 1576695256840
visibility: anonymous
|
automation.summary.app_summary |
A summary of apps installed on the system.
- app_name: The human-readable name of the app.
- description: A description of what the app does.
- version: The version number of the app.
- product_name: The product name of the app.
- product_vendor: The product vendor of the app.
|
{
'type': 'event',
'component': 'automation.summary.app_summary',
'data': {
'app_name': 'MaxMind',
'description': 'This app provides IP geolocation with the included MaxMind database',
'version': '2.2.5',
'product_name': 'GeoIP2',
'product_vendor': 'MaxMind',
'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'dev'
},
'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'optInRequired': 3,
'version': None,
'timestamp': 1685128654000,
'visibility': [
'anonymous'
]
}
|
automation.summary.case_summary |
A summary of opened and closed cases in the last 24 hours.
- opened: The number of created cases in the last 24 hours.
- closed: The number of cases closed in the last 24 hours.
- promoted: The number of items promoted to a case in the last 24 hours.
|
{
'type': 'aggregate',
'component': 'automation.summary.case_summary',
'data': {
'opened': 120,
'closed': 87,
'promoted': 12,
'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None
},
'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'optInRequired': 3,
'version': None,
'timestamp': 1685658250000,
'visibility': [
'anonymous'
],
'indexData': True,
'begin': 1685491200000,
'end': 1685577599000
}
|
automation.summary.ingestion_status |
Ingestion status and events ingested per Splunk SOAR deployment.
- adhoc: Counts of adhoc ingestion runs by status
- automated: Counts of automated ingestion runs by status
- all: Counts of both ingestion runs by status
- Successful
- Failed
- Running
- Total
- event_ingested_count: Count of events ingested over the past day
|
{
'type': 'aggregate',
'component': 'automation.summary.ingestion_status',
'data': {
'adhoc': None,
'automated': None,
'all': {
'total': 1,
'success': 1,
'failed': 0,
'running': 0
},
'event_ingested_count': 1,
'soarDeploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc',
'license': 'standard',
'productVersion': '10155.0.0.124976',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'stg'
},
'deploymentID': 'soar-c48ed12b-262f-47e1-99b0-d2ba5b2af6dc',
'optInRequired': 3,
'version': None,
'timestamp': 1684358758000,
'visibility': [
'anonymous'
],
'indexData': True,
'begin': 1684281600000,
'end': 1684367999000
}
|
automation.summary.playbook_names |
A summary of playbook names and whether or not a playbook is custom.
- community: The list of playbook names that are community playbooks that were updated over the last day.
- custom: The list of playbooks that are custom made by the end user that were updated over the last day.
- custom_count: A count of playbooks that are custom made by the end user that were updated over the last day.
- community_count: A count of playbooks that are community playbooks that were updated over the last day.
|
{
'type': 'aggregate',
'component': 'automation.summary.playbook_names',
'data': {
'community': [
'AD_LDAP_Entity_Attribute_Lookup',
'wannacry_prevent',
'wannacry_remediate',
'zscaler_hunt_and_block_url',
'zscaler_malicious_file_response',
'zscaler_patient_0_parse_email'
],
'community_count': 136,
'custom': [
'testa1'
],
'custom_count': 1,
'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None
},
'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'optInRequired': 3,
'version': None,
'timestamp': 1685658250000,
'visibility': [
'anonymous'
],
'indexData': True,
'begin': 1685491200000,
'end': 1685577599000
}
|
automation.summary.playbook_runs.by_trigger |
Counts of playbook runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily. |
begin: 1663891200000
component: automation.summary.playbook_runs.by_trigger
data: {
adhoc: {
failed: 0
running: 0
success: 2
total: 2
}
all: {
failed: 0
running: 0
success: 2
total: 2
}
automated: {
failed: 0
running: 0
success: 0
total: 0
}
cloudWorksEnvironment: dev
missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C
soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
productVersion: 10155.0.0.98349
license: standard
}
deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
end: 1663977599000
indexData: true
optInRequired: 3
timestamp: 1663977609000
type: aggregate
visibility: [
anonymous
]
}
|
automation.summary.publish_telemetry_time_taken |
Start time, end time, and the calculated total time of the telemetry publish job.
- start_time: start time of the publish job
- end_time: end time of the publish job
- total_time: total time of the job (calculated as end_time minus start_time)
|
{
'type': 'event',
'component': 'automation.summary.publish_telemetry_time_taken',
'data': {
'start_time': 28244.781,
'end_time': 28244.812,
'total_time': 0.031,
'soarDeploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None,
'cloudWorksEnvironment': 'dev'
},
'deploymentID': 'soar-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'optInRequired': 3,
'version': None,
'timestamp': 1685128654000,
'visibility': [
'anonymous'
],
'indexData': True,
'begin': None,
'end': None
}
|
automation.summary.workbook_summary |
A summary of opened and closed workbooks.
- opened: statistics for workbook tasks and phases created in the last 24 hours.
- unique_containers
- total_tasks
- total_phases
- started: statistics for workbook tasks and phases started in the last 24 hours.
- unique_containers
- total_tasks
- total_phases
- closed: statistics for workbook tasks and phases closed in the last 24 hours.
- unique_containers
- total_tasks
- total_phases
|
{
'type': 'aggregate',
'component': 'automation.summary.workbook_summary',
'data': {
'opened': {
'unique_containers': 3,
'total_tasks': 15,
'total_phases': 45,
},
'started': {
'unique_containers': 2,
'total_tasks': 2,
'total_phases': 4,
},
'closed': {
'unique_containers': 2,
'total_tasks': 4,
'total_phases': 12,
},
'phantomDeploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'license': 'community',
'productVersion': '6.1.0.58',
'missionControlDeploymentID': None
},
'deploymentID': 'phantom-e25f2b02-b4c3-43ae-a40c-acf2e0a936a9',
'optInRequired': 3,
'version': None,
'timestamp': 1685658250000,
'visibility': [
'anonymous'
],
'indexData': True,
'begin': 1685491200000,
'end': 1685577599000
}
|
orchestration.summary.action_runs.by_trigger |
Counts of action runs by trigger, either adhoc or by automation, aggregated over the last day. Emitted once daily.
- adhoc: Counts of adhoc action runs by status
- Successful
- Failed
- Running
- Pending
- Total
- automated: Counts of automated action runs by status
- all: Counts of both adhoc and automated playbook runs by status
- cloudWorksEnvironment: The environment in which the Splunk SOAR cloud stack is deployed; development (dev), staging (stg), or live (lve).
- missionControlDeploymentID: A nullable field identifying the Splunk Mission Control instance paired to the Splunk SOAR instance
- soarDeploymentID: Uniquely identifies the Splunk SOAR stack that emitted the metric |
{
begin: 1663891200000
component: orchestration.summary.action_runs.by_trigger
data: {
adhoc: {
failed: 0
pending: 0
running: 0
success: 1
total: 1
}
all: {
failed: 5
pending: 0
running: 0
success: 5
total: 10
}
automated: {
failed: 5
pending: 0
running: 0
success: 4
total: 9
}
cloudWorksEnvironment: dev
missionControlDeploymentID: 917660C8-50E1-407B-86C5-D5061176245C
soarDeploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
productVersion: 10155.0.0.98349
license: standard
}
deploymentID: soar-cd07b53e-125e-4d27-adf7-2dba77b9fa81
end: 1663977599000
indexData: true
optInRequired: 3
timestamp: 1663977609000
type: aggregate
visibility: [
anonymous
]
}
|