Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user journey information with the user personally identifiable information redacted.

Splunk collects usage data to improve the design, usability, and experience of the product. Customers may opt-out of sharing AI data including, but not limited to, chats, responses, context, and feedback. To opt out of sharing this AI data, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.

What data is collected

Splunk Enterprise Security version 8.2 collects the following basic usage information:

For more information on telemetry information collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).


Name of telemetry event	Search used to isolate results	Results
drilldown-dashboard	index=prod_analytics_entcloud "drilldown-dashboard"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.drilldown-dashboard, name: drilldown-dashboard, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir-expansion-link, sessionID: ..., type: event }
risk_events_table	index=prod_analytics_entcloud "risk_events_table"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk_events_table, name: risk_events_table, page: incident_review, pathname: ..., sessionID: ..., type: event }
risk-timeline	index=prod_analytics_entcloud "risk-timeline"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk-timeline, name: risk-timeline, page: incident_review, pathname: ..., sessionID: ..., type: event }
threat-topology	index=prod_analytics_entcloud "threat-topology"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.threat-topology, name: threat-topology, page: incident_review, pathname: ..., sessionID: ..., type: event }
responseTemplateAppliedByType	index=prod_analytics_entcloud "*responseTemplateAppliedByType"	{ app: SplunkEnterpriseSecuritySuite, incidentType: automation, page: incident_review, pathname: ..., sessionID: ..., type: event }
riskEventTimelineViewed	index=prod_analytics_entcloud "*riskEventTimelineViewed"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.riskEventTimelineViewed, eventType: user, score: ..., sessionID: ..., type: event }
aqSidePanelOpened	index=prod_analytics_entcloud "*aqSidePanelOpened"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelOpened, id: ..., sessionID: ..., type: event }
aqSidePanelClosed	index=prod_analytics_entcloud "*aqSidePanelClosed"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelClosed, action: close, sessionID: ..., type: event }
imSubscription	index=prod_analytics_entcloud "*imSubscription" data.appName="MissionControl"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.imSubscription, subscribed: false, sessionID: ..., type: event }
feedbackProvided	index=prod_analytics_entcloud "feedbackProvided"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, messageId: ..., feedback: {...}, sessionID: ..., type: event }
messageSent	index=prod_analytics_entcloud "messageSent"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, message: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked	index=prod_analytics_entcloud "runSPLClicked"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, sessionID: ..., threadId: ..., type: event }
splExecutedWithResults	index=prod_analytics_entcloud "splExecutedWithResults"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, resultsCount: 42, sessionID: ..., threadId: ..., type: event }
splExecutedWithNoResults	index=prod_analytics_entcloud "splExecutedWithNoResults"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, sessionID: ..., threadId: ..., type: event }
splExecutionFailed	index=prod_analytics_entcloud "splExecutionFailed"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, sessionID: ..., threadId: ..., type: event }
responseReceived	index=prod_analytics_entcloud "responseReceived"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, aiResponse: ..., sessionID: ..., type: event }
newChatStarted	index=prod_analytics_entcloud "newChatStarted"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., sessionID: ..., type: event }
threadCreated	index=prod_analytics_entcloud "threadCreated"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., threadId: ..., sessionID: ..., type: event }
ir-analyst-workflow	index=prod_analytics_entcloud "ir-analyst-workflow"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, page: incident_review, section: ir_views_panel, sessionID: ..., type: event }
filter-dropdown-ueba-app	index=prod_analytics_entcloud "filter-dropdown-ueba-app"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type	index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: ..., selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection	index=prod_analytics_entcloud "save-detection"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, section: event_based_detection, sessionID: ..., type: event }
threat-topology	index=prod_analytics_entcloud "threat-topology"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, sessionID: ..., type: event }
disposition-required	index=prod_analytics_entcloud "disposition-required"	{ app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create	index=prod_analytics_entcloud "disposition-create"	{ app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline	index=prod_analytics_entcloud "ir-event-timeline"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status	index=prod_analytics_entcloud "diff-view-status"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
change-default-app	index=prod_analytics_entcloud "change-default-app"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: ..., sessionID: ..., type: event }
event-based detection	index=prod_analytics_entcloud "event-based detection"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
finding-based detection	index=prod_analytics_entcloud "finding-based detection"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, sessionID: ..., type: event }
change-default-detection	index=prod_analytics_entcloud "change-default-detection"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: ..., sessionID: ..., type: event }
open-in-editor	index=prod_analytics_entcloud "open-in-editor"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, section: event-based detection, sessionID: ..., type: event }
ba-enable-modal	index=prod_analytics_entcloud "ba-enable-modal"	{ app: SplunkEnterpriseSecuritySuite, page: ess_home, section: remind-me-later }
drilldown-search	index=prod_analytics_entcloud "drilldown-search"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, section: ir-expansion-link }
risk-analysis-dashboard	index=prod_analytics_entcloud "risk-analysis-dashboard"	{ app: SplunkEnterpriseSecuritySuite, page: risk_analysis, section: viz_risk_score_by_object }
asset-identity-correlation-setup-status	index=prod_analytics_entcloud "asset-identity-correlation-setup-status"	{ app: SplunkEnterpriseSecuritySuite, page: ess_configuration/, section: enabled_for_all_sourcetypes }
ir-enhanced-views-tour	index=prod_analytics_entcloud "ir-enhanced-views-tour"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, section: showTour }
dlfa-setup-modal	index=prod_analytics_entcloud "dlfa-setup-modal"	{ action: modal closed }
incidentReviewPollingPaused	index=prod_analytics_entcloud "incidentReviewPollingPaused"	{ action: incidentList.polling.paused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
incidentReviewPollingUnpaused	index=prod_analytics_entcloud "incidentReviewPollingUnpaused"	{ action: incidentList.polling.unpaused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
fileUploadedIncident	index=prod_analytics_entcloud "fileUploadedIncident"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., size: 172 }
fileUploadedTask	index=prod_analytics_entcloud "fileUploadedTask"	{ app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., size: 3094317 }
fileDownloaded	index=prod_analytics_entcloud "fileDownloaded"	{ count: 96, host: ..., source: ..., sourcetype: ... }
manualIncidentCreated	index=prod_analytics_entcloud "manualIncidentCreated"	{ app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., incident_type: default }
responsePlanTaskEnded	index=prod_analytics_entcloud "responsePlanTaskEnded"	{ action: taskStatus.ended, app: missioncontrol, page: mc_incident_review, planId: ..., taskId: ..., sessionID: ..., type: event }
responseTemplateSearchCount	index=prod_analytics_entcloud "responseTemplateSearchCount"	{ app: SplunkEnterpriseSecuritySuite, count: 1, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responsePlanSearchClicked	index=prod_analytics_entcloud "responsePlanSearchClicked"	{ app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: ..., responseName: ..., sessionID: ..., spl: ... }
responsePlanSoarAutomationClicked	index=prod_analytics_entcloud "responsePlanSoarAutomationClicked"	{ app: missioncontrol, component: app.session.MissionControl, incidentId: ..., page: mc_incident_review, phaseId: ..., sessionID: ..., taskId: ..., type: playbook }
responsePlanAddTaskError	index=prod_analytics_entcloud "responsePlanAddTaskError"	{ errorInfo: { errorType: responsePlanAddTaskError, payload: request payload } }
responseTemplateCreated	index=prod_analytics_entcloud "responseTemplateCreated"	{ app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateUpdated	index=prod_analytics_entcloud "responseTemplateUpdated"	{ app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateAppliedManually	index=prod_analytics_entcloud "responseTemplateAppliedManually"	{ app: SplunkEnterpriseSecuritySuite, count: 1, incidentId: ..., page: incident_review, pathname: ..., sessionID: ... }
responseTemplateAppliedByType	index=prod_analytics_entcloud "responseTemplateAppliedByType"	{ app: SplunkEnterpriseSecuritySuite, count: 1, incidentType: automation, page: incident_review, pathname: ..., sessionID: ... }
aqSidePanelBackNextNavigation	index=prod_analytics_entcloud "aqSidePanelBackNextNavigation"	{ direction: next, app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelBackNextNavigation, name: aqSidePanelBackNextNavigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelStartInvestigation	index=prod_analytics_entcloud "aqSidePanelStartInvestigation"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelStartInvestigation, id: ..., name: aqSidePanelStartInvestigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelUpdateMetadata	index=prod_analytics_entcloud "aqSidePanelUpdateMetadata"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelUpdateMetadata, field: status, id: ..., name: aqSidePanelUpdateMetadata, value: 5, sessionID: ..., type: event }
fileUploadTooBigError	index=prod_analytics_entcloud "*fileUploadTooBigError"	{ errorMessage: "File upload failed, Please upload a file under 50 MB" }
timRedirectError	index=prod_analytics_entcloud "*timRedirectError"	{ errorInfo: "Failed to get matching Incident for the Notable. Error" }
soarRedirectError	index=prod_analytics_entcloud "*soarRedirectError"	{ errorInfo: "Failed to redirect to Splunk SOAR from the current Enterprise Security Domain" }
soarRedirect	index=prod_analytics_entcloud "*soarRedirect"	{ app: SplunkEnterpriseSecuritySuite, nextPage: /lists, page: soar_redirect, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/soar_redirect }
JSONSyntaxError	index=prod_analytics_entcloud "*JSONSyntaxError"	{ app: missioncontrol, error: "SyntaxError: Bad escaped character in JSON at position 42 (line 1 column 43)", errorType: JSONSyntaxError, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., type: event }
uiError	index=prod_analytics_entcloud "*uiError"	{ app: SplunkEnterpriseSecuritySuite, error: Unauthorized, errorType: riskEventAIStatusError, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
newChatStarted	index=prod_analytics_entcloud "*newChatStarted"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., name: newChatStarted, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
threadCreated	index=prod_analytics_entcloud "*threadCreated"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., name: threadCreated, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
messageSent	index=prod_analytics_entcloud "*messageSent"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, investigationId: ..., message: ..., messageSendTime: ..., name: messageSent, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
responseReceived	index=prod_analytics_entcloud "*responseReceived"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, investigationId: ..., messageId: ..., name: responseReceived, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
feedbackProvided	index=prod_analytics_entcloud "*feedbackProvided"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, investigationId: ..., messageId: ..., name: feedbackProvided, optInRequired: 3, page: incident_review, feedback: {...}, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked	index=prod_analytics_entcloud "*runSPLClicked"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, investigationId: ..., messageId: ..., name: runSPLClicked, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutedWithResults	index=prod_analytics_entcloud "*splExecutedWithResults"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, investigationId: ..., messageId: ..., name: splExecutedWithResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., resultsCount: 42, threadId: ..., type: event }
splExecutedWithNoResults	index=prod_analytics_entcloud "*splExecutedWithNoResults"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, investigationId: ..., messageId: ..., name: splExecutedWithNoResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutionFailed	index=prod_analytics_entcloud "*splExecutionFailed"	{ app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, investigationId: ..., messageId: ..., name: splExecutionFailed, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
secaError	index=prod_analytics_entcloud "*secaError"	{ errorInfo: { api: 'getThreadStatus', investigationId: incident?.id, threadId: ..., code: error_code, message: _(Thread run status returned status => ${status} and error code => ${error_code}) } }
ir-analyst-workflow	index=prod_analytics_entcloud "*ir-analyst-workflow" data.appName="enterprise-security"	{ action: ..., app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir_views_panel, sessionID: ..., type: event }
module-federation-mc-remote-entry	index=prod_analytics_entcloud "*module-federation-mc-remote-entry"	{ action: { connected: true }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-mc-remote-entry, name: module-federation-mc-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
filter-dropdown-ueba-app	index=prod_analytics_entcloud "*filter-dropdown-ueba-app" data.appName="enterprise-security" data.name="filter-dropdown-ueba-app"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: ..., section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type	index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: filter-dropdown-cloud-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection	index=prod_analytics_entcloud "save-detection"	{ action: save, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
threat-topology	index=prod_analytics_entcloud "threat-topology"	{ action: view, app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ... }
disposition-required	index=prod_analytics_entcloud "disposition-required"	{ action: is_not_required, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create	index=prod_analytics_entcloud "disposition-create"	{ action: view, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline	index=prod_analytics_entcloud "ir-event-timeline"	{ action: click, app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status	index=prod_analytics_entcloud "diff-view-status"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
change-default-app	index=prod_analytics_entcloud "change-default-app"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: splunk_investigation_kit, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
event-based detection	index=prod_analytics_entcloud "event-based detection"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.event-based detection, name: event-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
finding-based detection	index=prod_analytics_entcloud "finding-based detection"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.finding-based detection, name: finding-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
change-default-detection	index=prod_analytics_entcloud "change-default-detection"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: event_based_detection, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
open-in-editor	index=prod_analytics_entcloud "open-in-editor"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-table-open-in-editor, sessionID: ..., type: event }
drilldown-dashboard	index=prod_analytics_entcloud "drilldown-dashboard"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-dashboard, name: drilldown-dashboard, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
ba-enable-modal	index=prod_analytics_entcloud "ba-enable-modal"	{ action: remind-me-later, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ba-enable-modal, name: ba-enable-modal, optInRequired: 3, page: ess_home, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_home, section: remind-me-later, sessionID: ..., type: event }
drilldown-search	index=prod_analytics_entcloud "drilldown-search"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-search, name: drilldown-search, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
risk-analysis-dashboard	index=prod_analytics_entcloud "risk-analysis-dashboard"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.risk-analysis-dashboard, name: risk-analysis-dashboard, optInRequired: 3, page: risk_analysis, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/risk_analysis, section: viz_risk_score_by_object, sessionID: ..., type: event }
asset-identity-correlation-setup-status	index=prod_analytics_entcloud "asset-identity-correlation-setup-status"	{ action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.asset-identity-correlation-setup-status, name: asset-identity-correlation-setup-status, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: enabled_for_all_sourcetypes, sessionID: ..., type: event }
ir-enhanced-views-tour	index=prod_analytics_entcloud "ir-enhanced-views-tour"	{ action: showTour, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-enhanced-views-tour, name: ir-enhanced-views-tour, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: enhanced_views_tour, sessionID: ..., type: event }
dlfa-setup-modal	index=prod_analytics_entcloud "dlfa-setup-modal"	{ action: modal closed, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.dlfa-setup-modal, name: dlfa-setup-modal, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: dlfa-setup-modal, sessionID: ..., type: event }
turn-on-versioning-feature	index=prod_analytics_entcloud environment=* "turn-on-versioning-feature"	{ action: enabled, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.turn-on-versioning-feature, name: turn-on-versioning-feature, optInRequired: 3, page: ess_configuration/, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_configuration/, sessionID: ..., type: event }
change-detection-status	index=prod_analytics_entcloud environment=* "change-detection-status" data.appName="enterprise-security"	{ action: off, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-detection-status, name: change-detection-status, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: finding_based_detection, sessionID: ..., type: event }
ir-analyst-workflow	index=prod_analytics_entcloud environment=* "change_current_view" OR "toggle_views_panel"	{ action: { action: change_current_view, filter_set: {...}, is_default: false, is_private: true, table_attributes: [...] }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir_views_panel, sessionID: ..., type: event }
editor-clone-detection	index=prod_analytics_entcloud environment=* "editor-clone-detection" data.appName="enterprise-security"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-clone-detection, name: editor-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: event_based_detection, sessionID: ..., type: event }
editor-modal-clone-detection	index=prod_analytics_entcloud environment=* "editor-modal-clone-detection" data.appName="enterprise-security"	{ action: cloned, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-modal-clone-detection, name: editor-modal-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: ebd, sessionID: ..., type: event }
module-federation-ueba-remote-entry	index=prod_analytics_entcloud environment=* "module-federation-ueba-remote-entry"	{ app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-ueba-remote-entry, name: module-federation-ueba-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
tune-risk-link-cmp-ba-detection	index=prod_analytics_entcloud environment=* "tune-risk-link-cmp-ba-detection" data.appName="enterprise-security"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.tune-risk-link-cmp-ba-detection, name: tune-risk-link-cmp-ba-detection, page: ess_configuration, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event }
cmp-ba-detection-action	index=prod_analytics_entcloud environment=* "*cmp-ba-detection-action"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.cmp-ba-detection-action, name: cmp-ba-detection-action, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event, url: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/ueba/risk-exclusion-rules?... }
cm-filter-dropdown-selection	index=prod_analytics_entcloud environment=* "*cm-filter-dropdown-selection"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-ba-detection-type	index=prod_analytics_entcloud environment=* "*filter-dropdown-ba-detection-type"	{ action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ba-detection-type, name: filter-dropdown-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: filter-dropdown-ba-detection-type, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
fetch-ba-detections	index=prod_analytics_entcloud environment=* "*fetch-ba-detections"	{ errorInfo: "failed to fetch CMP UEBA detections details with error" }
Seca.ContextSent	index=prod_analytics_entcloud component="app.MissionControl.Seca.ContextSent"	{ context_type: spl_data_models }
Incident_Create	index=prod_analytics_entcloud component="app.MissionControl.Incident_Create"	{ artifact_count: 0 }
Incident_Update	index=prod_analytics_entcloud component="app.MissionControl.Incident_Update"	{ incident_count: 5, status: 2 }
Event_Add	index=prod_analytics_entcloud component="app.MissionControl.Event_Add"	{ action: add, entity_type: notable, entity_uuid: ..., name: notable, optInRequired: 3, page: investigation/overview, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/investigation/overview, sessionID: ..., type: event }
Added_Children_Incidents	index="prod_analytics_entcloud" component="app.MissionControl.Added_Children_Incidents"	data: { [-] `children_incident_count: 1 incident_count: 1 }`
New_Parent_Child_Incident_Relationship	index="prod_analytics_entcloud" component="app.MissionControl.New_Parent_Child_Incident_Relationship"	data: { [-] `incident_count: 1 }`
CustomField_Create	index="prod_analytics_entcloud" component="app.MissionControl.CustomField_Create"	data: { [-] `customfield_count: 1 name: CustomField_Create }`
ArtifactConfig_Create	index="prod_analytics_entcloud" component="app.MissionControl.ArtifactConfig_Create"	data: { [-] `artifactconfig_count: 1 }`
Seca.MessageSent	index="prod_analytics_entcloud" component="app.MissionControl.Seca.MessageSent"	data: { [-] `investigation_id: 1dda3208-23f8-4969-b689-d088f4ffea61 message: Failed to execute generated spl search index=<index> \| stats count by index, sourcetype. Spl is invalid, spl parse error b'{"messages":[{"type":"FATAL","text":"Error in \'search\' command: Unable to parse the search: Comparator \'>\' is missing a term on the right hand side."}]}' messageSentTime: 2025-04-23 01:03:44 name: Seca.MessageSent thread_id: d1699059-f8a7-4fa2-bd47-4a46174c9090 }`
Event_Delete	index="prod_analytics_entcloud" component="app.MissionControl.Event_Delete"	data: { [-] `event_count: -1 }`
Event_Update	index="prod_analytics_entcloud" component="app.MissionControl.Event_Update"	artifact_count: 0
Event_Create	index="prod_analytics_entcloud" component="app.MissionControl.Event_Create"	artifact_count: 0
Event_List	index="prod_analytics_entcloud" component="app.MissionControl.Event_List"	search_count: 1, search_job_elapsed_time: 1744295613
active_users	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.active_users"	admin_count: 0, analyst_count: 0, count: 0, user_count: 0
annotations_usage	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.annotations_usage"	searches_with_annotations: 1869, searches_with_cis20: 1809, searches_with_kill_chain_phases: 1739, searches_with_mitre_attack: 1779, searches_with_nist: 1809, unique_annotation_count: 977, unique_framework_count: 7
asset_identity_correlation_setup_status	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.asset_identity_correlation_setup_status"	asset_identity_correlation_setup_status: disabled_for_all_sourcetypes
datamodel_distribution	index="prod_analytics_entcloud"	datamodel: Performance
enabled_vulnerability_data_searches	index="prod_analytics_entcloud" "*enabled_vulnerability_data_searches"	annotations: {}, correlation_search_enabled: 0, creates_notable: 0, creates_risk: 0, disabled: 0
feature_usage	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.feature_usage"	avg_spent: 245, count: 1, view: incident_review
identity_manager	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.identity_manager"	asset_blacklist_count: 0, asset_count: 4, asset_custom_count: 2, asset_enabled_count: 2, identity_blacklist_count: 0, identity_count: 3
lookup_usage	index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.lookup_usage"	count: 0, size: 0, transform: threatintel_by_email_subject
search_actions	index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.search_actions"	action: notable, count: 2, is_adaptive_response: 1, total_scheduled: 110
search_execution	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.search_execution"	avg_run_time: 18.63, count: 192, is_realtime: 0, search_alias: Access - Access App Tracker - Lookup Gen
riskfactors_usage	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.riskfactors_usage"	total: 12, fields_info: [dest_priority, other, src, src_category, user, user_category, user_priority, user_watchlist]
risk_riskfactors_impact	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact"	distinct_risk_object_count: 231, max_calc_risk_score: 90, max_risk_score: 90, min_calc_risk_score: 20, min_risk_score: 20, risk_object_type: system, risk_factor_add_matches: 866, risk_factor_mult_matches: 866, max_risk_factor_add_matches: 0, max_risk_factor_mult_matches: 1, min_risk_factor_add_matches: 0, min_risk_factor_mult_matches: 1
risk_event_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_event_information"	calculated_risk_score: 0, risk_factor_add: 0, risk_factor_mult: 0, risk_object_type: system, risk_score: 0, threat_object_type: signature
risk_notable_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_notable_information"	annotations: {"mitre_attack": ""}, notable_type: risk_event, risk_event_count: 18, risk_object_type: other
notable_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_information"	annotations: {}, notable_type: notable, search_name: Threat - High Confidence APT, Malware and C2 Matches - Rule, security_domain: threat, severity: medium
notables_percent_suppressed	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_percent_suppressed"	total_notables_count: 137613
notables_assigned_over_time	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_assigned_over_time"	Assigned Notables: 0, Unassigned Notables: 3301336, Date: 2024-12-01
ba_test_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_test_information"	risk_score: 45, risk_object_type: user, orig_sourcetype: NA, threat_object_type: NA, annotations: {"analytic_story":["Malicious PowerShell","Active Directory Lateral Movement","Hermetic Wiper","Scheduled Tasks","Data Destruction"],"mitre_attack":["T1021.003","T1053.005","T1059.001","T1021","T1047"],"nist":["DE.CM"],"cis20":["CIS 10"]}
saved_search_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.saved_search_information"	creates_notable: 0, creates_risk: 0, disabled: 0, search_name: Bucket Merge Retrieve Conf Settings, annotations: {}
ba_detections	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_detections"	name: Unauthorized Activity Time (Preview), id: c0fbe7ee-57d4-11ee-8c99-0242ac120002, enabled: 1, useRiskIndex: 0, version: 1.15.63, annotations: {"mitre_attack":"T1003", "analytic_story":"Active Directory Lateral Movement", "kill_chain_phases":"Exploitation", "nist":"DE.CM", "cis20":"CIS 10"}
notable_event_status_changes	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_event_status_changes"	disposition_label: Benign Positive - Suspicious But Expected, urgency: informational, status: 5, status_label: Closed, time_modified: 04/22/2025 06:29:37
notable_events_by_urgency	index="prod_analytics_entcloud" "*notable_events_by_urgency"	creates_notable: 0, creates_risk: 0, disabled: 1, search_name: Notable_Events_By_Urgency, annotations: {}
datamodel_dataset_population	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population"	dataset: All_Changes, model_name: Change, sourcetype: []
splunk_apps	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.splunk_apps"	app_label: DA-ESS-AccessProtection, app_name: DA-ESS-AccessProtection, version: 7.3.3
investigation_information	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigation_information"	create_time: 1744787122, investigation_id: 67ff56b3b3af912aa0085d30, name: Custom Investigation
investigations_overview	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigations_overview"	create_time: 1481578121, hashed_collaborators: [hash], hashed_creator: [hash], hashed_investigation_name: [hash], investigation_id: 58e1b7afc31ae9da2e3124d0
macro_usage	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.macro_usage"	definition: index=windows* sourcetype=WinEventLog source=WinEventLog:Security (eventtype=wineventlog_security OR Channel=security), macro_name: wineventlog_security
vulnerable_systems_percent_vulnerable	index="prod_analytics_entcloud" "*vulnerable_systems_percent_vulnerable"	percent_vulnerable_systems: ?
unique_threat_object_count	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.unique_threat_object_count"	unique_threat_object_count: 0
untriaged_notables_by_domain	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.untriaged_notables_by_domain"	Access: 62, Endpoint: 640, Identity: 4, Network: 28649, Threat: 12122854, date: 2025-03-02
threat_artifacts_overview	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_artifacts_overview"	count: 12, malware_alias: , source_id: gr-binarydefense-2, source_path: /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups/gr-binarydefense-2.csv, source_type: csv, threat_category: threat_intel, threat_group: gr-binarydefense-2
threat_matches	index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_matches"	threat_matches: 0

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.