app.session.enterprise-security.risk-analysis-dashboard |
Reports on the usage of the Risk Timeline visualization on the Risk Analysis dashboard. |
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: incident_review
section: viz_risk_score_by_object
}
|
app.session.enterprise-security.disposition-required |
Reports whether dispositions are required or not on the Incident Review Settings page. |
data: {
action: is_required
app: SplunkEnterpriseSecuritySuite
page: ess_incident_review_configuration
section: disposition
}
|
app.session.enterprise-security.ir-event-timeline |
Reports the usage of the zoom in and zoom out functionality of the Event Timeline visualization on the Incident Review page. |
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: incident_review
section: zoomClick
}
OR
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: incident_review
section: zoomOut
}
|
app.session.enterprise-security.incident-review |
- Reports the number of customers who have selected drilldown searches in the expansion row on the Incident Review page.
- Reports the number of times customers have selected drilldown searches in the expansion row on the Incident Review page.
|
{
component: app.session.enterprise-security.drilldown-search
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: incident_review
section: ir-expansion-link
}
deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1669678343
userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
version: 4
visibility: anonymous,support
}
|
app.session.enterprise-security.drilldown-search |
- Reports the number of customers who have used, added, or removed drilldown searches in the Correlation Search Editor.
- Reports the number of times customers have added or removed drilldown searches in the Correlation Search Editor.
|
{
component: app.session.enterprise-security.drilldown-search
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: correlation_search_edit
section: add-drilldown-btn (OR remove-drilldown-btn)
}
deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1669678343
userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
version: 4
visibility: anonymous,support
}
|
app.session.enterprise-security.threat-topology |
- Reports the number of users who have viewed the threat-topology visualization.
- Reports the number of times users have rendered the threat-topology visualization.
|
{
component: app.session.enterprise-security.threat-topology
data: {
action: view
app: SplunkEnterpriseSecuritySuite
page: incident_review
}
deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
eventID: 538e4d34-0fbb-a4ea-05b4-0e50445823a1
experienceID: 63a92645-5d53-91f4-15b5-c32c12aac41a
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1669674829
userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
version: 4
visibility: anonymous,support
}
|
app.session.enterprise-security.mitre-matrix |
- Reports the number of users who have viewed the mitre-matrix component.
- Reports the number of times users have rendered the mitre-matrix component.
|
{
component: app.session.enterprise-security.mitre-matrix
data: {
action: view
app: SplunkEnterpriseSecuritySuite
page: incident_review
}
deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
eventID: dce50f20-e5d6-0229-65b1-61d04ccd7367
experienceID: 668d518b-2b52-e502-78b2-e9f8587cfbdb
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1669678343
userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
version: 4
visibility: anonymous,support
}
|
app.session.enterprise-security.ba-enable-modal |
- Reports the number of users who have viewed the mitre-matrix component.
- Reports the number of times users have rendered the mitre-matrix component.
|
{
component: app.session.enterprise-security.ba-enable-modal
data: {
action: click
app: SplunkEnterpriseSecuritySuite
page: ess_home
section: submit-ticket
}
deploymentID: dd2e7874-098f-549c-af70-0d33636be94d
eventID: de6b5a51-d15a-27de-6015-97c818a41757
experienceID: 8ec2c25a-8edd-5438-95b7-ae009c1db2aa
optInRequired: 3
splunkVersion: 9.0.1
timestamp: 1669756275
userID: 5d040a73e82459dd2ac8c58d50e6f37f6072a99a5ba0f84bacc4e496a3579a1a
version: 4
visibility: anonymous,support
}
|
app.SplunkEnterpriseSecuritySuite.active_users |
Reports the number of active users. |
{
"version": "1.0",
"end": 1521483766,
"begin": 1521396000,
"data": {
"analyst_count": 0,
"count": 1,
"admin_count": 1,
"user_count": 0
}
}
|
app.SplunkEnterpriseSecuritySuite.annotations_usage |
Reports the number of users that enable and start using annotations in correlation searches for the risk framework. |
{
"data": {
"unique_annotation_count": 86,
"unique_framework_count": 4,
"searches_with_cis20": 200,
"searches_with_kill_chain_phases": 176,
"searches_with_mitre_attack": 119,
"searches_with_nist": 199,
"searches_with_annotations": 213
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.datamodel_distribution |
Performs a data model audit to determine which models are the most heavily used. |
{
"data": {
"size": 2265088,
"datamodel": "Change_Analysis",
"perc": 49.33
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.feature_usage |
- Reports the amount of time it takes for a page to load.
- Reports data about feature usage.
|
{
"end": 1521483766,
"begin": 1521396000,
"version": "1.0",
"data": {
"count": 1,
"avg_spent": 515,
"view": "ess_home"
}
}
|
app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population |
Reports which sourcetypes are populating data models and data sets. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population
data: {
count: 3510
dataset: Authentication
model_name: Authentication
sourcetype: XmlWinEventLog
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 9416AAD3-7DE3-4985-80E5-D8EACF7373AC
executionID: 31D2B8E6-1679-4041-91A8-D9955A2B2544
optInRequired: 3
timestamp: 1662700871
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.identity_manager |
Reports statistics pertaining to the usage of the Assets and Identities Framework. |
{
"data": {
"asset_blacklist_count": 0,
"asset_count": 3,
"asset_custom_count": 1,
"asset_custom_fields": 0,
"asset_enabled_count": 1,
"asset_ldap_count": 0,
"asset_search_count": 0,
"identity_blacklist_count": 0,
"identity_count": 3,
"identity_custom_count": 0,
"identity_custom_fields": 0,
"identity_enabled_count": 2,
"identity_ldap_count": 0,
"identity_search_count": 0,
"total_blacklist_count": 0,
"total_count": 6,
"total_custom_count": 1,
"total_enabled_count": 3,
"total_ldap_count": 0,
"total_search_count": 0
},
"version": 1.0
}
|
app.SplunkEnterpriseSecuritySuite.investigation_information |
Reports on the length of investigations in Splunk Enterprise Security. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.saved_search_information
data: {
investigation_id: 3392852E-71F0-43DD-B826-F155BE830660
name: TestInvestigation
status_name: In Progress
create_time: 1662700236
status_time: 1662700236
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 3392852E-71F0-43DD-B826-F155BE830660
executionID: D35401ED-3320-4F4B-8542-BC1068F93454
optInRequired: 3
timestamp: 1662700236
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.lookup_usage |
Reports statistics pertaining to the usage of the Asset & Identity Manager, such as lookup table size and number of entries. |
{
"data": {
"count": 0,
"size": 22,
"transform": "access_app_tracker"
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.notable_event_status_changes |
- Reports the efficacy of the detections.
- Reports how long the notable events are in progress.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.saved_search_information
data: {
time: {}
event_id: DA-ESS-NetworkProtection
search_name: Traffic - Traffic Over Time By Transport Protocol
status_label: In Progress
disposition_label: NA
urgency: 0
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 3392852E-71F0-43DD-B826-F155BE830660
executionID: D35401ED-3320-4F4B-8542-BC1068F93454
optInRequired: 3
timestamp: 1662700236
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.macro_usage |
Reports on how users use ESCU output filters for their content. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.macro_usage
data: {
macro_name: wmi_permanent_event_subscription___sysmon_filter
definition: search *
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 3392852E-71F0-43DD-B826-F155BE830660
executionID: D35401ED-3320-4F4B-8542-BC1068F93454
optInRequired: 3
timestamp: 1662700236
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.risk_event_information |
- Reports the specific searches that create risk events in customer environments.
- Reports the annotations that create risk events.
- Reports how risk scores are associated with annotations.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_event_information
data: {
_time: 1662673793
annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
calculated_risk_score: 30
risk_factor_add: 0
risk_factor_mult: 1
hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
risk_object_type: system
risk_score: 30
search_name: ESCU - WMI Recon Running Process Or Services - Rule
orig_sourcetype: NA
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 51708359-68B8-40D8-A789-011C8544DA92
executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
optInRequired: 3
timestamp: 1662702322
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.risk_notable_information |
- Reports the specific searches that create risk notables in customer environments.
- Reports the risk events that create risk notables.
- Reports how risk notables are associated with annotations.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_notable_information
data: {
_time: 1662596119
annotations: {"mitre_attack": "T1587.003", "analytic_story": "Splunk Vulnerabilities", "cis20": ["CIS 16", "CIS 3", "CIS 5"], "kill_chain_phases": "Exploitation", "nist": "DE.CM", "context": "Source:Endpoint", "observable": "{\"name\":\"splunk_server\",\"role\":[\"Victim\"],\"type\":\"Hostname\"}"}
event_id: 1D3F1BA5-1EDB-43DB-A9BA-92C62607E589@@notable@@56ceb57a41ca64f8960a7c1ae5eec67c
notable_type: risk_event
risk_object_type: system
hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
hashed_normalized_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
hashed_all_risk_objects: ['62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368']
risk_score: 1750
risk_search: ESCU - Splunk Digital Certificates Infrastructure Version - Rule
risk_event_count: 50
search_name: Risk - 24 Hour Risk Threshold Exceeded - Rule
security_domain: threat
source_count: 1
orig_sourcetype: NA
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 04FB2258-FDEA-47E3-AFFA-0ECACBE79A5F
executionID: 33F085CD-98E3-433A-AF4C-716A85D952A8
optInRequired: 3
timestamp: 1662702627
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.ba_detections |
- Reports on which behavioral analytics detections are enabled in customer environments.
- Reports on how customers are using the test and risk indexes.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.ba_detections
data: {
name: Applications Spawning cmd.exe
annotations: {"mitre_attack": ["T1106"]}
enabled: 0
useRiskIndex: 0
version: 1.0
id: e332f45a-e332f45a-e332f45a
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 3392852E-71F0-43DD-B826-F155BE830660
executionID: D35401ED-3320-4F4B-8542-BC1068F93454
optInRequired: 3
timestamp: 1662700236
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.ba_test_information |
- Reports the behavioral analytics searches that create risk events in customer environments.
- Reports the annotations that create behavioral analytics risk events.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.ba_Test_information
data: {
_time: 1662673793
annotations: {"analytic_story": ["Hermetic Wiper", "Malicious PowerShell"], "confidence": 100, "context": ["Source:Endpoint", "Stage:Recon"], "impact": 30, "kill_chain_phases": ["Reconnaissance"], "mitre_attack": ["T1592"], "observable": [{"name": "Computer", "role": ["Victim"], "type": "Endpoint"}, {"name": "User", "role": ["Victim"], "type": "User"}]}
hashed_risk_object: 62f6f8455743c8614847162d03453acaa1ae0b0cdcd5593ff0a2db1e92cf3368
risk_object_type: system
risk_score: 30
search_name: ESCU - WMI Recon Running Process Or Services - Rule
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 51708359-68B8-40D8-A789-011C8544DA92
executionID: A11AB986-2A75-406D-8405-A65D6D83AADE
optInRequired: 3
timestamp: 1662702322
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.riskfactors_usage |
Reports how customers use the risk framework. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.riskfactors_usage
data: {
fields_info: [
{"fields_used": "dest_priority", "count": 1}
{"fields_used": "user_category", "count": 2}
{"fields_used": "user_priority", "count": 2}
{"fields_used": "user_watchlist", "count": 1}
]
total: 5
}
deploymentID: 464150eb-1b95-528e-85ca-272ba19d113f
eventID: AB7AC804-8711-459C-A649-0A2DD8962299
executionID: 1E895CC2-5C46-456F-9A79-86CC0ED05036
optInRequired: 3
timestamp: 1603825511
type: aggregate
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact |
Reports how customers engage with the risk framework. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact
data: {
distinct_risk_object_count: 2
max_calc_risk_score: 100
max_risk_factor_add_matches: 0
max_risk_factor_mult_matches: 1
max_risk_score: 100
min_calc_risk_score: 100
min_risk_factor_add_matches: 0
min_risk_factor_mult_matches: 1
min_risk_score: 100
risk_factor_add_matches: 0
risk_factor_mult_matches: 0
risk_object_type: system
}
deploymentID: 3db462ee-7955-54b0-9a94-24bc19f352a8
eventID: 84949E43-2964-43CC-AA04-50F2C4082674
executionID: 27E5957D-41F4-4C83-A1F1-DCF5C9D324DC
optInRequired: 3
timestamp: 1603851828
type: aggregate
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.saved_search_information |
- Reports what searches are enabled in customer environments.
- Reports the desired outcome of the search.
- Reports the use of SPL.
|
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.saved_search_information
data: {
annotations: {}
app_name: DA-ESS-NetworkProtection
creates_notable: 0
creates_risk: 0
uses_suppression: 0
description:
disabled: 0
search: | `tstats` count from datamodel=Network_Traffic.All_Traffic by _time,All_Traffic.transport span=10m | timechart minspan=10m useother=`useother` count by All_Traffic.transport | `drop_dm_object_name("All_Traffic")`
search_name: Traffic - Traffic Over Time By Transport Protocol
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 3392852E-71F0-43DD-B826-F155BE830660
executionID: D35401ED-3320-4F4B-8542-BC1068F93454
optInRequired: 3
timestamp: 1662700236
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.SplunkEnterpriseSecuritySuite.search_actions |
Reports what was searched for. |
{
"data": {
"total_scheduled": 70,
"action": "output_message",
"is_adaptive_response": 1,
"count": 6
},
"version": "1.0"
}
|
app.SplunkEnterpriseSecuritySuite.search_execution |
Reports average run time by search to help gauge performance. |
{
"end": 1521483766,
"begin": 1521396000,
"data": {
"avg_run_time": 0.75,
"count": 2,
"search_alias": "Access - Authentication Tracker - Lookup Gen"
},
"version": "1.0"
}
|
data.context |
Reports how many times a given workbench panel was used and the distribution of fields drilled into from workflow actions. |
{
component: app.session.rum.mark
data: {
app: SplunkEnterpriseSecuritySuite
context: {
field: lokloklok
panels: [
f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
f2c5c990f8fbf4f173ed8ae17ac3463c53e674e10494ea6ae331f25d410c7647
a7f1eed1b49d2391fbe7f6b6cb91a3c146a4e905e536be8e3d5581f15f90248c
]
}
hero: embedded workbench panel page
page: ess_workbench_panel
sourceLocation: controller mounted
timeSinceOrigin: 17539.599999785423
transactionId: 9eb149d0-84d9-11ea-9a01-6da37c4190ff
}
deploymentID: 90dacf53-e620-5a99-8cd4-15225d4fafc3
eventID: 19c90580-816d-2dc5-13a8-5af783596253
experienceID: 6aa4e746-c8f0-234b-35b2-dff0e1b2fbab
optInRequired: 3
timestamp: 1587588081
userID: 953b11dd9ec6593a941245c43738a191110c7e42f8e81b75fd6a18452a2755bb
version: 3
visibility: anonymous,support
}
|
app.SplunkEnterpriseSecuritySuite.splunk_apps |
Reports what apps are installed along with Splunk Enterprise Security. |
{
app: SplunkEnterpriseSecuritySuite
component: app.SplunkEnterpriseSecuritySuite.splunk_apps
data: {
app_label: Splunk Add-on for UEBA
app_name: Splunk_TA_ueba
version: 3.1.0
}
deploymentID: e332f45a-ce63-5385-8b03-5ddda41edca1
eventID: 74F06225-D7EA-4EA8-B097-847679513164
executionID: 9614FCEF-ACD0-42D7-9B26-3FAFC7DF28E9
optInRequired: 3
timestamp: 1662701117
type: event
userID: 7af36e5c388cd68886c069c341ea67b2a553c8ec89091f71d4ad652f9c632ad4
visibility: [ ... ]
}
|
app.session.rum.measure |
Reports performance metrics around API calls. |
{
component: app.session.rum.mark
data: {
app: SplunkEnterpriseSecuritySuite
context: {
}
hero: data/transforms/managed_lookups
page: ess_content_management_new
sourceLocation: {
size: 234962 bytes
status: 200
success: true
}
timeSinceOrigin: 13765.400000035763
transactionId: 9db527a0-f349-11ec-ba71-d51f5aafc42d
}
deploymentID: 9aa97b42-ff6d-5381-b1d3-a80ad934fbce
eventID: cde8c736-b7f9-0c84-8d34-0d8d3f99bf3e
experienceID: d0a6bfc4-4c5e-00f0-a302-b9a38ae05590
optInRequired: 3
splunkVersion: 8.2.2201
timestamp: 1656025808
userID: 923d6d128a7f8bfbb1950cc0be471b9251b0209477ad236e91f31debddd99699
version: 4
visibility: anonymous,support
}
|