Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether you opt in to sending usage data to Splunk, and they do not have a significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user-journey information, with users' personally identifiable information redacted.

Splunk collects usage data to improve the design, usability, and experience of the product. Customers may opt out of sharing AI data, including but not limited to chats, responses, context, and feedback. To opt out of sharing this AI data, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.

What data is collected

Version 8.3

Splunk Enterprise Security version 8.3 collects the following basic usage information:

For information on the telemetry collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Each entry lists the component, a description of the data, and an example event (JSON):
Component: app.UEBAContent.DeploymentInfo
Description: General information about the UEBA CMP deployment.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.DeploymentInfo",
  "data": {
    "monitored_devices": 10,
    "monitored_users": 50
  },
  "deploymentID": "e0cc3c50-1421-524d-a1cf-22fa7f1678c9",
  "eventID": "82FB15E6-9839-404A-8B3E-00E28BE00A38",
  "executionID": "E72C1C29-D16F-4331-8DD6-1E2501EF8E5A",
  "optInRequired": 3,
  "original_event_id": "cc2ca97a1869a7000c85e5cbac456b858d42c5e25d61dc97bbd877fc3c364bbf",
  "original_timestamp": 1760584207,
  "timestamp": 1760584207,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.SearchExecution
Description: Information about UEBA search execution times.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.SearchExecution",
  "data": {
    "avg_run_time": 0.56,
    "count": 22,
    "search_alias": "UEBA - AD Device Access Summarization - Summary Gen"
  },
  "deploymentID": "2fba8ab1-b4e0-586c-805b-670e371263b1",
  "eventID": "87675FB5-2CEA-484B-B2ED-D495DB1BB8A5",
  "executionID": "7992A96B-61EA-4BC2-9290-C363B60E78A5",
  "optInRequired": 3,
  "original_event_id": "9401f4a826820d8aba471513f0cfcddaf7ba21149923954232fcf4f292ec175a",
  "original_timestamp": 1760584203,
  "timestamp": 1760584203,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.DetectionStatus
Description: Metrics related to detection execution.
Example (JSON):
{
  "app": "search",
  "component": "app.UEBAContent.DetectionStatus",
  "data": {
    "content_provider": "cmp",
    "correlation_search_name": "UEBA - Rare Device Login By Windows User - Rule",
    "distinct_entity_count": 2,
    "enabled_status": "Enabled",
    "entities_count": 82,
    "findings_count": 2,
    "latest_run_time": "2025-10-14 09:48:04 UTC",
    "next_scheduled_time": "2025-10-15 05:00:00 UTC"
  },
  "deploymentID": "d7adc549-486a-552f-9758-aa8058656fbd",
  "eventID": "DBE581BB-ACC2-4F0A-AFCF-EAB034ABBEBA",
  "executionID": "42E66F61-E2C5-411A-9813-6A4936291E5E",
  "optInRequired": 3,
  "splunkVersion": "9.3.3",
  "timestamp": 1760437392,
  "type": "event",
  "userID": "c68246bdd481dcd97886882354eabb18f7eb72ebe95800dd041503e0899db302",
  "visibility": [...]
}
Component: app.UEBAContent.FailedSearches
Description: Metrics related to failed UEBA searches.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.FailedSearches",
  "data": {
    "count": 2,
    "savedsearch_name": "UEBA - AD Rare Microsoft Windows Device Access - Scoring"
  },
  "deploymentID": "63fd904f-0986-51ca-a4fa-cfefe3822b99",
  "eventID": "19168A80-1A09-4F21-BA75-BCC1938E2A85",
  "executionID": "2865F436-0285-41DB-B3AC-8AA526DC4498",
  "optInRequired": 3,
  "original_event_id": "3264ef3b88886d7522f7ca5e8f2d55a2eb26558d9f01deced93d1cf50250aa44",
  "original_timestamp": 1760670604,
  "timestamp": 1760670604,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.SkippedSearches
Description: Metrics related to skipped UEBA searches.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.SkippedSearches",
  "data": {
    "count": 5,
    "savedsearch_name": "UEBA - AD Rare Microsoft Windows Device Access - Scoring"
  },
  "deploymentID": "63fd904f-0986-51ca-a4fa-cfefe3822b99",
  "eventID": "19168A80-1A09-4F21-BA75-BCC1938E2A85",
  "executionID": "2865F436-0285-41DB-B3AC-8AA526DC4498",
  "optInRequired": 3,
  "original_event_id": "3264ef3b88886d7522f7ca5e8f2d55a2eb26558d9f01deced93d1cf50250aa44",
  "original_timestamp": 1760670604,
  "timestamp": 1760670604,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.IndexStatsBySource
Description: Index performance statistics.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.IndexStatsBySource",
  "data": {
    "event_count": 888,
    "events_count_last_24h": 0,
    "name": "unusual_login_authentication_per_user_feature_login",
    "size_mb": 0.04
  },
  "deploymentID": "63fd904f-0986-51ca-a4fa-cfefe3822b99",
  "eventID": "17574F29-36B7-42B3-AAD6-F81258566D13",
  "executionID": "2865F436-0285-41DB-B3AC-8AA526DC4498",
  "optInRequired": 3,
  "original_event_id": "e558cfd39ca58dc7fc55472d7d08921f9e3bfad3eec293e9f0fb78cfef0e49b7",
  "original_timestamp": 1760670606,
  "timestamp": 1760670606,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.KvStats
Description: Performance statistics related to KV Store collections.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.KvStats",
  "data": {
    "collection_name": "brute_force_authentication_device_user_map",
    "record_count": 266,
    "size_kb": 1123
  },
  "deploymentID": "63fd904f-0986-51ca-a4fa-cfefe3822b99",
  "eventID": "7FD30E9C-964E-4FB3-86C0-30D306AE283B",
  "executionID": "2865F436-0285-41DB-B3AC-8AA526DC4498",
  "optInRequired": 3,
  "original_event_id": "3b502c5a60b3c3c9842a55666b1d4a03e14c8a31d29fbc8e89366fff452adc4a",
  "original_timestamp": 1760670605,
  "timestamp": 1760670605,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.IndexStats
Description: Index performance statistics.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.IndexStats",
  "data": {
    "event_count": 10823170,
    "name": "ueba_summaries",
    "size_mb": 488.515625
  },
  "deploymentID": "63fd904f-0986-51ca-a4fa-cfefe3822b99",
  "eventID": "BC5E8952-9AFF-4A1D-A22D-0A0BABF1DD22",
  "executionID": "2865F436-0285-41DB-B3AC-8AA526DC4498",
  "optInRequired": 3,
  "original_event_id": "a5165eccc82f04f8c4fbd67a38a87c69b6dc5d5494e9a18fb58152255c449ae2",
  "original_timestamp": 1760670604,
  "timestamp": 1760670604,
  "type": "aggregate",
  "visibility": [...]
}
Component: app.UEBAContent.DataAvailability
Description: Information on data availability for UEBA detections.
Example (JSON):
{
  "app": "DA-ESS-UEBAContent",
  "component": "app.UEBAContent.DataAvailability",
  "data": {
    "fields_availability": {
      "EventCode": 100,
      "derived_LoginSourceDeviceName": 100,
      "derived_LoginTargetDeviceName": 0,
      "derived_loginSourceDeviceId": 100,
      "derived_loginTargetDeviceId": 0,
      "derived_originDeviceId": 100,
      "derived_rawSourceAddress": 0,
      "derived_rawTargetAddress": 100,
      "derived_sourceDomain": 0,
      "derived_targetAccountName": 100,
      "derived_targetDomain": 100,
      "logonProcess": 100,
      "logonType": 100,
      "processName": 100,
      "returnCode": 100,
      "total_count": 0
    },
    "search_name": "Rare Device Access in Windows Login Data"
  },
  "deploymentID": "2fba8ab1-b4e0-586c-805b-670e371263b1",
  "eventID": "6DBF04FA-1055-4C20-A098-3AC57A37BBA1",
  "executionID": "7992A96B-61EA-4BC2-9290-C363B60E78A5",
  "optInRequired": 3,
  "original_event_id": "9484b1deae3b03c0b756ca846bf57e05f5f31a659566fc1a5ea4947d85a2d3cd",
  "original_timestamp": 1760584231,
  "timestamp": 1760584231,
  "type": "aggregate",
  "visibility": [...]
}
Component: Mission Control - bulkUpdateSuccess
Description: A successful bulk update request in the Analyst Queue.
Example (JSON):
{
    "type": "MissionControl.bulkUpdateSuccess",
    "data": {
        "action": "Bulk update",
        "totalUpdated": 25,
        "totalSelected": 26,
        "isGlobalSelectionActive": true,
        "appName": "MissionControl",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "MissionControl.bulkUpdateSuccess",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "bulkUpdateSuccess"
    }
}
Component: Mission Control - bulkUpdateGlobalSelectionFailed
Description: A failed bulk update request when global selection is active (all items are selected across the entire queue).
Example (JSON):
{
    "type": "MissionControl.bulkUpdateGlobalSelectionFailed",
    "data": {
        "error": "Failed to fetch",
        "appName": "MissionControl",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "MissionControl.bulkUpdateGlobalSelectionFailed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "bulkUpdateGlobalSelectionFailed"
    }
}
Component: Enterprise security - aq-global-selection-active
Description: Emitted whenever a user clicks the "Select all X findings and investigations" button in the Analyst Queue to activate global selection.
Example (JSON):
{
    "type": "enterprise-security.aq-global-selection-active",
    "data": {
        "selectedCount": 34,
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "enterprise-security.aq-global-selection-active",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "aq-global-selection-active"
    }
}
Component: Enterprise security - aq-assign-to-me-success
Description: A successful "Assign to me" request in the Analyst Queue.
Example (JSON):
{
    "type": "enterprise-security.aq-assign-to-me-success",
    "data": {
        "count": 34,
        "isGlobalSelectionActive": true,
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "enterprise-security.aq-assign-to-me-success",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "aq-assign-to-me-success"
    }
}
Component: Enterprise security - aq-assign-to-me-failed
Description: A failed "Assign to me" request in the Analyst Queue.
Example (JSON):
{
    "type": "enterprise-security.aq-assign-to-me-failed",
    "data": {
        "error": "Findings assignment failed: Error: Finding changes could not be saved.",
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "enterprise-security.aq-assign-to-me-failed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "aq-assign-to-me-failed"
    }
}
Component: Enterprise security - aq-global-assign-to-me-failed
Description: A failed "Assign to me" request when global selection is active in the Analyst Queue.
Example (JSON):
{
    "type": "enterprise-security.aq-global-assign-to-me-failed",
    "data": {
        "error": "Findings assignment failed: Error: Finding changes could not be saved.",
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "enterprise-security.aq-global-assign-to-me-failed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "aq-global-assign-to-me-failed"
    }
}

Component: Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL
Description: Successful pinning of a field in the AQ side panel.
Example (JSON):
{
  "data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL
Description: Successful unpinning of a field in the AQ side panel.
Example (JSON):
{
  "data": {
    "action": "unpin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL
Description: Successful reordering of a pinned field in the AQ side panel.
Example (JSON):
{
  "data": {
    "action": "reorder",
    "fieldKey": "create_time",
    "fromIndex": 0,
    "toIndex": 1,
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW
Description: Successful pinning of a field in Investigation Overview.
Example (JSON):
{
  "data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW
Description: Successful unpinning of a field in Investigation Overview.
Example (JSON):
{
  "data": {
    "action": "unpin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW
Description: Successful reordering of a pinned field in Investigation Overview.
Example (JSON):
{
  "data": {
    "action": "reorder",
    "fieldKey": "create_time",
    "fromIndex": 0,
    "toIndex": 1,
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}

Component: Mission Control - PINNED_FIELDS_INVESTIGATION_SIDE_PANEL
Description: Successful pinning of a field in the Investigation Overview side panel.
Example (JSON):
{
  "data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
  }
}
Component: Enterprise security - aq-analyst-workflow
Description: Sort the AQ table by entity name.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "aq-analyst-workflow",
  "data": {
    "action": "click",
    "section": "sort-aq-table-by-entity-name"
  }
}
Component: Enterprise security - aq-analyst-workflow
Description: Sort the AQ table by entity risk score.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "aq-analyst-workflow",
  "data": {
    "action": "click",
    "section": "sort-aq-table-by-entity-risk-score"
  }
}
Component: Enterprise security - aq-analyst-workflow
Description: Sort the AQ table by finding score.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "aq-analyst-workflow",
  "data": {
    "action": "click",
    "section": "sort-aq-table-by-finding-score"
  }
}
Component: Enterprise security - aq-analyst-workflow
Description: View all nested findings or finding groups in an AQ table item.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "aq-analyst-workflow",
  "data": {
    "section": "aq_nested_findings",
    "action": "view_all_findinggroups_findings",
    "isInvestigation": true,
    "totalCount": 11
  }
}
Component: Mission Control - SIDEPANEL_INCLUDED_FINDINGS_TABLE
Description: View all nested findings or finding groups in the AQ side panel.
Example (JSON):
{
  "data": {
    "appName": "MissionControl",
    "component": "MissionControl.SIDEPANEL_INCLUDED_FINDINGS_TABLE",
    "action": "view_all_findinggroups_findings",
    "isInvestigation": true,
    "totalCount": 11
  }
}
Component: Mission Control - SIDEPANEL_INCLUDED_FINDINGS_TABLE
Description: View all nested findings when a finding group is expanded under the Included Findings table in the AQ side panel.
Example (JSON):
{
  "data": {
    "appName": "MissionControl",
    "component": "MissionControl.SIDEPANEL_INCLUDED_FINDINGS_TABLE",
    "action": "view_all_findings"
  }
}
Component: Mission Control - SIDEPANEL_DETAILS_BREADCRUMBS
Description: Navigation using the breadcrumbs at the top of the AQ side panel.
Example (JSON):
{
  "data": {
    "appName": "MissionControl",
    "component": "MissionControl.SIDEPANEL_DETAILS_BREADCRUMBS",
    "action": "breadcrumb_clicked",
    "type": "finding_group",
    "breadcrumbLevel": 2,
    "totalBreadcrumbs": 3
  }
}
Component: Mission Control - FINDINGS_SIDE_PANEL
Description: Show more findings or finding groups in the findings side panel of Investigation Overview.
Example (JSON):
{
  "data": {
    "appName": "MissionControl",
    "component": "MissionControl.FINDINGS_SIDE_PANEL",
    "action": "show_more_findinggroups_findings",
    "currentPage": 2
  }
}
Component: Mission Control - FINDINGS_SIDE_PANEL
Description: Show more findings within a finding group in the findings side panel of Investigation Overview.
Example (JSON):
{
  "data": {
    "appName": "MissionControl",
    "component": "MissionControl.FINDINGS_SIDE_PANEL",
    "action": "show_more_findings",
    "currentPage": 2
  }
}
Component: Mission Control - NESTED_DRILLDOWN_VIEW
Description: The viewing duration on the nested drilldown view.
Example (JSON):
{
    "appName":"enterprise-security",
    "component":"nested_drilldown_view_duration",
    "data":{
         "duration":"42.30",
         "type":"finding_group"
    }
}
Component: Mission Control - NESTED_DRILLDOWN_VIEW
Description: The action performed in the nested drilldown view.
Example (JSON):
{
    "appName":"enterprise-security",
    "component":"nested_drilldown_view_duration",
    "data":{
         "action":"SORT"
    }
}

Component: Mission Control - associatedFindingsCheckbox
Description: Whether the associated findings checkbox is checked or not.
Example (JSON):
{
    "appName":"MissionControl",
    "component":"associatedFindingsCheckbox",
    "data":{
         "action":"clicked",
         "type":"checked"
    }
}
Component: Enterprise security - legacy-investigation-list
Description: The legacy investigation list has been loaded.
Example (JSON):
{
    "appName":"enterprise-security",
    "component":"legacy-investigation-list",
    "data":{
         "action":"loaded",
         "section":"success"
    }
}
Component: Enterprise security - legacy-investigation
Description: A legacy investigation has been loaded.
Example (JSON):
{
    "appName":"enterprise-security",
    "component":"legacy-investigation",
    "data":{
         "action":"loaded"
    }
}
Component: Enterprise security - select-add-app-to-versioning
Description: On Configure → General Settings → Versioning, emitted when an app is selected.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "select-add-app-to-versioning",
  "data": {
    "action": "select-app",
    "apps": [{"name": "mycustomapp", "author": "david", "version": "1.0.0"}]
  }
}
Component: Enterprise security - confirm-add-app-to-versioning
Description: On Configure → General Settings → Versioning, emitted when the confirm button is clicked on add apps.
Example (JSON):
{
  "appName": "enterprise-security",
  "component": "confirm-add-app-to-versioning",
  "data": {
    "action": "confirm-add-apps",
    "result": "success",
    "appCount": 1,
    "appNames": ["myCustomApp"]
  }
}

Version 8.2

Splunk Enterprise Security version 8.2 collects the following basic usage information:

For information on the telemetry collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Name of telemetry event | Search used to isolate results | Results
drilldown-dashboard | index=prod_analytics_entcloud "drilldown-dashboard" | { action: click, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.drilldown-dashboard, name: drilldown-dashboard, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir-expansion-link, sessionID: ..., type: event }
risk_events_table | index=prod_analytics_entcloud "risk_events_table" | { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk_events_table, name: risk_events_table, page: incident_review, pathname: ..., sessionID: ..., type: event }
risk-timeline | index=prod_analytics_entcloud "risk-timeline" | { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.risk-timeline, name: risk-timeline, page: incident_review, pathname: ..., sessionID: ..., type: event }
threat-topology | index=prod_analytics_entcloud "threat-topology" | { action: view, app: SplunkEnterpriseSecuritySuite, appName: securityUI, component: securityUI.threat-topology, name: threat-topology, page: incident_review, pathname: ..., sessionID: ..., type: event }
responseTemplateAppliedByType | index=prod_analytics_entcloud "*responseTemplateAppliedByType" | { app: SplunkEnterpriseSecuritySuite, incidentType: automation, page: incident_review, pathname: ..., sessionID: ..., type: event }
riskEventTimelineViewed | index=prod_analytics_entcloud "*riskEventTimelineViewed" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.riskEventTimelineViewed, eventType: user, score: ..., sessionID: ..., type: event }
aqSidePanelOpened | index=prod_analytics_entcloud "*aqSidePanelOpened" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelOpened, id: ..., sessionID: ..., type: event }
aqSidePanelClosed | index=prod_analytics_entcloud "*aqSidePanelClosed" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelClosed, action: close, sessionID: ..., type: event }
imSubscription | index=prod_analytics_entcloud "*imSubscription" data.appName="MissionControl" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.imSubscription, subscribed: false, sessionID: ..., type: event }
feedbackProvided | index=prod_analytics_entcloud "feedbackProvided" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, messageId: ..., feedback: {...}, sessionID: ..., type: event }
messageSent | index=prod_analytics_entcloud "messageSent" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, message: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked | index=prod_analytics_entcloud "runSPLClicked" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, sessionID: ..., threadId: ..., type: event }
splExecutedWithResults | index=prod_analytics_entcloud "splExecutedWithResults" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, resultsCount: 42, sessionID: ..., threadId: ..., type: event }
splExecutedWithNoResults | index=prod_analytics_entcloud "splExecutedWithNoResults" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, sessionID: ..., threadId: ..., type: event }
splExecutionFailed | index=prod_analytics_entcloud "splExecutionFailed" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, sessionID: ..., threadId: ..., type: event }
responseReceived | index=prod_analytics_entcloud "responseReceived" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, aiResponse: ..., sessionID: ..., type: event }
newChatStarted | index=prod_analytics_entcloud "newChatStarted" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., sessionID: ..., type: event }
threadCreated | index=prod_analytics_entcloud "threadCreated" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., threadId: ..., sessionID: ..., type: event }
ir-analyst-workflow | index=prod_analytics_entcloud "ir-analyst-workflow" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, page: incident_review, section: ir_views_panel, sessionID: ..., type: event }
filter-dropdown-ueba-app | index=prod_analytics_entcloud "filter-dropdown-ueba-app" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type | index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: ..., selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection | index=prod_analytics_entcloud "save-detection" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, section: event_based_detection, sessionID: ..., type: event }
threat-topology | index=prod_analytics_entcloud "threat-topology" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, sessionID: ..., type: event }
disposition-required | index=prod_analytics_entcloud "disposition-required" | { app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create | index=prod_analytics_entcloud "disposition-create" | { app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline | index=prod_analytics_entcloud "ir-event-timeline" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status | index=prod_analytics_entcloud "diff-view-status" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
change-default-app | index=prod_analytics_entcloud "change-default-app" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: ..., sessionID: ..., type: event }
event-based detection | index=prod_analytics_entcloud "event-based detection" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, sessionID: ..., type: event }
finding-based detection | index=prod_analytics_entcloud "finding-based detection" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, sessionID: ..., type: event }
change-default-detection | index=prod_analytics_entcloud "change-default-detection" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: ..., sessionID: ..., type: event }
open-in-editor | index=prod_analytics_entcloud "open-in-editor" | { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, section: event-based detection, sessionID: ..., type: event }
ba-enable-modal | index=prod_analytics_entcloud "ba-enable-modal" | { app: SplunkEnterpriseSecuritySuite, page: ess_home, section: remind-me-later }
drilldown-search | index=prod_analytics_entcloud "drilldown-search" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: ir-expansion-link }
risk-analysis-dashboard | index=prod_analytics_entcloud "risk-analysis-dashboard" | { app: SplunkEnterpriseSecuritySuite, page: risk_analysis, section: viz_risk_score_by_object }
asset-identity-correlation-setup-status | index=prod_analytics_entcloud "asset-identity-correlation-setup-status" | { app: SplunkEnterpriseSecuritySuite, page: ess_configuration/, section: enabled_for_all_sourcetypes }
ir-enhanced-views-tour | index=prod_analytics_entcloud "ir-enhanced-views-tour" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, section: showTour }
dlfa-setup-modal | index=prod_analytics_entcloud "dlfa-setup-modal" | { action: modal closed }
incidentReviewPollingPaused | index=prod_analytics_entcloud "incidentReviewPollingPaused" | { action: incidentList.polling.paused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
incidentReviewPollingUnpaused | index=prod_analytics_entcloud "incidentReviewPollingUnpaused" | { action: incidentList.polling.unpaused, app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ... }
fileUploadedIncident | index=prod_analytics_entcloud "fileUploadedIncident" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., size: 172 }
fileUploadedTask | index=prod_analytics_entcloud "fileUploadedTask" | { app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., size: 3094317 }
fileDownloaded | index=prod_analytics_entcloud "fileDownloaded" | { count: 96, host: ..., source: ..., sourcetype: ... }
manualIncidentCreated | index=prod_analytics_entcloud "manualIncidentCreated" | { app: missioncontrol, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., incident_type: default }
responsePlanTaskEnded | index=prod_analytics_entcloud "responsePlanTaskEnded" | { action: taskStatus.ended, app: missioncontrol, page: mc_incident_review, planId: ..., taskId: ..., sessionID: ..., type: event }
responseTemplateSearchCount | index=prod_analytics_entcloud "responseTemplateSearchCount" | { app: SplunkEnterpriseSecuritySuite, count: 1, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responsePlanSearchClicked | index=prod_analytics_entcloud "responsePlanSearchClicked" | { app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: ..., responseName: ..., sessionID: ..., spl: ... }
responsePlanSoarAutomationClicked | index=prod_analytics_entcloud "responsePlanSoarAutomationClicked" | { app: missioncontrol, component: app.session.MissionControl, incidentId: ..., page: mc_incident_review, phaseId: ..., sessionID: ..., taskId: ..., type: playbook }
responsePlanAddTaskError | index=prod_analytics_entcloud "responsePlanAddTaskError" | { errorInfo: { errorType: responsePlanAddTaskError, payload: request payload } }
responseTemplateCreated | index=prod_analytics_entcloud "responseTemplateCreated" | { app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateUpdated | index=prod_analytics_entcloud "responseTemplateUpdated" | { app: SplunkEnterpriseSecuritySuite, name: ..., page: ess_configuration/, pathname: ..., sessionID: ..., status: published }
responseTemplateAppliedManually | index=prod_analytics_entcloud "responseTemplateAppliedManually" | { app: SplunkEnterpriseSecuritySuite, count: 1, incidentId: ..., page: incident_review, pathname: ..., sessionID: ... }
responseTemplateAppliedByType | index=prod_analytics_entcloud "responseTemplateAppliedByType" | { app: SplunkEnterpriseSecuritySuite, count: 1, incidentType: automation, page: incident_review, pathname: ..., sessionID: ... }
aqSidePanelBackNextNavigation | index=prod_analytics_entcloud "aqSidePanelBackNextNavigation" | { direction: next, app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelBackNextNavigation, name: aqSidePanelBackNextNavigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelStartInvestigation | index=prod_analytics_entcloud "aqSidePanelStartInvestigation" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelStartInvestigation, id: ..., name: aqSidePanelStartInvestigation, page: incident_review, pathname: ..., sessionID: ..., type: event }
aqSidePanelUpdateMetadata | index=prod_analytics_entcloud "aqSidePanelUpdateMetadata" | { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.aqSidePanelUpdateMetadata, field: status, id: ..., name: aqSidePanelUpdateMetadata, value: 5, sessionID: ..., type: event }
fileUploadTooBigError | index=prod_analytics_entcloud "*fileUploadTooBigError" | { errorMessage: "File upload failed, Please upload a file under 50 MB" }
timRedirectError | index=prod_analytics_entcloud "*timRedirectError" | { errorInfo: "Failed to get matching Incident for the Notable. Error" }
soarRedirectError | index=prod_analytics_entcloud "*soarRedirectError" | { errorInfo: "Failed to redirect to Splunk SOAR from the current Enterprise Security Domain" }
soarRedirect | index=prod_analytics_entcloud "*soarRedirect" | { app: SplunkEnterpriseSecuritySuite, nextPage: /lists, page: soar_redirect, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/soar_redirect }
JSONSyntaxError index=prod_analytics_entcloud "*JSONSyntaxError" { app: missioncontrol, error: "SyntaxError: Bad escaped character in JSON at position 42 (line 1 column 43)", errorType: JSONSyntaxError, page: mc_incident_review, pathname: /en-US/app/missioncontrol/mc_incident_review, sessionID: ..., type: event }
uiError index=prod_analytics_entcloud "*uiError" { app: SplunkEnterpriseSecuritySuite, error: Unauthorized, errorType: riskEventAIStatusError, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
newChatStarted index=prod_analytics_entcloud "*newChatStarted" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.newChatStarted, investigationId: ..., name: newChatStarted, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., type: event }
threadCreated index=prod_analytics_entcloud "*threadCreated" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.threadCreated, investigationId: ..., name: threadCreated, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
messageSent index=prod_analytics_entcloud "*messageSent" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.messageSent, investigationId: ..., message: ..., messageSendTime: ..., name: messageSent, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ..., threadId: ..., type: event }
responseReceived index=prod_analytics_entcloud "*responseReceived" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.responseReceived, investigationId: ..., messageId: ..., name: responseReceived, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
feedbackProvided index=prod_analytics_entcloud "*feedbackProvided" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.feedbackProvided, investigationId: ..., messageId: ..., name: feedbackProvided, optInRequired: 3, page: incident_review, feedback: {...}, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
runSPLClicked index=prod_analytics_entcloud "*runSPLClicked" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.runSPLClicked, investigationId: ..., messageId: ..., name: runSPLClicked, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutedWithResults index=prod_analytics_entcloud "*splExecutedWithResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithResults, investigationId: ..., messageId: ..., name: splExecutedWithResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., resultsCount: 42, threadId: ..., type: event }
splExecutedWithNoResults index=prod_analytics_entcloud "*splExecutedWithNoResults" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutedWithNoResults, investigationId: ..., messageId: ..., name: splExecutedWithNoResults, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
splExecutionFailed index=prod_analytics_entcloud "*splExecutionFailed" { app: SplunkEnterpriseSecuritySuite, appName: MissionControl, component: MissionControl.splExecutionFailed, investigationId: ..., messageId: ..., name: splExecutionFailed, optInRequired: 3, page: incident_review, responseReceivedTime: ..., sessionID: ..., threadId: ..., type: event }
secaError index=prod_analytics_entcloud "*secaError" { errorInfo: { api: 'getThreadStatus', investigationId: incident?.id, threadId: ..., code: error_code, message: _(Thread run status returned status => ${status} and error code => ${error_code}) } }
ir-analyst-workflow index=prod_analytics_entcloud "*ir-analyst-workflow" data.appName="enterprise-security" { action: ..., app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir_views_panel, sessionID: ..., type: event }
module-federation-mc-remote-entry index=prod_analytics_entcloud "*module-federation-mc-remote-entry" { action: { connected: true }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-mc-remote-entry, name: module-federation-mc-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
filter-dropdown-ueba-app index=prod_analytics_entcloud "*filter-dropdown-ueba-app" data.appName="enterprise-security" data.name="filter-dropdown-ueba-app" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: ..., section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-cloud-ba-detection-type index=prod_analytics_entcloud "filter-dropdown-cloud-ba-detection-type" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-cloud-ba-detection-type, name: filter-dropdown-cloud-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["cloud_ba_detections"], sessionID: ..., type: event }
save-detection index=prod_analytics_entcloud "save-detection" { action: save, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.save-detection, name: save-detection, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
threat-topology index=prod_analytics_entcloud "threat-topology" { action: view, app: SplunkEnterpriseSecuritySuite, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, sessionID: ... }
disposition-required index=prod_analytics_entcloud "disposition-required" { action: is_not_required, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
disposition-create index=prod_analytics_entcloud "disposition-create" { action: view, app: SplunkEnterpriseSecuritySuite, page: ess_incident_review_configuration, section: disposition }
ir-event-timeline index=prod_analytics_entcloud "ir-event-timeline" { action: click, app: SplunkEnterpriseSecuritySuite, page: incident_review, section: zoomClick }
diff-view-status index=prod_analytics_entcloud "diff-view-status" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.diff-view-status, name: diff-view-status, optInRequired: 3, page: correlation_search_edit, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/correlation_search_edit, section: event_based_detection, sessionID: ..., type: event }
change-default-app index=prod_analytics_entcloud "change-default-app" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-app, name: change-default-app, current_app: splunk_investigation_kit, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
event-based detection index=prod_analytics_entcloud "event-based detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.event-based detection, name: event-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
finding-based detection index=prod_analytics_entcloud "finding-based detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.finding-based detection, name: finding-based detection, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-detection-tab, sessionID: ..., type: event }
change-default-detection index=prod_analytics_entcloud "change-default-detection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-default-detection, name: change-default-detection, current_detection: event_based_detection, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: default_app_settings, sessionID: ..., type: event }
open-in-editor index=prod_analytics_entcloud "open-in-editor" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.open-in-editor, name: open-in-editor, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-table-open-in-editor, sessionID: ..., type: event }
drilldown-dashboard index=prod_analytics_entcloud "drilldown-dashboard" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-dashboard, name: drilldown-dashboard, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
ba-enable-modal index=prod_analytics_entcloud "ba-enable-modal" { action: remind-me-later, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ba-enable-modal, name: ba-enable-modal, optInRequired: 3, page: ess_home, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_home, section: remind-me-later, sessionID: ..., type: event }
drilldown-search index=prod_analytics_entcloud "drilldown-search" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.drilldown-search, name: drilldown-search, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: ir-expansion-link, sessionID: ..., type: event }
risk-analysis-dashboard index=prod_analytics_entcloud "risk-analysis-dashboard" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.risk-analysis-dashboard, name: risk-analysis-dashboard, optInRequired: 3, page: risk_analysis, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/risk_analysis, section: viz_risk_score_by_object, sessionID: ..., type: event }
asset-identity-correlation-setup-status index=prod_analytics_entcloud "asset-identity-correlation-setup-status" { action: view, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.asset-identity-correlation-setup-status, name: asset-identity-correlation-setup-status, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: enabled_for_all_sourcetypes, sessionID: ..., type: event }
ir-enhanced-views-tour index=prod_analytics_entcloud "ir-enhanced-views-tour" { action: showTour, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-enhanced-views-tour, name: ir-enhanced-views-tour, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: enhanced_views_tour, sessionID: ..., type: event }
dlfa-setup-modal index=prod_analytics_entcloud "dlfa-setup-modal" { action: modal closed, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.dlfa-setup-modal, name: dlfa-setup-modal, optInRequired: 3, page: ess_configuration/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/, section: dlfa-setup-modal, sessionID: ..., type: event }
turn-on-versioning-feature index=prod_analytics_entcloud environment=* "turn-on-versioning-feature" { action: enabled, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.turn-on-versioning-feature, name: turn-on-versioning-feature, optInRequired: 3, page: ess_configuration/, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_configuration/, sessionID: ..., type: event }
change-detection-status index=prod_analytics_entcloud environment=* "change-detection-status" data.appName="enterprise-security" { action: off, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.change-detection-status, name: change-detection-status, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: finding_based_detection, sessionID: ..., type: event }
ir-analyst-workflow index=prod_analytics_entcloud environment=* "*change_current_view" OR "*toggle_views_panel" { action: { action: change_current_view, filter_set: {...}, is_default: false, is_private: true, table_attributes: [...] }, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.ir-analyst-workflow, name: ir-analyst-workflow, optInRequired: 3, page: incident_review/, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review/, section: ir_views_panel, sessionID: ..., type: event }
editor-clone-detection index=prod_analytics_entcloud environment=* "editor-clone-detection" data.appName="enterprise-security" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-clone-detection, name: editor-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: event_based_detection, sessionID: ..., type: event }
editor-modal-clone-detection index=prod_analytics_entcloud environment=* "editor-modal-clone-detection" data.appName="enterprise-security" { action: cloned, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.editor-modal-clone-detection, name: editor-modal-clone-detection, optInRequired: 3, page: ess_content_management, pathname: /en-GB/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: ebd, sessionID: ..., type: event }
module-federation-ueba-remote-entry index=prod_analytics_entcloud environment=* "module-federation-ueba-remote-entry" { app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.module-federation-ueba-remote-entry, name: module-federation-ueba-remote-entry, optInRequired: 3, page: incident_review, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/incident_review, section: incident_review, sessionID: ..., type: event }
tune-risk-link-cmp-ba-detection index=prod_analytics_entcloud environment=* "tune-risk-link-cmp-ba-detection" data.appName="enterprise-security" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.tune-risk-link-cmp-ba-detection, name: tune-risk-link-cmp-ba-detection, page: ess_configuration, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event }
cmp-ba-detection-action index=prod_analytics_entcloud environment=* "*cmp-ba-detection-action" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.cmp-ba-detection-action, name: cmp-ba-detection-action, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: tune-risk-link-cmp-ba-detection, sessionID: ..., type: event, url: /en-US/app/SplunkEnterpriseSecuritySuite/ess_configuration/#/ueba/risk-exclusion-rules?... }
cm-filter-dropdown-selection index=prod_analytics_entcloud environment=* "*cm-filter-dropdown-selection" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ueba-app, name: filter-dropdown-ueba-app, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: cm-filter-dropdown-selection, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
filter-dropdown-ba-detection-type index=prod_analytics_entcloud environment=* "*filter-dropdown-ba-detection-type" { action: click, app: SplunkEnterpriseSecuritySuite, appName: enterprise-security, component: enterprise-security.filter-dropdown-ba-detection-type, name: filter-dropdown-ba-detection-type, optInRequired: 3, page: ess_content_management, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/ess_content_management, section: filter-dropdown-ba-detection-type, selections: ["DA-ESS-UEBA"], sessionID: ..., type: event }
fetch-ba-detections index=prod_analytics_entcloud environment=* "*fetch-ba-detections" { errorInfo: "failed to fetch CMP UEBA detections details with error" }
Seca.ContextSent index=prod_analytics_entcloud component="app.MissionControl.Seca.ContextSent" { context_type: spl_data_models }
Incident_Create index=prod_analytics_entcloud component="app.MissionControl.Incident_Create" { artifact_count: 0 }
Incident_Update index=prod_analytics_entcloud component="app.MissionControl.Incident_Update" { incident_count: 5, status: 2 }
Event_Add index=prod_analytics_entcloud component="app.MissionControl.Event_Add" { action: add, entity_type: notable, entity_uuid: ..., name: notable, optInRequired: 3, page: investigation/overview, pathname: /en-US/app/SplunkEnterpriseSecuritySuite/investigation/overview, sessionID: ..., type: event }
Added_Children_Incidents index="prod_analytics_entcloud" component="app.MissionControl.Added_Children_Incidents" data: { children_incident_count: 1, incident_count: 1 }
New_Parent_Child_Incident_Relationship index="prod_analytics_entcloud" component="app.MissionControl.New_Parent_Child_Incident_Relationship" data: { incident_count: 1 }
CustomField_Create index="prod_analytics_entcloud" component="app.MissionControl.CustomField_Create" data: { customfield_count: 1, name: CustomField_Create }
ArtifactConfig_Create index="prod_analytics_entcloud" component="app.MissionControl.ArtifactConfig_Create" data: { artifactconfig_count: 1 }
Seca.MessageSent index="prod_analytics_entcloud" component="app.MissionControl.Seca.MessageSent" data: { investigation_id: 1dda3208-23f8-4969-b689-d088f4ffea61, message: Failed to execute generated spl search index=<index> | stats count by index, sourcetype. Spl is invalid, spl parse error b'{"messages":[{"type":"FATAL","text":"Error in \'search\' command: Unable to parse the search: Comparator \'>\' is missing a term on the right hand side."}]}', messageSentTime: 2025-04-23 01:03:44, name: Seca.MessageSent, thread_id: d1699059-f8a7-4fa2-bd47-4a46174c9090 }
Event_Delete index="prod_analytics_entcloud" component="app.MissionControl.Event_Delete" data: { event_count: -1 }
Event_Update index="prod_analytics_entcloud" component="app.MissionControl.Event_Update" artifact_count: 0
Event_Create index="prod_analytics_entcloud" component="app.MissionControl.Event_Create" artifact_count: 0
Event_List index="prod_analytics_entcloud" component="app.MissionControl.Event_List" search_count: 1, search_job_elapsed_time: 1744295613
active_users index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.active_users" admin_count: 0, analyst_count: 0, count: 0, user_count: 0
annotations_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.annotations_usage" searches_with_annotations: 1869, searches_with_cis20: 1809, searches_with_kill_chain_phases: 1739, searches_with_mitre_attack: 1779, searches_with_nist: 1809, unique_annotation_count: 977, unique_framework_count: 7
asset_identity_correlation_setup_status index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.asset_identity_correlation_setup_status" asset_identity_correlation_setup_status: disabled_for_all_sourcetypes
datamodel_distribution index="prod_analytics_entcloud" datamodel: Performance
enabled_vulnerability_data_searches index="prod_analytics_entcloud" "*enabled_vulnerability_data_searches" annotations: {}, correlation_search_enabled: 0, creates_notable: 0, creates_risk: 0, disabled: 0
feature_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.feature_usage" avg_spent: 245, count: 1, view: incident_review
identity_manager index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.identity_manager" asset_blacklist_count: 0, asset_count: 4, asset_custom_count: 2, asset_enabled_count: 2, identity_blacklist_count: 0, identity_count: 3
lookup_usage index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.lookup_usage" count: 0, size: 0, transform: threatintel_by_email_subject
search_actions index="prod_analytics" "app.SplunkEnterpriseSecuritySuite.search_actions" action: notable, count: 2, is_adaptive_response: 1, total_scheduled: 110
search_execution index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.search_execution" avg_run_time: 18.63, count: 192, is_realtime: 0, search_alias: Access - Access App Tracker - Lookup Gen
riskfactors_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.riskfactors_usage" total: 12, fields_info: [dest_priority, other, src, src_category, user, user_category, user_priority, user_watchlist]
risk_riskfactors_impact index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_riskfactors_impact" distinct_risk_object_count: 231, max_calc_risk_score: 90, max_risk_score: 90, min_calc_risk_score: 20, min_risk_score: 20, risk_object_type: system, risk_factor_add_matches: 866, risk_factor_mult_matches: 866, max_risk_factor_add_matches: 0, max_risk_factor_mult_matches: 1, min_risk_factor_add_matches: 0, min_risk_factor_mult_matches: 1
risk_event_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_event_information" calculated_risk_score: 0, risk_factor_add: 0, risk_factor_mult: 0, risk_object_type: system, risk_score: 0, threat_object_type: signature
risk_notable_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.risk_notable_information" annotations: {"mitre_attack": ""}, notable_type: risk_event, risk_event_count: 18, risk_object_type: other
notable_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_information" annotations: {}, notable_type: notable, search_name: Threat - High Confidence APT, Malware and C2 Matches - Rule, security_domain: threat, severity: medium
notables_percent_suppressed index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_percent_suppressed" total_notables_count: 137613
notables_assigned_over_time index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notables_assigned_over_time" Assigned Notables: 0, Unassigned Notables: 3301336, Date: 2024-12-01
ba_test_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_test_information" risk_score: 45, risk_object_type: user, orig_sourcetype: NA, threat_object_type: NA, annotations: {"analytic_story":["Malicious PowerShell","Active Directory Lateral Movement","Hermetic Wiper","Scheduled Tasks","Data Destruction"],"mitre_attack":["T1021.003","T1053.005","T1059.001","T1021","T1047"],"nist":["DE.CM"],"cis20":["CIS 10"]}
saved_search_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.saved_search_information" creates_notable: 0, creates_risk: 0, disabled: 0, search_name: Bucket Merge Retrieve Conf Settings, annotations: {}
ba_detections index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.ba_detections" name: Unauthorized Activity Time (Preview), id: c0fbe7ee-57d4-11ee-8c99-0242ac120002, enabled: 1, useRiskIndex: 0, version: 1.15.63, annotations: {"mitre_attack":"T1003", "analytic_story":"Active Directory Lateral Movement", "kill_chain_phases":"Exploitation", "nist":"DE.CM", "cis20":"CIS 10"}
notable_event_status_changes index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.notable_event_status_changes" disposition_label: Benign Positive - Suspicious But Expected, urgency: informational, status: 5, status_label: Closed, time_modified: 04/22/2025 06:29:37
notable_events_by_urgency index="prod_analytics_entcloud" "*notable_events_by_urgency" creates_notable: 0, creates_risk: 0, disabled: 1, search_name: Notable_Events_By_Urgency, annotations: {}
datamodel_dataset_population index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.datamodel_dataset_population" dataset: All_Changes, model_name: Change, sourcetype: []
splunk_apps index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.splunk_apps" app_label: DA-ESS-AccessProtection, app_name: DA-ESS-AccessProtection, version: 7.3.3
investigation_information index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigation_information" create_time: 1744787122, investigation_id: 67ff56b3b3af912aa0085d30, name: Custom Investigation
investigations_overview index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.investigations_overview" create_time: 1481578121, hashed_collaborators: [hash], hashed_creator: [hash], hashed_investigation_name: [hash], investigation_id: 58e1b7afc31ae9da2e3124d0
macro_usage index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.macro_usage" definition: index=windows* sourcetype=WinEventLog source=WinEventLog:Security (eventtype=wineventlog_security OR Channel=security), macro_name: wineventlog_security
vulnerable_systems_percent_vulnerable index="prod_analytics_entcloud" "*vulnerable_systems_percent_vulnerable" percent_vulnerable_systems: ?
unique_threat_object_count index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.unique_threat_object_count" unique_threat_object_count: 0
untriaged_notables_by_domain index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.untriaged_notables_by_domain" Access: 62, Endpoint: 640, Identity: 4, Network: 28649, Threat: 12122854, date: 2025-03-02
threat_artifacts_overview index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_artifacts_overview" count: 12, malware_alias: , source_id: gr-binarydefense-2, source_path: /opt/splunk/etc/apps/SA-ThreatIntelligence/lookups/gr-binarydefense-2.csv, source_type: csv, threat_category: threat_intel, threat_group: gr-binarydefense-2
threat_matches index="prod_analytics_entcloud" "app.SplunkEnterpriseSecuritySuite.threat_matches" threat_matches: 0

Share threat data in Splunk Enterprise Security

Sharing telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract created or renewed after January 10, 2025, see Share threat data in Splunk Enterprise Security for details on the enhanced data sharing that supports improved detection capabilities, threat intelligence updates, and the operation of our security content offerings.