Key Files

There are a variety of key files in Splunk Security Essentials which govern app functionality. Here are the most valuable files to review.

Shared Files

Page Loading

runPageScript.js

Defines the logic for what JS is launched by which scripts.

Generating ShowcaseInfo

generateShowcaseInfo.py, ShowcaseInfo.json

The beating heart of SSE. Look for more documentation on this coming soon.

Tile Builder

BuildTile.js

Provides the ability to render an attractive tile for a piece of content.

Config Menu

system_config.js

The config menu in the app.

Common Data

common_data_objects.js

An attempt to centralize some things that are standard across the app (e.g., bookmark status names, versus IDs). Not widely adopted.

Export

export_panel.js

Main export modal, the CSV export, and the Print-to-PDF logic.

buildLilyXLSX.js

The XLSX export.

ManageSnapshots.js

The dialog for handling all snapshots.

ProcessSummaryUI.js

The actual display detail for rendering the Print-to-PDF visuals. Note that this is the same logic used in the search builders themselves – there are some minor tweaks to allow for displaying all accordions by default, removing links, etc.

Viewing Files

pullJSON.py

A REST handler front end for pulling JSON files, which allows us to swap content from the kvstore for the raw files (e.g., MITRE), or enrich content (e.g., custom_content into data_inventory.json).

pullCSV.py

Allows us to do a GET of a lookup in a require() statement. Only present for simplicity.

Modals

Modal.js

The core of generating Modals in SSE. A better example for copying into other apps is UnattachedModal.js, which is copied from SA-devforall.

UnattachedModal.js

Only used on data_inventory.js. It should probably be swapped to Modal.js at this point.

AlertModal.js

Used for the save search dialog (mostly from the MLTK era).

Centralized Functions

dashboard.js

dashboard.js is run for every dashboard in the app – lots of misc logic functions live there (e.g., collectDiag()).

Telemetry

sendTelemetry.js

All telemetry is handled by swa.js, but the SSE wrapper around it is here.

Home Page

home.js, intro_content.json

The new home page is run by home.js, and all the logic for the guides is stored in intro_content.json.

Security Contents

contents.js

The original core of SSE, this JS file contains the logic for the Security Contents page.

Data Inventory

data_inventory.js

This is the core file for the data_inventory dashboard, first introduced in 2.4. It generates the display from data_inventory.json.

DrawDataInventoryProducts.js

This contains the UI elements for product configuration.

data_inventory_introspection.js

This contains the introspection logic.

Look for dev docs on the data inventory introspection process coming soon.

data_inventory.json

This contains the raw data inventory configuration. When grabbed through pullJSON it will augment it with any

Bookmarks

bookmarked_content.js

The core logic for the Bookmarked Content dashboard is handled in this file.

MapExistingSearchContent.js

The logic for the correlation search introspection is handled in this file.

Viewing a Detection

showcase_simple_search.js, showcase_first_seen_demo.js, showcase_standard_deviation.js, showcase_phantom.js, showcase_custom.js

There are dedicated files for each of the standard search builders, each providing capabilities for the types of searches they need to run.

ProcessSummaryUI.js

Most of the real work for generating the display is actually handled in ProcessSummaryUI.js, allowing for an equivalent display across the different apps.

ES and ESCU and UBA Content

es_use_case.js

Despite its simple name, es_use_case.js is responsible for rendering content from ES, ESCU, and UBA (es_use_case.xml, escu_use_case.xml, uba_use_case.xml).

Data Source Onboarding Guides

data_source.js

This file is based on the SimpleXML Examples app, with some enhancements. All of the HTML for all of the docs are embedded in this

Security Data Journey

securityjourney.js

Renders the Security Journey. Custom JS and CSS, built by Dave Herrald.

Translation

runPageScript.js

The translation logic in SSE is fully implemented, but the JSON files for other languages referenced below do not ship due to concerns over the accuracy of the translation.

sselabels.json, htmlpanels.json

JavaScript-handled translations are stored here.

For detail on the translation process in SSE, visit the dedicated Translation page.

Third-Party Capabilities

Highlighting

highlight.pack.js

Syntax Highlighting, particularly around custom / partner content, and the line-by-line SPL.

Search Engine

lunr.js

The search engine used on contents.js and MapExistingSearchContent.js is listed here.

Markdown

showdown.js

Showdown does markdown conversion for the descriptive fields (as documented in the partner integration guide and schema).

JavaScript-generated Zips

FileSaver.js

FileSaver allows you to save a generated file with a particular filename.

jszip

jszip allows you to generate zip files in JavaScript.

Custom Search Commands

See list at Search Commands