There are a variety of key files in Splunk Security Essentials which govern app functionality. Here are the most valuable files to review.
Defines the logic for what JS is launched by which scripts.
The beating heart of SSE. Look for more documentation on this coming soon.
Provides the ability to render an attractive tile for a piece of content.
The config menu in the app.
An attempt to centralize some things that are standard across the app (e.g., bookmark status names, versus IDs). Not widely adopted.
Main export modal, the CSV export, and the Print-to-PDF logic.
The XLSX export.
The dialog for handling all snapshots.
The actual display detail for rendering the Print-to-PDF visuals. Note that this is the same logic used in the search builders themselves – there are some minor tweaks to allow for displaying all accordions by default, removing links, etc.
A REST handler front end for pulling JSON files that allows us to swap content from the KV store for the raw files (e.g., MITRE), or to enrich content (e.g., custom_content into data_inventory.json).
Allows us to fetch a lookup via a GET from within a require() statement. Only present for simplicity.
The core of generating Modals in SSE. A better example for copying into other apps is UnattachedModal.js, which is copied from SA-devforall.
Only used in data_inventory.js; it should probably be swapped to Modal.js at this point.
Used for the save search dialog (mostly from the MLTK era).
dashboard.js is run for every dashboard in the app – lots of misc logic functions live there (e.g., collectDiag()).
All telemetry is handled by swa.js, but the SSE wrapper around it is here.
The new home page is run by home.js, and all the logic for the guides is stored in intro_content.json.
The original core of SSE, this JS file contains the logic for the Security Contents page.
This is the core file for the data_inventory dashboard, first introduced in 2.4. It generates the display from data_inventory.json
This contains the UI elements for product configuration.
This contains the introspection logic.
Look for dev docs on the data inventory introspection process coming soon.
This contains the raw data inventory configuration. When grabbed through pullJSON it will augment it with any
The core logic for the Bookmarked Content dashboard is handled in this file.
The logic for the correlation search introspection is handled in this file.
Viewing a Detection
showcase_simple_search.js, showcase_first_seen_demo.js, showcase_standard_deviation.js, showcase_phantom.js, showcase_custom.js
There are dedicated files for each of the standard search builders, each providing capabilities for the types of searches they need to run.
Most of the real work for generating the display is actually handled in ProcessSummaryUI.js, allowing for an equivalent display across the different apps.
ES and ESCU and UBA Content
Despite its simple name, es_use_case.js is responsible for rendering content from ES, ESCU, and UBA (es_use_case.xml, escu_use_case.xml, uba_use_case.xml).
Data Source Onboarding Guides
This file is based on the SimpleXML Examples app, with some enhancements. All of the HTML for all of the docs is embedded in this
Security Data Journey
Renders the Security Journey. Custom JS and CSS, built by Dave Herrald.
The translation logic in SSE is fully implemented, but the JSON files for other languages referenced below do not ship due to concerns over the accuracy of the translation.
For detail on the translation process in SSE, visit the dedicated Translation page.
Syntax Highlighting, particularly around custom / partner content, and the line-by-line SPL.
The search engine used on contents.js and MapExistingSearchContent.js is listed here.
Showdown does markdown conversion for the descriptive fields (as documented in the partner integration guide and schema).
FileSaver allows you to save a generated file with a particular filename.
Custom Search Commands
See list at Search Commands