Telemetry
Why we collect data
Splunk Security Essentials is a free app, and because of that we often don’t really know what people care about in the app. We’ve got lots of ideas for what we should build next, but we want to know what people find valuable. For customers who opt in, collecting data tells us what you care about! For example, we are shipping some Data Onboarding Guides. How often people actually use these will help us to know whether it’s worth it to build more. Everything is anonymized, so your info is always private.
How data is collected
If you opt in globally on your Splunk environment, the app enables an internal library to track basic usage and crash information. The library uses browser cookies to distinguish unique visitors and sessions, and sends events to Splunk as JSON over XHR, with all user- or system-identifying data replaced by GUIDs.
What we collect
Event | Description | Example Fields in addition to Common Fields |
---|---|---|
Example Opened | You were interested enough to open an example | status - exampleLoaded; exampleName - the name from the contents; searchName - which search for that example. |
SPL Viewed | You thought the SPL for an example was worth seeing! | status - SPLViewed; name - the searchName from row 1 |
Schedule Search (Started) | An example so useful that you decided to schedule an alert | status - scheduleAlertStarted; name - the searchName from row 1 |
Schedule Search (Finished) | An example so useful you actually scheduled an alert! | status - scheduleAlertCompleted; name - the searchName from row 1 |
Doc Loaded | You were curious about onboarding and opened a guide | status - docLoaded; pageName - whatever page you are viewing (e.g., Windows Security Logs) |
Filters Updated | You updated your filters to filter for specific examples | status - filtersUpdated; name - the filter you change; value - the value; enabledFilters - the filters in use |
Selected Intro Use Case | From the intro page, you clicked on a use case for more | status - selectedIntroUseCase; useCase - whatever you clicked on, like “Security Monitoring” |
Added to Bookmark | You wanted to remember an example, and added to a wish list | status - BookmarkChange; name - what you clicked on; itemStatus - what choice you made (e.g., “inQueue”) |
Data Foundation Config | You introspected or configured available data sources. | status - DataStatusChange; category - data type; status - whether present; selectionType - how you configured it |
Custom Content Created | You created new custom content. | status - CustomContentCreated; whitelisted values of mitre_technique, mitre_tactic, killchain, usecase, category |
Unexpected Error Occurred | Something bad happened, and we want to know whether it’s just you. | status - ErrorOccurred; banner - the banner text shown for the error; msg - the error message, if present; session details - lang, anonymized URL, page, splunk_version |
Example Collections
Event | Example Message |
---|---|
Example Opened | {status: “exampleLoaded”, exampleName: “New Interactive Logon from a Service Account”, searchName: “New Interactive Logon from a Service Account - Demo”} |
SPL Viewed | {status: “SPLViewed”, name: “New Interactive Logon from a Service Account - Demo”} |
Schedule Search (Started) | {status: “scheduleAlertStarted”, name: “New Interactive Logon from a Service Account - Demo”} |
Schedule Search (Finished) | {status: “scheduleAlertCompleted”, searchName: “New Interactive Logon from a Service Account - Demo”} |
Doc Loaded | {status: “docLoaded”, pageName: “Windows Security Logs”} |
Filters Updated | {status: “filtersUpdated”, name: “category”, value: “Account_Sharing”, enabledFilters: [“journey”, “usecase”, “category”, “datasource”, “highlight”]} |
Selected Intro Use Case | {status: “selectedIntroUseCase”, useCase: “Security Monitoring”} |
Added to Bookmark | {status: “BookmarkChange”, name: “Basic Malware Outbreak”, itemStatus: “needData”} |
Data Foundation Config | {status: “DataStatusChange”, category: “DS010NetworkCommunication-ET01Traffic”, status: “good”, selectionType: “manual”} |
Custom Content Created | {status: “CustomContentCreated”, mitre_technique: “T1046 |
Unexpected Error Occurred | {status: “ErrorOcurred”, banner: “Got an error while trying to update the kvstore. Your changes may not be saved.”, msg: “Access Denied”, locale: “en-US”, anon_url: “https://……../en-US/app/Splunk_Security_Essentials/contents”, page: “contents”, splunk_version: “7.3.1”} |
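The event shape described under "How data is collected" and in the tables above, as an added illustration (not the app's own telemetry library): a builder that strips the host from the URL, keeps only the whitelisted keys for a Custom Content Created event, and a reviewer-side check for identifiers that should never leave the browser. Function names, the `<host-removed>` placeholder, and attaching session details to every event are assumptions made for this example.

```javascript
// Added illustration of the telemetry event shape; not Splunk Security
// Essentials' own code. Names and the host placeholder are assumptions.

// Keys a Custom Content Created event may carry (from the table above).
const CUSTOM_CONTENT_FIELDS = ["mitre_technique", "mitre_tactic", "killchain", "usecase", "category"];

// Drop scheme, host and port so only the in-app path is sent
// (the page renders the removed host as a run of dots).
function anonymizeUrl(url) {
  return "https://<host-removed>" + new URL(url).pathname;
}

// Keep only whitelisted keys, so free text such as a custom search's
// title or its SPL is never included in the event.
function whitelistCustomContent(fields) {
  const out = {};
  for (const key of CUSTOM_CONTENT_FIELDS) {
    if (fields[key] !== undefined) out[key] = fields[key];
  }
  return out;
}

// Build one event: status, event-specific fields, then the session details
// listed for the error event (locale, anonymized URL, page, version).
function buildEvent(status, fields, session) {
  const body = status === "CustomContentCreated" ? whitelistCustomContent(fields) : { ...fields };
  return {
    status,
    ...body,
    locale: session.locale,
    anon_url: anonymizeUrl(session.url),
    page: new URL(session.url).pathname.split("/").pop(),
    splunk_version: session.splunkVersion,
  };
}

// Reviewer check: return any known host or user names still present in
// the serialized event (case-insensitive). An empty list means clean.
function leaksIdentifiers(event, identifiers) {
  const text = JSON.stringify(event).toLowerCase();
  return identifiers.filter((id) => text.includes(id.toLowerCase()));
}

// Constructed sample session; not captured from a real deployment.
const sampleSession = {
  locale: "en-US",
  url: "https://splunk.corp.example.com:8000/en-US/app/Splunk_Security_Essentials/contents",
  splunkVersion: "7.3.1",
};
```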
Opting in or out
When first installing Splunk (or upgrading to a version of Splunk that supported usage data collection), an administrator was asked whether to opt in or not. That setting can be viewed or changed (i.e., you can opt in or out) by enabling or disabling Anonymized Usage Data under Settings > Instrumentation in the Splunk Web UI.
What are Common Fields
Splunk itself sends some usage data (again, only if you’ve opted in). Splunk Security Essentials doesn’t touch that stuff, but you can go read about it here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Shareperformancedata