Telemetry

Why we collect data

Splunk Security Essentials is a free app, and because of that we often don’t really know what people care about in the app. We’ve got lots of ideas for what we should build next, but we want to know what people find valuable. For customers who opt in, collecting data tells us what you care about! For example, we are shipping some Data Onboarding Guides. How often people actually use these will help us to know whether it’s worth it to build more. Everything is anonymized, so your info is always private.

How data is collected

If you opt in globally on your Splunk environment, the app enables an internal library to track basic usage and crash information. The library uses browser cookies to track unique visitors and sessions for the app, and it sends events to Splunk using XHR in JSON format, with all user- or system-identifying data resolved to GUIDs.

What we collect

| Event | Description | Example Fields in addition to Common Fields |
| --- | --- | --- |
| Example Opened | You were interested enough to open an example | status - exampleLoaded; exampleName - the name from the contents; searchName - which search for that example. |
| SPL Viewed | You thought the SPL for an example was worth seeing! | status - SPLViewed; name - the searchName from row 1 |
| Schedule Search (Started) | An example so useful that you decided to schedule an alert | status - scheduleAlertStarted; name - the searchName from row 1 |
| Schedule Search (Finished) | An example so useful you actually scheduled an alert! | status - scheduleAlertCompleted; name - the searchName from row 1 |
| Doc Loaded | You were curious about onboarding and opened a guide | status - docLoaded; pageName - whatever page you are viewing (e.g., Windows Security Logs) |
| Filters Updated | You updated your filters to filter for specific examples | status - filtersUpdated; name - the filter you change; value - the value; enabledFilters - the filters in use |
| Selected Intro Use Case | From the intro page, you clicked on a use case for more | status - selectedIntroUseCase; useCase - whatever you clicked on, like “Security Monitoring” |
| Added to Bookmark | You wanted to remember an example, and added to a wish list | status - BookmarkChange; name - what you clicked on; itemStatus - what choice you made (e.g., “inQueue”) |
| Data Foundation Config | You introspected or configured available data sources. | status - DataStatusChange; category - data type; status - whether present; selectionType - how you configured it |
| Custom Content Created | You created new custom content. | status - CustomContentCreated; whitelisted values of mitre_technique, mitre_tactic, killchain, usecase, category |
| Unexpected Error Occurred | Something bad happened, we want to know if it’s just you. | status - ErrorOccurred; banner - that an error occurred, msg - the error message if present, session details: lang, anonymized URL, page, splunk_version |

Example Collections

| Event | Example Message |
| --- | --- |
| Example Opened | {status: "exampleLoaded", exampleName: "New Interactive Logon from a Service Account", searchName: "New Interactive Logon from a Service Account - Demo"} |
| SPL Viewed | {status: "SPLViewed", name: "New Interactive Logon from a Service Account - Demo"} |
| Schedule Search (Started) | {status: "scheduleAlertStarted", name: "New Interactive Logon from a Service Account - Demo"} |
| Schedule Search (Finished) | {status: "scheduleAlertCompleted", searchName: "New Interactive Logon from a Service Account - Demo"} |
| Doc Loaded | {status: "docLoaded", pageName: "Windows Security Logs"} |
| Filters Updated | {status: "filtersUpdated", name: "category", value: "Account_Sharing", enabledFilters: ["journey", "usecase", "category", "datasource", "highlight"]} |
| Selected Intro Use Case | {status: "selectedIntroUseCase", useCase: "Security Monitoring"} |
| Added to Bookmark | {status: "BookmarkChange", name: "Basic Malware Outbreak", itemStatus: "needData"} |
| Data Foundation Config | {status: "DataStatusChange", category: "DS010NetworkCommunication-ET01Traffic", status: "good", selectionType: "manual"} |
| Custom Content Created | {status: "CustomContentCreated", mitre_technique: "T1046 |
| Unexpected Error Occurred | {status: "ErrorOcurred", banner: "Got an error while trying to update the kvstore. Your changes may not be saved.", msg: "Access Denied", locale: "en-US", anon_url: "https://……../en-US/app/Splunk_Security_Essentials/contents", page: "contents", splunk_version: "7.3.1"} |
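
One way to audit captured telemetry payloads against the fields documented on this page, as an added example (not Splunk's code). The allow-list is transcribed from the "What we collect" table for the rows whose field names are unambiguous there; the sample events, the `audit_event` name and the `common` parameter are constructed assumptions.

```python
import json

# Allow-list transcribed from the "What we collect" table on this page.
# Rows with ambiguous field names (Data Foundation Config, Unexpected
# Error Occurred) are left out; extend the dict once you have confirmed them.
DOCUMENTED = {
    "exampleLoaded": {"exampleName", "searchName"},
    "SPLViewed": {"name"},
    "scheduleAlertStarted": {"name"},
    "scheduleAlertCompleted": {"name"},
    "docLoaded": {"pageName"},
    "filtersUpdated": {"name", "value", "enabledFilters"},
    "selectedIntroUseCase": {"useCase"},
    "BookmarkChange": {"name", "itemStatus"},
    "CustomContentCreated": {"mitre_technique", "mitre_tactic",
                             "killchain", "usecase", "category"},
}


def audit_event(raw, common=frozenset()):
    """Return findings for one captured JSON event body (empty list = clean).

    `common` is the set of Common Field names, which this page does not
    list; supply them from Splunk's own documentation (assumption).
    """
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return ["payload is not a JSON object"]
    status = event.get("status")
    if status not in DOCUMENTED:
        return [f"undocumented status: {status!r}"]
    allowed = DOCUMENTED[status] | {"status"} | set(common)
    return [f"undocumented field: {k}" for k in sorted(event) if k not in allowed]


# Constructed sample payloads, not real captures.
SAMPLES = [
    '{"status": "docLoaded", "pageName": "Windows Security Logs"}',
    '{"status": "SPLViewed", "name": "Demo search", "username": "jdoe"}',
    '{"status": "hostInventory", "hosts": ["10.0.0.5"]}',
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(audit_event(raw) or "ok", "<-", raw)
```

Feed it request bodies captured at an egress proxy or from the browser's network panel; any finding is a field or event type that the table above does not describe.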

Opting in or out

When first installing Splunk (or upgrading to a version of Splunk that supported usage data collection), an administrator was asked whether to opt in. That setting can be viewed or changed (that is, you can opt in or out) by enabling or disabling Anonymized Usage Data under Settings > Instrumentation in the Splunk Web UI.

What are Common Fields

Splunk itself sends some usage data (again, if you’ve opted in). Splunk Security Essentials doesn’t touch that stuff, but you can read about it here: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Shareperformancedata