Skip to main content


Splunk Lantern

Endpoint data

Endpoint security is used to protect corporate networks from inadvertent attacks by compromised devices using untrusted remote networks such as hotspots. By installing clients on laptops or other wireless and mobile devices, endpoint security software can monitor activity and provide security teams with warnings of devices attempting to spread malware or pose other threats. In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity from the client OS, login, logout, shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office applications. In the Common Information Model, endpoint data is typically mapped to the Endpoint data model


Endpoint data can be used for a variety of security uses, including identifying newly detected binaries, file hash, files in the filesystem and registries. Endpoints also log device configurations and various security parameters (certificates, local anti-malware signatures, etc.).


When your Splunk deployment is ingesting endpoint data, you can use it to accomplish security and compliance use cases.


Guidance for onboarding data can be found in the Spunk Documentation, Getting Data In (Splunk Enterprise) or Getting Data In (Splunk Cloud). In addition, these Splunk Add-Ons and Apps are helpful for working with endpoint data.

Looking for more information on data types? Download the Splunk Essential Guide to Machine Data.

  • Was this article helpful?