Splunk Enterprise Security

The meaning of security metrics in Glass Tables

hungheo
New Member

Hi everyone,

I am a newbie in Splunk. Now I need to do a network diagram in Glass Tables, but I don't know exactly the meaning of the security metrics.
Example:
Access - Distinct Apps, Access - Distinct Destinations, Access - Distinct Source, Access - Distinct Users
DNS - Errors, DNS - Messages, DNS - Query Sources, DNS - Unique Queries
Email - Cloud Activity
Licensing - Average Events Per Day
Modular Actions - Action Invocations, Modular Actions - Average Duration, Modular Actions - Distinct Search Name

Please explain it for me or send me a link to documentation about it.
Thank you everyone very much.

0 Karma

alonsocaio
Contributor

Hi,

I guess that the Security Metrics are KPIs based on accelerated datamodel searches. If you click and open those security metrics, you will see the search that generates the metric.

It would be interesting for you to first understand your data sources and what data is being used for each datamodel. I have listed below some fields and datamodels used by the Security Metrics you asked about.

Access - Distinct Apps -> Uses app field from datamodel Authentication.Authentication
Access - Distinct Destinations -> Uses dest field from datamodel Authentication.Authentication
Access - Distinct Source -> Uses src field from datamodel Authentication.Authentication
Access - Distinct Users -> Uses user field from datamodel Authentication.Authentication
DNS - Errors -> Counts based on reply code field from datamodel Network_Resolution.DNS
DNS - Messages -> Counts based on datamodel Network_Resolution.DNS
DNS - Query Sources -> Uses src field from datamodel Network_Resolution.DNS
Email - Cloud Activity -> Counts based on datamodel Email.All_Email
Licensing - Average Events Per Day -> Uses the lookup licensing_epd and macro licensing_epd
Modular Actions - Action Invocations -> Counts based on datamodel Splunk_Audit.Modular_Actions
Modular Actions - Average Duration -> Uses the field duration from datamodel Splunk_Audit.Modular_Actions
Modular Actions - Distinct Search Name -> Uses the field search_name from datamodel Splunk_Audit.Modular_Actions

Also, here are some interesting links from the docs:
Create Glass Table -> https://docs.splunk.com/Documentation/ES/5.3.0/User/CreateGlassTable
Create KPI -> https://docs.splunk.com/Documentation/ES/5.3.0/Admin/Createkeyindicatorsearches

0 Karma
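As an added illustration (not part of either post above and not the searches shipped with Enterprise Security), the following SPL reproduces several of the listed metrics from the same accelerated data models in one search, so you can compare your own numbers against the glass-table KPIs. It assumes the CIM Authentication, Network_Resolution and Splunk_Audit data models are accelerated (summariesonly=true reads only the summaries); the output field names are my own labels, and the Licensing metric is left out because it comes from a lookup and macro rather than a data model.

```spl
| tstats summariesonly=true
    dc(Authentication.app)  AS access_distinct_apps
    dc(Authentication.dest) AS access_distinct_destinations
    dc(Authentication.src)  AS access_distinct_sources
    dc(Authentication.user) AS access_distinct_users
  FROM datamodel=Authentication.Authentication
| append
    [| tstats summariesonly=true
        count       AS dns_messages
        dc(DNS.src) AS dns_query_sources
      FROM datamodel=Network_Resolution.DNS]
| append
    [| tstats summariesonly=true
        count                           AS email_messages
      FROM datamodel=Email.All_Email]
| append
    [| tstats summariesonly=true
        count                           AS modular_action_invocations
        avg(Modular_Actions.duration)   AS modular_action_avg_duration
        dc(Modular_Actions.search_name) AS modular_action_distinct_search_names
      FROM datamodel=Splunk_Audit.Modular_Actions]
| stats values(*) AS *
| transpose
| rename column AS metric "row 1" AS value
```

Run it over the same time range as the glass table; a metric that stays empty usually means the corresponding data model has no accelerated data for that period, which is the first thing to check when a KPI panel shows zero.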