Splunk API Token
Service Name: Splunk
Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.
Service Address: https://www.splunk.com/
Validation Type: API Auth
IP Allow list: Does not exist
Secret Access Scope: Grants programmatic access to Splunk's REST API, allowing for data querying, index management, and administrative operations.
Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Security/Revokeatoken
Secret Example: eyJraWQiOiJzcGx1bmtLZXkiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InNwbHVuayIsImF1ZCI6InNwbHVuayIsImlkIjoiYWRtaW4iLCJqdGkiOiJhYmNkZWZnMTIzNDU2Nzg5MCIsImV4cCI6MTY0NTU1NTU1NX0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Suspicious Activity Investigation Instructions:
- Review Splunk audit logs for unauthorized API calls or unusual access patterns
- Check for unexpected data exports or searches
- Monitor for configuration changes or new user accounts
- Examine access from unusual IP addresses or outside normal business hours
- Look for large-scale data extraction operations
Mitigation Instructions:
- Immediately revoke the compromised token through Splunk Web interface
- Navigate to Settings > Tokens and delete the affected token
- Create a new token with appropriate permissions
- Update any applications or scripts using the old token
- Review and adjust token permissions to follow the principle of least privilege
- Enable token expiration for all tokens
- Consider implementing IP restrictions for token usage if possible