Skip to content

Splunk API Token

Service Name: Splunk

Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Service Address: https://www.splunk.com/

Validation Type: API Auth

IP Allow list: Does not exist

Secret Access Scope: Grants programmatic access to Splunk's REST API, allowing for data querying, index management, and administrative operations.

Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Security/Revokeatoken

Secret Example: eyJraWQiOiJzcGx1bmtLZXkiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InNwbHVuayIsImF1ZCI6InNwbHVuayIsImlkIjoiYWRtaW4iLCJqdGkiOiJhYmNkZWZnMTIzNDU2Nzg5MCIsImV4cCI6MTY0NTU1NTU1NX0.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Suspicious Activity Investigation Instructions:

  • Review Splunk audit logs for unauthorized API calls or unusual access patterns
  • Check for unexpected data exports or searches
  • Monitor for configuration changes or new user accounts
  • Examine access from unusual IP addresses or outside normal business hours
  • Look for large-scale data extraction operations

Mitigation Instructions:

  • Immediately revoke the compromised token through Splunk Web interface
  • Navigate to Settings > Tokens and delete the affected token
  • Create a new token with appropriate permissions
  • Update any applications or scripts using the old token
  • Review and adjust token permissions to follow the principle of least privilege
  • Enable token expiration for all tokens
  • Consider implementing IP restrictions for token usage if possible