Splunk Authentication Token
Service Name: Splunk
Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.
Service Address: https://www.splunk.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the Splunk instance level through authentication settings and network access controls.
Secret Access Scope: Grants programmatic access to Splunk's REST API, allowing data querying, report generation, dashboard management, and potentially administrative functions depending on the token's permissions.
Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Security/Manageauthenticationtokens
Secret Example: eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InNwbHVuayIsImF1ZCI6InNwbHVuayIsImlkcCI6InNwbHVuayIsImp0aSI6IjEyMzQ1Njc4OTAiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjI0MjYyMn0.EXAMPLE_SIGNATURE
Suspicious Activity Investigation Instructions:
- Review Splunk audit logs for unusual search queries or data access patterns
- Check for unexpected API calls or data exports from unfamiliar IP addresses
- Monitor for changes to dashboards, saved searches, or alert configurations
- Examine authentication logs for failed login attempts or unusual access times
- Look for unauthorized creation of new users or role modifications
Mitigation Instructions:
- Immediately revoke the compromised token through the Splunk web interface (Settings > Tokens)
- Generate a new token with appropriate permissions if needed
- Review and update IP allowlists for API access
- Implement token rotation policies and shorter expiration times
- Consider implementing multi-factor authentication for Splunk access
- Audit all user roles and permissions to enforce the Principle of Least Privilege.
- Check for any scheduled searches or alerts that might be using the compromised token