Skip to content

Splunk Authentication Token

Service Name: Splunk

Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Service Address: https://www.splunk.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the Splunk instance level through authentication settings and network access controls.

Secret Access Scope: Grants programmatic access to Splunk's REST API, allowing data querying, report generation, dashboard management, and potentially administrative functions depending on the token's permissions.

Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Security/Manageauthenticationtokens

Secret Example: eyJraWQiOiJzcGx1bmsuc2VjcmV0IiwiYWxnIjoiSFM1MTIiLCJ2ZXIiOiJ2MiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImlzcyI6InNwbHVuayIsImF1ZCI6InNwbHVuayIsImlkcCI6InNwbHVuayIsImp0aSI6IjEyMzQ1Njc4OTAiLCJpYXQiOjE1MTYyMzkwMjIsImV4cCI6MTUxNjI0MjYyMn0.EXAMPLE_SIGNATURE

Suspicious Activity Investigation Instructions:

  • Review Splunk audit logs for unusual search queries or data access patterns
  • Check for unexpected API calls or data exports from unfamiliar IP addresses
  • Monitor for changes to dashboards, saved searches, or alert configurations
  • Examine authentication logs for failed login attempts or unusual access times
  • Look for unauthorized creation of new users or role modifications

Mitigation Instructions:

  • Immediately revoke the compromised token through the Splunk web interface (Settings > Tokens)
  • Generate a new token with appropriate permissions if needed
  • Review and update IP allowlists for API access
  • Implement token rotation policies and shorter expiration times
  • Consider implementing multi-factor authentication for Splunk access
  • Audit all user roles and permissions to enforce the Principle of Least Privilege.
  • Check for any scheduled searches or alerts that might be using the compromised token