Skip to content

Splunk HEC Token

Service Name: Splunk

Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.

Service Address: https://www.splunk.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the token level by specifying allowed source IP addresses in the Splunk HTTP Event Collector (HEC) token settings.

Secret Access Scope: Grants the ability to send data to Splunk via the HTTP Event Collector (HEC). The token allows applications to send data directly to Splunk Enterprise or Splunk Cloud without using a forwarder.

Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Delete_a_token

Secret Example: 1A2B3C4D-5E6F-7G8H-9I0J-1K2L3M4N5O6P

Suspicious Activity Investigation Instructions:

  • Review Splunk logs for unusual data ingestion patterns or volumes.
  • Check the Splunk audit logs to see which sources are using the HEC token.
  • Examine the types and content of data being sent through the token.
  • Verify if the token is being used from unexpected IP addresses or locations.
  • Monitor for unusual spikes in data volume that could indicate abuse.

Mitigation Instructions:

  • Log into your Splunk instance as an administrator.
  • Navigate to Settings > Data Inputs > HTTP Event Collector.
  • Locate the compromised token in the list.
  • Click Delete next to the token to immediately revoke it.
  • Create a new token with appropriate source restrictions if needed.
  • Update all legitimate applications to use the new token.
  • Consider enabling token source restrictions to limit which IP addresses can use the token.
  • Review and update your token rotation policies to ensure regular rotation of HEC tokens.