Splunk HEC Token
Service Name: Splunk
Service Description: Splunk is a software platform for searching, monitoring, and analyzing machine-generated big data via a web-style interface. It captures, indexes, and correlates real-time data in a searchable repository, from which it can generate graphs, reports, alerts, dashboards, and visualizations.
Service Address: https://www.splunk.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the token level by specifying allowed source IP addresses in the Splunk HTTP Event Collector (HEC) token settings.
Secret Access Scope: Grants the ability to send data to Splunk via the HTTP Event Collector (HEC). The token allows applications to send data directly to Splunk Enterprise or Splunk Cloud without using a forwarder.
Secret Revokement URL: https://docs.splunk.com/Documentation/Splunk/latest/Data/UsetheHTTPEventCollector#Delete_a_token
Secret Example: 1A2B3C4D-5E6F-7G8H-9I0J-1K2L3M4N5O6P
Suspicious Activity Investigation Instructions:
- Review Splunk logs for unusual data ingestion patterns or volumes.
- Check the Splunk audit logs to see which sources are using the HEC token.
- Examine the types and content of data being sent through the token.
- Verify if the token is being used from unexpected IP addresses or locations.
- Monitor for unusual spikes in data volume that could indicate abuse.
Mitigation Instructions:
- Log into your Splunk instance as an administrator.
- Navigate to Settings > Data Inputs > HTTP Event Collector.
- Locate the compromised token in the list.
- Click Delete next to the token to immediately revoke it.
- Create a new token with appropriate source restrictions if needed.
- Update all legitimate applications to use the new token.
- Consider enabling token source restrictions to limit which IP addresses can use the token.
- Review and update your token rotation policies to ensure regular rotation of HEC tokens.