Skip to content

VictorOps API Key

Service Name: VictorOps (now Splunk On-Call)

Service Description: VictorOps is an incident management platform that provides real-time alerting, on-call scheduling, and incident response tools. It was acquired by Splunk and is now known as Splunk On-Call.

Service Address: https://victorops.com/ (redirects to https://www.splunk.com/en_us/products/on-call.html)

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the organization level through Splunk On-Call admin settings.

Secret Access Scope: Grants programmatic access to VictorOps/Splunk On-Call API, allowing management of incidents, teams, users, and alert configurations.

Secret Revokement URL: https://portal.victorops.com/dash/#/api-management

Secret Example: 1234567890abcdef1234567890abcdef

Suspicious Activity Investigation Instructions:

  • Review API access logs in the VictorOps/Splunk On-Call portal for unauthorized API calls.
  • Check for unexpected incident creation, modification, or resolution.
  • Monitor for changes to on-call schedules or team configurations.
  • Look for unusual alert rule modifications or integrations being added or modified.
  • Verify if there are any unexpected user invitations or role changes.

Mitigation Instructions:

  • Log in to the VictorOps/Splunk On-Call portal.
  • Navigate to Settings > API Management.
  • Locate the compromised API key and click "Revoke".
  • Generate a new API key if needed.
  • Update all legitimate applications and integrations with the new API key.
  • Review and update IP restrictions for API access if available.
  • Audit all recent changes made to your VictorOps/Splunk On-Call configuration.
  • Consider implementing additional authentication mechanisms like OAuth if available.