VictorOps API Key
Service Name: VictorOps (now Splunk On-Call)
Service Description: VictorOps is an incident management platform that provides real-time alerting, on-call scheduling, and incident response tools. It was acquired by Splunk and is now known as Splunk On-Call.
Service Address: https://victorops.com/ (redirects to https://www.splunk.com/en_us/products/on-call.html)
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the organization level through Splunk On-Call admin settings.
Secret Access Scope: Grants programmatic access to VictorOps/Splunk On-Call API, allowing management of incidents, teams, users, and alert configurations.
Secret Revokement URL: https://portal.victorops.com/dash/#/api-management
Secret Example: 1234567890abcdef1234567890abcdef
Suspicious Activity Investigation Instructions:
- Review API access logs in the VictorOps/Splunk On-Call portal for unauthorized API calls.
- Check for unexpected incident creation, modification, or resolution.
- Monitor for changes to on-call schedules or team configurations.
- Look for unusual alert rule modifications or integrations being added or modified.
- Verify if there are any unexpected user invitations or role changes.
Mitigation Instructions:
- Log in to the VictorOps/Splunk On-Call portal.
- Navigate to Settings > API Management.
- Locate the compromised API key and click "Revoke".
- Generate a new API key if needed.
- Update all legitimate applications and integrations with the new API key.
- Review and update IP restrictions for API access if available.
- Audit all recent changes made to your VictorOps/Splunk On-Call configuration.
- Consider implementing additional authentication mechanisms like OAuth if available.