Splunk Authentication Token

Description
General
- Documentation: https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/UseAuthTokens
- Summary: Splunk is a company providing data analysis software. This detector focuses on the authentication tokens used to access the API of a Splunk instance.
- IPs allowlist: It is not possible to set an IP allowlist for an individual token. A token shares whatever allowlisting is configured for the instance it was issued on.
- Scopes: Different scopes can be selected when creating a token; for example, a token may grant access to only one server.
Revoke the secret
A token can be revoked by the user who issued it or by an administrator of the instance.
Check for suspicious activity
Access logs are available on the Splunk Enterprise instance, as described in the access logs documentation.
Splunk token

Details
Family: Api
Category: Monitoring
Company: Splunk
High recall: False
Validity check available: False
Minimum number of matches: 1
Occurrences found for one million commits: 6.95
Prefixed: False
PreValidators:
  - type: ContentWhitelistPreValidator
    patterns:
      - splunk
Examples
- text: "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-C612A9654321'"
  token: 851A5E58-4EF1-7291-F947-C612A9654321
- text: "splunk-token=176fcebf-4cf5-4edf-91bc-728408560464"
  token: 176fcebf-4cf5-4edf-91bc-728408560464
- text: |
    some context with the word splunk somewhere
    access_token: '08243c00-a31b-499d-9fae-763b41990326'"
  token: 08243c00-a31b-499d-9fae-763b41990326
- text: -Dsplunk_token=D6BD1AD4-CB62-4D80-A637-593EE2B17391\
  token: D6BD1AD4-CB62-4D80-A637-593EE2B17391
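The Details and Examples above describe a detector with no token prefix, a minimum of one match, and a ContentWhitelistPreValidator that only lets a document through when the word "splunk" appears somewhere in it. The following Python is an added illustration of that two-stage logic, not the detector's own code: the UUID-shaped regex (8-4-4-4-12 hex groups) is an assumption inferred from the four example tokens, and the helper names (`passes_prevalidator`, `find_splunk_tokens`, `run_page_examples`) are hypothetical. The inputs are the page's own example strings plus two constructed negative cases.

```python
import re

# Assumed token shape, inferred from the page's examples: a UUID-like string of
# 8-4-4-4-12 hex characters in either case. The real detector's pattern may differ.
TOKEN_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)

# Mirrors the ContentWhitelistPreValidator on the page: the document must
# contain one of the allowlisted words before any pattern matching happens.
PREVALIDATOR_PATTERNS = ("splunk",)


def passes_prevalidator(text: str, patterns=PREVALIDATOR_PATTERNS) -> bool:
    """Return True if any allowlisted context word appears (case-insensitive)."""
    lowered = text.lower()
    return any(p in lowered for p in patterns)


def find_splunk_tokens(text: str, min_matches: int = 1) -> list[str]:
    """Two-stage detection: context prevalidation, then UUID-shaped matching.

    Returns the matched candidate tokens, or an empty list when the
    prevalidator rejects the document or too few candidates are found.
    """
    if not passes_prevalidator(text):
        return []
    matches = TOKEN_RE.findall(text)
    return matches if len(matches) >= min_matches else []


# The four example documents from the page, keyed by their expected token.
PAGE_EXAMPLES = {
    "851A5E58-4EF1-7291-F947-C612A9654321":
        "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-C612A9654321'",
    "176fcebf-4cf5-4edf-91bc-728408560464":
        "splunk-token=176fcebf-4cf5-4edf-91bc-728408560464",
    "08243c00-a31b-499d-9fae-763b41990326":
        "some context with the word splunk somewhere\n"
        "access_token: '08243c00-a31b-499d-9fae-763b41990326'",
    "D6BD1AD4-CB62-4D80-A637-593EE2B17391":
        "-Dsplunk_token=D6BD1AD4-CB62-4D80-A637-593EE2B17391\\",
}

# Constructed negative cases: a UUID without Splunk context (the prevalidator
# should drop it) and Splunk context without a UUID-shaped value.
NEGATIVE_EXAMPLES = [
    "access_token: '08243c00-a31b-499d-9fae-763b41990326'",
    "splunk_host = 'https://splunk.example.com:8089'",
]


def run_page_examples() -> dict[str, list[str]]:
    """Run the detector over every page example; maps expected token -> hits."""
    return {expected: find_splunk_tokens(text) for expected, text in PAGE_EXAMPLES.items()}


if __name__ == "__main__":
    for expected, hits in run_page_examples().items():
        print(f"{expected}: {'FOUND' if hits == [expected] else 'MISSED'} {hits}")
    for text in NEGATIVE_EXAMPLES:
        print(f"negative {text!r}: {find_splunk_tokens(text)}")
```

The prevalidator is what keeps a bare UUID regex from flagging every GUID in a codebase; the trade-off, consistent with "High recall: False" above, is that a Splunk token stored in a file with no Splunk-related wording nearby will not be reported.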