
Splunk Authentication Token

Description#

General#

  • Documentation: https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/UseAuthTokens
  • Summary: Splunk is a company providing data analysis software. This detector focuses on detecting tokens used to access Splunk's API.
  • IPs allowlist: IP allowlisting cannot be configured per token; a token is subject to the same allowlist as the instance it belongs to.
  • Scopes: Different scopes can be selected when creating a token, for example a token may grant access to only one server.

Revoke the secret#

This can be done by the user who issued the token or an administrator.

Check for suspicious activity#

Access logs are available on the Enterprise instance as described in the access logs documentation.

Details for Splunk token#

  • Category: Development tool

  • Company: Splunk

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 2.54

  • Prefixed: False

  • PreValidators:

      - type: ContentWhitelistPreValidator
        patterns:
          - splunk

Examples#

  - text: "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-F614A7654321'"
    token: 851A5E58-4EF1-7291-F947-F614A7654321
  - text: "splunk-token=176fcebf-4cf5-4edf-91bc-703796554321"
    token: 176fcebf-4cf5-4edf-91bc-703796554321
  - text: |
      some context with the word splunk somewhere
      access_token: '08243c00-a31b-499d-9fae-776b41994321'"
    token: 08243c00-a31b-499d-9fae-776b41994321
  - text:  -Dsplunk_token=D6BD1AD4-CB62-4D80-A637-350CE2B14321\
    token: D6BD1AD4-CB62-4D80-A637-350CE2B14321
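As an added illustration (not GitGuardian's own detector code), the following Python models the two stages this page describes: the ContentWhitelistPreValidator, which skips a document unless the word `splunk` appears, followed by a token match run over the page's four example texts. The token pattern (a UUID-shaped hex string, either case) and the case-insensitive whitelist check are assumptions inferred from the examples, not the detector's actual rules.

```python
import re
from typing import List

# Stage 1 (from the page): the ContentWhitelistPreValidator pattern list.
# Assumption: matching is case-insensitive, since example 1 uses "SPLUNK_TOKEN1".
PREVALIDATOR_PATTERNS = ["splunk"]

# Stage 2 (assumption): every token in the page's examples is UUID-shaped,
# i.e. 8-4-4-4-12 hex groups in upper or lower case. Only an approximation.
TOKEN_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def passes_prevalidator(content: str) -> bool:
    """Return True when at least one whitelist word occurs in the content."""
    lowered = content.lower()
    return any(pattern in lowered for pattern in PREVALIDATOR_PATTERNS)


def find_splunk_tokens(content: str) -> List[str]:
    """Return candidate Splunk tokens, or [] when the pre-validator rejects the content.

    The pre-validator runs first so that UUID-like strings in unrelated files
    (session ids, correlation ids) are never reported as Splunk tokens.
    """
    if not passes_prevalidator(content):
        return []
    return TOKEN_RE.findall(content)


# Constructed inputs: the page's four example texts, plus one control document
# that contains a UUID but no Splunk context and must therefore yield nothing.
EXAMPLES = [
    "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-F614A7654321'",
    "splunk-token=176fcebf-4cf5-4edf-91bc-703796554321",
    "some context with the word splunk somewhere\n"
    "access_token: '08243c00-a31b-499d-9fae-776b41994321'",
    "-Dsplunk_token=D6BD1AD4-CB62-4D80-A637-350CE2B14321\\",
]
NO_CONTEXT = "session_id: 08243c00-a31b-499d-9fae-776b41994321"

if __name__ == "__main__":
    for text in EXAMPLES + [NO_CONTEXT]:
        print(repr(text[:40]), "->", find_splunk_tokens(text))
```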