# Splunk User Credentials
- Documentation: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount
- Summary: Splunk is a company providing data analysis software. This detector focuses on detecting admin credentials for Splunk Enterprise.
- IPs allowlist: It is possible to restrict access to a Splunk Enterprise instance; this is documented here.
- Scopes: These credentials are the admin credentials; they have full access to the instance.
# Revoke the secret
The password can be reset as described in the documentation.
# Check for suspicious activity
Access logs are available on the Enterprise instance as described in the access logs documentation.
# Splunk user seed
High recall: False
Validity check available: False
Minimum number of matches: 2
Occurrences found for one million commits: 0.03
Pre-validator configuration (only files named `user-seed.conf` are scanned):

```yaml
- type: FilenameWhitelistPreValidator
  whitelist_extensions:
  whitelist_filenames:
    - user-seed.conf
  whitelist_filepaths:
```

Example of a matching file and the values extracted from it:

```yaml
- text: |
    [user_info]
    USERNAME = hello
    PASSWORD = splunkme
  username: hello
  password: splunkme
  filename: user-seed.conf
```
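The detection logic described above (filename pre-validator, then both `USERNAME` and `PASSWORD` read from the `[user_info]` stanza so that the minimum of two matches is met), as an added Python example that is not code from this page or from the detector project it describes; the sample seed file is constructed, and `filename_allowed` / `find_splunk_seed_credentials` are hypothetical names:

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample that mirrors the documented user-seed.conf layout.
SAMPLE_USER_SEED = """\
[user_info]
USERNAME = hello
PASSWORD = splunkme
"""


@dataclass
class SplunkSeedMatch:
    username: str
    password: str

    def summary(self) -> str:
        # Report the finding without echoing the secret itself.
        return f"user_info credentials for '{self.username}' (password {len(self.password)} chars)"


def filename_allowed(path: str, allowed=("user-seed.conf",)) -> bool:
    """Pre-validator equivalent of FilenameWhitelistPreValidator: scan only the seed file."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] in allowed


def find_splunk_seed_credentials(path: str, content: str) -> Optional[SplunkSeedMatch]:
    """Return the seeded admin credentials if `content` is a valid user-seed.conf, else None."""
    if not filename_allowed(path):
        return None
    # Splunk .conf files are INI-style stanzas; configparser lowercases keys by default,
    # so USERNAME/PASSWORD are looked up case-insensitively.
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(content)
    except configparser.Error:  # no stanza header, duplicate keys, etc.
        return None
    if not parser.has_section("user_info"):
        return None
    stanza = parser["user_info"]
    username = stanza.get("username", "").strip()
    password = stanza.get("password", "").strip()
    # Both values are required: this is the "minimum number of matches: 2" rule.
    if not username or not password:
        return None
    return SplunkSeedMatch(username=username, password=password)
```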