# Splunk User Credentials

## Description

**General**

- Documentation: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount
- Summary: Splunk is a company providing data analysis software. This detector focuses on admin credentials for Splunk Enterprise, specifically the username and password pair written to `user-seed.conf`, the file Splunk reads on first start to create the admin account (and that the documentation above uses to reset a lost admin password).
- IPs allowlist: It is possible to restrict which IP addresses can reach a Splunk Enterprise instance; see the Splunk documentation.
- Scopes: These are the admin credentials; they grant full access to the instance.

**Revoke the secret**

The password can be reset as described in the documentation. Because `user-seed.conf` seeds the admin account, treat the leaked value as the admin password: change it (from the Splunk UI or with `splunk edit user admin -password <new> -auth admin:<current>`) and remove the file from the repository history rather than only from the working tree.

**Check for suspicious activity**

Access logs are available on the Enterprise instance, as described in the access logs documentation. Look for logins with the leaked username from unexpected source addresses or at unexpected times.
## Splunk user seed

**Details**

- Family: Other
- Category: Monitoring
- Company: Splunk
- High recall: False
- Validity check available: False
- Minimum number of matches: 2
- Occurrences found for one million commits: 0.03
- Prefixed: False
- PreValidators:

```yaml
- type: FilenameWhitelistPreValidator
  whitelist_extensions: []
  whitelist_filenames:
    - user-seed.conf
  whitelist_filepaths: []
```

The pre-validator restricts the detector to files named exactly `user-seed.conf`, so the same `USERNAME`/`PASSWORD` pair in any other file does not trigger it, and the minimum of two matches means both the username and the password must be present before a secret is reported. There is no validity check: the instance is not contacted, so a match may be an old or already-rotated password.
**Examples**

```yaml
- text: |
    [user_info]
    USERNAME = hello
    PASSWORD = spluqkuc
  username: hello
  password: spluqkuc
```
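To make the detector's behaviour concrete, the following is an added example that reimplements its logic in Python; it is not GitGuardian's engine and the function and class names (`filename_prevalidator`, `extract_seed_credential`, `scan_repository`, `SeedCredential`) are my own. It applies the filename pre-validator first, then parses the `[user_info]` stanza as INI and requires both `USERNAME` and `PASSWORD` (the minimum of two matches). The sample repository contents are constructed for the example, using the page's own example file plus two decoys that should not match.

```python
"""Minimal reimplementation of the Splunk user seed detector's logic (added
example, not GitGuardian's engine): a filename pre-validator that only admits
files named user-seed.conf, then an INI parse of the [user_info] stanza that
requires both USERNAME and PASSWORD before reporting a finding."""
import configparser
import posixpath
from dataclasses import dataclass
from typing import Optional

# Mirrors the FilenameWhitelistPreValidator above: the basename must match
# exactly, in any directory, with no extension or path filter.
WHITELIST_FILENAMES = frozenset({"user-seed.conf"})


@dataclass(frozen=True)
class SeedCredential:
    username: str
    password: str


def filename_prevalidator(path: str) -> bool:
    """Cheap gate run before any content matching."""
    return posixpath.basename(path) in WHITELIST_FILENAMES


def extract_seed_credential(path: str, content: str) -> Optional[SeedCredential]:
    """Return the (username, password) pair from a user-seed.conf, or None.

    None is returned when the pre-validator rejects the path, the file does not
    parse, the [user_info] stanza is missing, or only one of the two keys is
    present ("Minimum number of matches: 2").
    """
    if not filename_prevalidator(path):
        return None
    # Splunk .conf files are INI-style. Interpolation is off because passwords
    # may legitimately contain '%'; strict=False tolerates duplicated keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str.upper  # USERNAME / username / Username all match
    try:
        parser.read_string(content)
    except configparser.Error:
        return None
    if not parser.has_section("user_info"):
        return None
    stanza = parser["user_info"]
    username = (stanza.get("USERNAME") or "").strip()
    password = (stanza.get("PASSWORD") or "").strip()
    if not username or not password:
        return None
    return SeedCredential(username, password)


def scan_repository(files: dict) -> list:
    """Run the detector over a {path: content} mapping and return findings."""
    findings = []
    for path, content in files.items():
        cred = extract_seed_credential(path, content)
        if cred is not None:
            findings.append((path, cred))
    return findings


# Constructed sample repository: the page's own example plus two decoys.
SAMPLE_REPO = {
    # Matches: right filename, both keys present.
    "etc/system/local/user-seed.conf": (
        "# seed the admin account on first start\n"
        "[user_info]\n"
        "USERNAME = hello\n"
        "PASSWORD = spluqkuc\n"
    ),
    # Same content under another filename: the pre-validator rejects it.
    "docs/example.conf": "[user_info]\nUSERNAME = hello\nPASSWORD = spluqkuc\n",
    # Right filename, only one key: below the minimum of two matches.
    "other/user-seed.conf": "[user_info]\nUSERNAME = admin\n",
}

if __name__ == "__main__":
    for path, cred in scan_repository(SAMPLE_REPO):
        print(f"{path}: username={cred.username} password={cred.password}")
```

Running the block reports only `etc/system/local/user-seed.conf`; the decoy under `docs/` never reaches content matching and the seed file with a lone `USERNAME` is dropped by the two-match rule, which is what keeps the detector's false-positive rate low despite its low recall.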