
Splunk User Credentials

Description

General

  • Documentation: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount
  • Summary: Splunk is a company providing data analysis software. This detector focuses on detecting admin credentials for Splunk Enterprise.
  • IPs allowlist: It is possible to restrict access to a Splunk Enterprise instance; this is documented here.
  • Scopes: These credentials are the admin credentials; they have full access to the instance.

Revoke the secret

The password can be reset as described in the documentation.

Check for suspicious activity

Access logs are available on the Enterprise instance as described in the access logs documentation.

Details for Splunk user seed

  • Family: Other

  • Category: Monitoring

  • Company: Splunk

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 2

  • Occurrences found for one million commits: 0.03

  • Prefixed: False

  • PreValidators:

    - type: FilenameWhitelistPreValidator
      whitelist_extensions: []
      whitelist_filenames:
      - user-seed.conf
      whitelist_filepaths: []

Examples

    - text: |
        [user_info]
        USERNAME = hello
        PASSWORD = spluqkuc
      username: hello
      password: spluqkuc
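The pre-validator and the example above describe the whole detection rule: only files named user-seed.conf are looked at, and a finding needs both a USERNAME and a PASSWORD inside a [user_info] stanza (the "minimum number of matches: 2"). The following script is an added illustration of that rule, not GitGuardian's own detector code; the function names, the masking helper and the sample file contents are assumptions made for the example.

```python
"""Minimal scanner for Splunk user-seed.conf credentials (added example).

Mirrors the rule described on this page:
  * filename pre-validation: only user-seed.conf is scanned
  * a finding requires both USERNAME and PASSWORD in [user_info]
This is not GitGuardian's implementation; names are chosen for the example.
"""
import configparser
import posixpath
from typing import Optional

# Filename whitelist, copied from the PreValidators block on this page.
WHITELIST_FILENAMES = {"user-seed.conf"}

# Constructed sample files (not real secrets); the first matches the page's example.
SAMPLE_SEED = "[user_info]\nUSERNAME = hello\nPASSWORD = spluqkuc\n"
SAMPLE_PARTIAL = "[user_info]\nUSERNAME = hello\n"          # password missing
SAMPLE_NO_STANZA = "USERNAME = hello\nPASSWORD = spluqkuc\n"  # no [user_info] header


def filename_allowed(path: str) -> bool:
    """Equivalent of FilenameWhitelistPreValidator: scan only whitelisted names."""
    return posixpath.basename(path) in WHITELIST_FILENAMES


def extract_credentials(text: str) -> Optional[dict]:
    """Return {'username', 'password'} from a [user_info] stanza, or None.

    Both keys must be present (minimum number of matches: 2); a stanza with
    only one of them, or a file that is not valid INI, yields no finding.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are upper-case; keep them as written
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    if not parser.has_section("user_info"):
        return None
    section = parser["user_info"]
    if "USERNAME" not in section or "PASSWORD" not in section:
        return None
    return {"username": section["USERNAME"], "password": section["PASSWORD"]}


def mask_secret(secret: str, keep: int = 2) -> str:
    """Mask a secret for reporting so the full value never lands in logs."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


def scan_file(path: str, text: str) -> Optional[dict]:
    """Run the pre-validator, then the stanza check; None means no finding."""
    if not filename_allowed(path):
        return None
    return extract_credentials(text)


if __name__ == "__main__":
    samples = {
        "etc/system/local/user-seed.conf": SAMPLE_SEED,
        "etc/system/local/server.conf": SAMPLE_SEED,      # skipped by filename
        "other/user-seed.conf": SAMPLE_PARTIAL,          # only one key
        "broken/user-seed.conf": SAMPLE_NO_STANZA,       # no stanza header
    }
    for path, content in samples.items():
        finding = scan_file(path, content)
        if finding is None:
            print(f"{path}: no finding")
        else:
            print(f"{path}: user={finding['username']} "
                  f"password={mask_secret(finding['password'])}")
```

The stanza is parsed with configparser rather than a line regex so that spacing around the `=` and comment lines are handled the same way Splunk's INI-style .conf files would be; `optionxform = str` keeps the upper-case key names the page's example uses.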