
Splunk Authentication Token

Description

General

  • Documentation: https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/UseAuthTokens
  • Summary: Splunk is a company providing data analysis software. This detector focuses on detecting tokens used to access Splunk's API.
  • IPs allowlist: IP allowlisting cannot be configured per token; a token is subject to the same IP allowlist as the Splunk instance it was issued on.
  • Scopes: Different scopes can be selected when creating a token, for example a token may grant access to only one server.

Revoke the secret

This can be done by the user who issued the token or an administrator.

Check for suspicious activity

Access logs are available on the Enterprise instance as described in the access logs documentation.

Details for Splunk token

  • Family: Api

  • Category: Monitoring

  • Company: Splunk

  • High recall: False

  • Validity check available: False

  • Minimum number of matches: 1

  • Occurrences found for one million commits: 8.33

  • Prefixed: False

  • PreValidators:

    - type: ContentWhitelistPreValidator
      patterns:
        - splunk

Examples

  - text: "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-C612A9654321'"
    token: 851A5E58-4EF1-7291-F947-C612A9654321
  - text: 'splunk-token=176fcebf-4cf5-4edf-91bc-728408560464'
    token: 176fcebf-4cf5-4edf-91bc-728408560464
  - text: |
      some context with the word splunk somewhere
      access_token: '08243c00-a31b-499d-9fae-763b41990326'"
    token: 08243c00-a31b-499d-9fae-763b41990326
  - text: -Dsplunk_token=D6BD1AD4-CB62-4D80-A637-593EE2B17391\
    token: D6BD1AD4-CB62-4D80-A637-593EE2B17391
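The two-stage logic this page describes (a ContentWhitelistPreValidator that requires the word "splunk" somewhere in the scanned content, followed by a match on the token itself) is illustrated below in Python. This is an added example, not GitGuardian's detector code: the regular expression, the function names and the token shape (an 8-4-4-4-12 hexadecimal UUID, inferred from the four examples above) are assumptions, and the sample inputs are copied from those examples.

```python
import re

# Assumption: the pre-validator is a case-insensitive substring check for
# each configured pattern; the page lists a single pattern, "splunk".
WHITELIST_PATTERNS = ("splunk",)

# Assumption: Splunk tokens are UUID-shaped (8-4-4-4-12 hex groups), as in
# the page's examples. Lookarounds stop the match from starting or ending
# inside a longer run of hex digits or dashes.
TOKEN_RE = re.compile(
    r"(?<![0-9A-Fa-f-])"
    r"([0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12})"
    r"(?![0-9A-Fa-f-])"
)

# "Minimum number of matches: 1" from the Details list above.
MIN_MATCHES = 1


def content_whitelist_prevalidator(text, patterns=WHITELIST_PATTERNS):
    """Return True when at least one whitelist pattern occurs in the content.

    If this fails the detector is skipped entirely, which is what keeps a
    bare UUID in an unrelated file from being reported as a Splunk token.
    """
    lowered = text.lower()
    return any(p.lower() in lowered for p in patterns)


def detect_splunk_tokens(text):
    """Return the list of token candidates found in `text`.

    An empty list means either the pre-validator rejected the content or
    fewer than MIN_MATCHES token-shaped strings were present.
    """
    if not content_whitelist_prevalidator(text):
        return []
    matches = TOKEN_RE.findall(text)
    if len(matches) < MIN_MATCHES:
        return []
    return matches


# Constructed inputs: the four example texts from this page, plus one
# negative case that carries a UUID but no "splunk" context.
SAMPLE_INPUTS = [
    "SPLUNK_TOKEN1 = '851A5E58-4EF1-7291-F947-C612A9654321'",
    "splunk-token=176fcebf-4cf5-4edf-91bc-728408560464",
    "some context with the word splunk somewhere\n"
    "access_token: '08243c00-a31b-499d-9fae-763b41990326'\"",
    "-Dsplunk_token=D6BD1AD4-CB62-4D80-A637-593EE2B17391\\",
    "session_id=0fa3c1e2-6b7d-4c11-9a2e-0123456789ab",  # no "splunk": skipped
]


def scan_samples(inputs=SAMPLE_INPUTS):
    """Run the detector over each sample and return the per-sample results."""
    return [detect_splunk_tokens(text) for text in inputs]


if __name__ == "__main__":
    for text, found in zip(SAMPLE_INPUTS, scan_samples()):
        print(f"{found or 'no match':<45} <- {text.splitlines()[0]!r}")
```

The negative sample shows why the pre-validator matters for a detector with "High recall: False" and "Prefixed: False": the token format alone is a generic UUID, so the surrounding "splunk" context is what gives the match its meaning. A real scanner would additionally deduplicate results and, since no validity check is available for this token type, treat every hit as needing manual confirmation before revocation.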
