Splunk User Credentials
Description
General
- Documentation: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount
- Summary: Splunk is a company providing data analysis software. This detector focuses on detecting admin credentials for Splunk Enterprise.
- IPs allowlist: It is possible to restrict access to a Splunk Enterprise instance, this is documented here.
- Scopes: These credentials are the admin credentials, they have full access to the instance.
Revoke the secret
The password can be reset as described in the documentation.
Check for suspicious activity
Access logs are available on the Enterprise instance as described in the access logs documentation.
Details for Splunk user seed
Family: Other
Category: Monitoring
Company: Splunk
High recall: False
Validity check available: False
Minimum number of matches: 2
Occurrences found for one million commits: 0.03
Prefixed: False
PreValidators:
- type: FilenameWhitelistPreValidator
whitelist_extensions: []
whitelist_filenames:
- user-seed.conf
whitelist_filepaths: []
Examples
- text: |
[user_info]
USERNAME = hello
PASSWORD = spluqkuc
username: hello
password: spluqkuc
Was this page helpful?
