# Splunk User Credentials

## Description

### General
- Documentation: https://docs.splunk.com/Documentation/Splunk/8.1.0/Security/Secureyouradminaccount
- Summary: Splunk is a company providing data analysis software. This detector focuses on detecting admin credentials for Splunk Enterprise, as written to the `user-seed.conf` file.
- IPs allowlist: It is possible to restrict access to a Splunk Enterprise instance by IP address; this is documented here.
- Scopes: These credentials are the admin credentials; they have full access to the instance.
### Revoke the secret
The password can be reset as described in the documentation.
### Check for suspicious activity
Access logs are available on the Enterprise instance as described in the access logs documentation.
## Details for Splunk user seed

- Family: Other
- Category: Monitoring
- Company: Splunk
- High recall: False
- Validity check available: False
- Minimum number of matches: 2
- Occurrences found for one million commits: 0.03
- Prefixed: False
- PreValidators:

```yaml
- type: FilenameWhitelistPreValidator
  whitelist_extensions: []
  whitelist_filenames:
    - user-seed.conf
  whitelist_filepaths: []
```
## Examples

```yaml
- text: |
    [user_info]
    USERNAME = hello
    PASSWORD = spluqkuc
  username: hello
  password: spluqkuc
```
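The following is an added example, not GitGuardian's detector code, that reproduces the detection rule described above: the filename prevalidator only admits `user-seed.conf`, and a finding requires both a cleartext `USERNAME` and `PASSWORD` in the `[user_info]` stanza (two matches minimum). The sample file content is constructed from the example above; the `HASHED_PASSWORD` key is Splunk's own alternative to `PASSWORD` in that file and is deliberately not reported as a cleartext secret.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Filenames admitted by the FilenameWhitelistPreValidator (from the detector details above).
WHITELIST_FILENAMES = {"user-seed.conf"}
MIN_MATCHES = 2  # both USERNAME and PASSWORD must be present

# Constructed sample of a Splunk Enterprise user-seed.conf; the values are placeholders.
SAMPLE_USER_SEED = """\
[user_info]
USERNAME = hello
PASSWORD = spluqkuc
"""

_STANZA = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KV = re.compile(r"^\s*(USERNAME|PASSWORD|HASHED_PASSWORD)\s*=\s*(.*?)\s*$", re.I)


@dataclass
class Finding:
    username: str
    password: str

    def redacted(self) -> str:
        """Render the finding without re-leaking the secret in a report."""
        p = self.password
        return f"username={self.username!r} password={p[:2]}{'*' * (len(p) - 2)}"


def scan_user_seed(filename: str, text: str) -> Optional[Finding]:
    """Return a Finding when the filename passes the prevalidator and the
    [user_info] stanza carries both a cleartext USERNAME and PASSWORD."""
    if filename.rsplit("/", 1)[-1] not in WHITELIST_FILENAMES:
        return None  # prevalidator: other filenames are never scanned
    stanza, fields = None, {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # comment lines carry no credentials
        m = _STANZA.match(line)
        if m:
            stanza = m.group(1).strip().lower()
            continue
        m = _KV.match(line)
        if m and stanza == "user_info":
            fields[m.group(1).upper()] = m.group(2)
    matches = {k: v for k, v in fields.items() if k in ("USERNAME", "PASSWORD") and v}
    if len(matches) < MIN_MATCHES:
        return None  # a HASHED_PASSWORD alone is not a cleartext admin secret
    return Finding(matches["USERNAME"], matches["PASSWORD"])
```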