Splunk Authentication Token
ID | splunk_authentication_token
Severity | high
Vendor | Splunk
Family | Access Token
Description
Splunk (now part of Cisco) provides data analysis software. This detector reports leaked Splunk authentication tokens, the bearer tokens that Splunk Enterprise and Splunk Cloud Platform issue to users for REST API access.
A holder of an authentication token can call the Splunk platform REST API (on the management port, 8089 by default) by sending it in an Authorization: Bearer header, with no username or password required.
Security
Any hardcoded Splunk authentication token is a potential secret reported by this detector. The token inherits the roles and capabilities of the user it was created for and stays valid until it expires or is deleted, so whoever holds it can search, read and change configuration exactly as that user could.
Mitigation / Fix
- Follow your policy for handling leaked secrets, which typically requires revoking the secret in the target system(s). In Splunk, delete the token under Settings > Tokens in Splunk Web, or through the authorization/tokens REST endpoint; a deleted token is rejected immediately. If the token was issued for the admin account and you suspect that account itself is compromised, also reset its password:
splunk cmd splunkd rest --noauth POST /services/admin/users/admin "password=<your password>"
Follow the recommendations given in the Reset credentials section of the Splunk documentation.
- Remove the Splunk authentication token from the source code or committed configuration file. Note that revoking the token is still necessary, as this step does not prevent unintended users from using a previously captured copy.
- Check Splunk access logs (splunkd_access.log and the _audit index) to ensure that the secret was not used by unintended actors during the exposure window: look for requests made as the token's user from unexpected source addresses or at unexpected times.
- To limit the attack surface, restrict access to the Splunk Enterprise management port, as described in the Secure Splunk Enterprise on your network section of the Splunk documentation.
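The access-log check above, as an added example that is not part of this page or of Splunk's own tooling. It parses lines in the style of splunkd_access.log (source address, user, timestamp, request line, status) and flags requests made as the token's user inside the exposure window from addresses not on the allow list. The user name svc_ci, the addresses, the window and the log lines are all constructed for the example; the exact column layout of the real log file is an assumption, so adapt the regular expression if your version differs.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the style of splunkd_access.log (assumption:
# the real file may differ slightly; adjust LINE_RE to match your version).
SAMPLE_LOG = """\
10.0.0.5 - svc_ci [12/May/2024:09:58:02.110 +0000] "GET /services/search/jobs HTTP/1.1" 200 4120 - - - 12ms
203.0.113.7 - svc_ci [12/May/2024:10:03:41.512 +0000] "POST /services/search/jobs HTTP/1.1" 201 882 - - - 35ms
203.0.113.7 - svc_ci [12/May/2024:10:04:10.003 +0000] "GET /services/search/jobs/1715508221.42/results HTTP/1.1" 200 98211 - - - 8ms
10.0.0.5 - svc_ci [12/May/2024:10:15:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 1331 - - - 3ms
10.0.0.9 - alice [12/May/2024:10:05:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 1331 - - - 2ms
this line is not an access log entry and must be skipped
"""

# Constructed parameters: the user the leaked token was issued for, the
# window between the commit that leaked it and its revocation, and the
# addresses that legitimately use this token (e.g. the CI runner).
TOKEN_USER = "svc_ci"
EXPOSURE_START = datetime(2024, 5, 12, 10, 0, 0, tzinfo=timezone.utc)
EXPOSURE_END = datetime(2024, 5, 12, 10, 10, 0, tzinfo=timezone.utc)
TRUSTED_IPS = {"10.0.0.5"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Timestamp format: 12/May/2024:10:03:41.512 +0000
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    rec["status"] = int(rec["status"])
    return rec


def suspicious_requests(log_text, user, start, end, trusted_ips):
    """Requests made as `user` inside [start, end] from an untrusted address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] != user:
            continue
        if not (start <= rec["time"] <= end):
            continue
        if rec["ip"] in trusted_ips:
            continue
        hits.append(rec)
    return hits


def by_source(hits):
    """Group flagged requests by source address for a quick triage view."""
    grouped = {}
    for rec in hits:
        grouped.setdefault(rec["ip"], []).append(rec["method"] + " " + rec["path"])
    return grouped


def run_example():
    return suspicious_requests(SAMPLE_LOG, TOKEN_USER, EXPOSURE_START,
                               EXPOSURE_END, TRUSTED_IPS)


if __name__ == "__main__":
    for ip, requests in by_source(run_example()).items():
        print(f"{ip}: {len(requests)} request(s) as {TOKEN_USER} during exposure")
        for r in requests:
            print("   ", r)
```

In the sample, the two search-job requests from 203.0.113.7 are flagged: they run as the token's user, inside the window, from an address that never legitimately uses the token. The 09:58 and 10:15 requests fall outside the window and are ignored; treat hits like the flagged ones as evidence that the token was used and widen the investigation to what those searches returned.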