Solved: Are there any new resources on Splunk On Prem Data...

NightShark · ‎08-08-2023

Hello,

I have looked over blogs and topics being discussed about Splunk's Data Integrity Checks and Anti Tampering controls, yet most of the resources found were outdated and/or not found anymore.

Are there any new sources or apps that keep track of Splunk's own security from its Admins via the configuration tracker index or other means?

Thanks,
Best Regards,

VatsalJagani · ‎08-21-2023

@NightShark - For the 1st item I know you (as a admin user) will see a message on the Splunk screen as shown here in the screenshot, that's where you will see that message.

View solution in original post

VatsalJagani · ‎08-08-2023

@NightShark - Splunk has two things for it:

Splunk gives error for file hash not matching if it finds files being updated/deleted which not suppose to change.
It has a configuration changes tracker. Search for index=_configtracker

I hope this helps!!!

NightShark · ‎08-08-2023

Hello @VatsalJagani,

Thank you for your response, what is that feature called about giving an alert when hashes do not match?

Second of all, is there a list of specific configuration changes that could allow us to tamper with the data before being sent to the indexers like sed being added for example in the configuration files?

Thanks,

Regards,

VatsalJagani · ‎08-21-2023

@NightShark - For the 1st item I know you (as a admin user) will see a message on the Splunk screen as shown here in the screenshot, that's where you will see that message.

Are there any new resources on Splunk On Prem Data Integrity and Anti Tamper Controls?

access control

other

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases