Is it possible to modify an indexed event? My company is using Splunk for detecting suspicious activities. One of the scenarios is to detect failed logons to servers. I am afraid that someone (e.g. an attacker) can modify the timestamp or username, or even delete the whole log, to cover his/her tracks. Does anyone know about this?
Has any white paper or official document been released regarding the above question?
Data indexed in Splunk cannot be changed. That doesn't mean the source log can't be modified before it is indexed, however.
It's possible to delete data in Splunk (it's actually just marked as "invisible") by someone with the 'can_delete' privilege, but that's easily avoided by not granting the privilege to anyone.
--- If this reply helps you, an upvote would be appreciated.
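One check an admin would want after reading this answer is to find every role that ends up able to delete indexed events, directly or through role inheritance, since a capability granted to an imported role is easy to miss. The script below is an added example, not part of the original answer and not Splunk's own tooling. It assumes the authorize.conf layout (`[role_<name>]` stanzas, `importRoles` as a semicolon-separated list, capabilities set to `enabled`, and the built-in `can_delete` role carrying the `delete_by_keyword` capability); the config text embedded in it is constructed for the example.

```python
"""Audit which Splunk roles can delete indexed events.

Added example, not from the original post. Assumes authorize.conf uses
[role_<name>] stanzas, 'importRoles = a;b' for inheritance and
'<capability> = enabled' to grant a capability. SAMPLE_AUTHORIZE_CONF is
constructed for this example and does not come from a real deployment.
"""
import configparser

# Constructed sample in the style of etc/system/local/authorize.conf.
SAMPLE_AUTHORIZE_CONF = """
[role_can_delete]
delete_by_keyword = enabled

[role_user]
search = enabled

[role_power]
importRoles = user
schedule_search = enabled

[role_soc_analyst]
importRoles = power;can_delete

[role_admin]
importRoles = power
delete_by_keyword = enabled
admin_all_objects = enabled
"""

# Capability behind the built-in can_delete role (assumption stated in the lead-in).
DELETE_CAPABILITY = "delete_by_keyword"


def parse_roles(conf_text):
    """Return {role_name: {"imports": [...], "caps": set(...)}} from authorize.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep capability names exactly as written
    parser.read_string(conf_text)
    roles = {}
    for section in parser.sections():
        if not section.startswith("role_"):
            continue  # skip non-role stanzas such as [capability::...] entries
        name = section[len("role_"):]
        items = dict(parser.items(section))
        imports = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        caps = {key for key, value in items.items() if value.strip().lower() == "enabled"}
        roles[name] = {"imports": imports, "caps": caps}
    return roles


def effective_capabilities(roles, name, _seen=None):
    """Capabilities granted directly or inherited via importRoles (cycle-safe)."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in roles:
        return set()  # unknown parent role or an import cycle: nothing more to add
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_capabilities(roles, parent, seen)
    return caps


def roles_that_can_delete(conf_text, capability=DELETE_CAPABILITY):
    """Sorted list of roles that end up with the delete capability."""
    roles = parse_roles(conf_text)
    return sorted(r for r in roles if capability in effective_capabilities(roles, r))


if __name__ == "__main__":
    # soc_analyst never names delete_by_keyword itself; it inherits it from can_delete.
    for role in roles_that_can_delete(SAMPLE_AUTHORIZE_CONF):
        print(f"{role}: can delete indexed events")
```

Run it against the merged configuration rather than a single file (for example the output of `splunk btool authorize list`), since a role stanza in an app directory can add `importRoles` that the system-level file never shows. The point of the transitive resolution is exactly the `soc_analyst` case above: the stanza looks harmless until you follow its imports.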