Getting Data In

Is there any sensitive data in the _internal index?

ickymettle
Explorer

Hi Splunkers,

We have a macro here we're using to allow users to search their previous search history. It relies on the searches.log contained in the _internal index.

In principle, at least from what I've used the _internal index for (metrics, search log, etc.), I haven't come across any events in there that are particularly operationally sensitive.

Was wondering if there are any potential "gotchas" that could be lurking there that I should be aware of, without actually trawling all the logs looking for sensitive stuff.

The intention is to allow _internal index access to the user role in our environment.

Cheers, Marcus


sideview
SplunkTrust

I think one of the biggest security problems concerns the search terms, because all searches would become visible. For example, if an admin is doing some searches and during the course of that they click on a particular social security number in the UI, that becomes a search, so the number of course appears in searches.log and now all the regular users can see that number.

So if there are any indexes that only users with special roles can search, you're leaving a bit of a hole. On the other hand, if there are no such indexes in your system, this particular problem disappears.

I can't think of much that's left. Traffic analysis and maybe search term analysis on what the other Splunk users are searching for.

0 Karma
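An added example, not part of the thread: one way to check an exported search log for the leak described in the answer before opening _internal to the user role. It generalizes from social security numbers to payment card numbers; the `user=... search='...'` line layout and the sample lines are constructed assumptions, not Splunk's documented searches.log format.

```python
import re

# SSN-shaped token; lookarounds keep it from matching inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Assumed (constructed) layout: ... user=<name> search='<search string>'
LINE_RE = re.compile(r"user=(?P<user>\S+)\s+search='(?P<search>.*)'\s*$")

# Constructed sample lines, not real log data.
SAMPLE = [
    "2011-03-02 10:15:01 user=admin search='search index=hr_restricted 078-05-1120'",
    "2011-03-02 10:16:40 user=marcus search='search index=_internal source=*metrics.log'",
    "2011-03-02 10:17:12 user=admin search='search index=payments 4111 1111 1111 1111'",
    "2011-03-02 10:18:03 user=jo search='search ticket=000-12-3456 earliest=-1d'",
]

def plausible_ssn(m):
    # Reject ranges that are never issued, to cut false positives on ticket ids.
    area, group, serial = m.groups()
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")

def luhn_ok(token):
    digits = [int(c) for c in token if c.isdigit()]
    # Double every second digit from the right, subtracting 9 when it exceeds 9.
    doubled = [d * 2 - 9 if d > 4 else d * 2 for d in digits[-2::-2]]
    return (sum(digits[-1::-2]) + sum(doubled)) % 10 == 0

def audit_search_log(lines):
    """Return (line number, user, kinds, redacted search) for each risky line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        search, kinds = m.group("search"), []
        if any(plausible_ssn(s) for s in SSN_RE.finditer(search)):
            kinds.append("ssn")
        if any(luhn_ok(c.group()) for c in CARD_RE.finditer(search)):
            kinds.append("card")
        if kinds:
            # Redact before reporting so the audit output does not repeat the leak.
            redacted = CARD_RE.sub("<card>", SSN_RE.sub("***-**-****", search))
            findings.append((lineno, m.group("user"), kinds, redacted))
    return findings

if __name__ == "__main__":
    for finding in audit_search_log(SAMPLE):
        print(finding)
```

Any finding means a value from a restricted index has already been copied into the search history that the user role would be able to read.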