Security

Splunk database log manipulation

johann2017
Explorer

Greetings,

I had a question in regards to accessing and manipulating Splunk logs. All of my Splunk infrastructure is onsite.

For example, what would be required for someone to manually modify my Firewall logs or Active Directory logs that reside on my indexer or heavy forwarder? If possessing the right privileges, could a user modify a firewall log on in a Splunk database to change the source or destination IP (or whatever log information) in a firewall log, or delete that particular log event itself?

I was not sure what permissions and databases / files would be involved.

0 Karma
1 Solution

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

View solution in original post

0 Karma

chrisyounger
SplunkTrust
SplunkTrust

Hi @johann2017

There is no way that someone using Splunk can easily change data such as changing the source and destination IPs. If the user has the can_delete capability (can be added to a role in Settings >Access Controls >Roles) they can specifically delete bits of to prevent them from being found. Restricting access to this capability is typically the protection that most customers require against data changes.

|delete can be reversed if you have filesystem access. If someone has access to the filesystem, they could conceivably change the data. - But this would be a huge amount of effort. They would need to reingest the whole bucket with the altered records.

There is this blog article that might be of interest to you: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html Note data integrity is not needed for most customers.

All the best.

0 Karma

johann2017
Explorer

Thank you!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...