Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Securing Authorization and Authentication of Splunk rest API call

kannu
Communicator
‎10-15-2024 05:58 AM
Hello Splunkers,
 

I’m working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more.

Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML?

Is token generation the only secure way to make these API calls, or are there alternative methods?

Thanks 

Manish Kumar

 

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-15-2024 12:24 PM
  1. Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself.  https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken
  2. HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption.
  3. RBAC Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create splunk roles and map accordingly.
  4. MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens. https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA

  5. SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface.

Tokens are usually the way to go for most scenarios.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens

 

Hope this helps!

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

sainag_splunk
Splunk Employee
Splunk Employee
‎10-15-2024 12:24 PM
  1. Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself.  https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken
  2. HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption.
  3. RBAC Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create splunk roles and map accordingly.
  4. MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens. https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA

  5. SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface.

Tokens are usually the way to go for most scenarios.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens

 

Hope this helps!

If this helps, Upvote!!!!
Together we make the Splunk Community stronger 
0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-15-2024 01:47 PM

From the security standpoint token authentication doesn't differ from user/password authentication. It's still authentication with a static secret.

You can't use SAML for REST API authentication.

You might want to think about integrating an external credentials provider like Conjur and rotating the tokens often

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...