Solved: Securing Authorization and Authentication of Splu...

kannu · ‎10-15-2024

Hello Splunkers,

I’m working on developing an app that requires making REST API calls to Splunk in order to gather information about saved searches, knowledge objects, and more.

Could you please advise on the most secure method for authorization and authentication? Does the REST API support MFA, or are there other mechanisms available, with or without SAML?

Is token generation the only secure way to make these API calls, or are there alternative methods?

Thanks

Manish Kumar

sainag_splunk

Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself. https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken
HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption.
RBAC Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create splunk roles and map accordingly.
MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens. https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA
SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface.

Tokens are usually the way to go for most scenarios.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens

Hope this helps!

View solution in original post

sainag_splunk

Token Authentication: This is definitely your best bet for security. You can create these through Splunk Web or via the API itself. https://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTtoken
HTTPS: Always, always use HTTPS for your API calls. It's a must for encryption.
RBAC Make sure your API user or token only has the permissions it absolutely needs. Less is more when it comes to security! Create splunk roles and map accordingly.
MFA: While Splunk supports MFA for user logins, it's not directly used for API calls. Instead, you'd set up MFA for the user generating the API tokens. https://docs.splunk.com/Documentation/SIM/current/User/SetupMFA
SAML: If you're using SAML, you'll still use tokens for API access. SAML is more for the web interface.

Tokens are usually the way to go for most scenarios.

https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/SetupuserauthenticationwithSplunk
https://docs.splunk.com/Documentation/Splunk/9.3.1/Security/UseAuthTokens

Hope this helps!

PickleRick

From the security standpoint token authentication doesn't differ from user/password authentication. It's still authentication with a static secret.

You can't use SAML for REST API authentication.

You might want to think about integrating an external credentials provider like Conjur and rotating the tokens often

Securing Authorization and Authentication of Splunk rest API call

using Splunk Enterprise

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

Alerting Best Practices: How to Create Good Detectors

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...