Splunk Compliance Checks

Plugin ID: 166550

The Splunk plugin connects to the REST API endpoints exposed by Splunk products. It authenticates to each Splunk target, fetches data from the API endpoints, and evaluates the returned output against specific expressions.

Scan Requirements

Credentials

The plugin requires the following Splunk API credentials (configured under Miscellaneous credentials) for scanning:

  • Username — (Required) The username for an account on the Splunk target.

  • Password — (Required) The password for the scanning account.

  • Port — (Required) The port to use when connecting to the target. This setting defaults to port 8089.

  • HTTPS — Determines whether to connect over HTTPS (encrypted) or over plain HTTP. The setting defaults to On.

  • Verify SSL Certificate — When this setting is checked, the certificate presented by the HTTPS connection is verified and the check fails if the certificate is not valid. If the target uses a self-signed certificate, you have to uncheck this setting, which disables certificate validation for that target. The setting defaults to checked.
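As an added illustration of what the plugin does (this is example code, not Tenable's or Splunk's own): build an authenticated request to the Splunk management API on the default port 8089 over HTTPS, honour the Verify SSL Certificate setting, and evaluate the JSON response against an expected expression. The host name, the endpoint path and the JSON layout are assumptions, and the sample response body is constructed.

```python
import base64
import json
import re
import ssl
import urllib.request

# Constructed sample body, shaped like Splunk's JSON output_mode (assumption).
SAMPLE_BODY = json.dumps({
    "entry": [{"name": "server-info",
               "content": {"version": "9.1.2", "isFree": False}}]
})


def build_request(host, path, username, password, port=8089, https=True):
    """Authenticated request for the Splunk management API.
    Port 8089 and HTTPS are the plugin's defaults; the scanning account is
    sent as HTTP Basic credentials."""
    scheme = "https" if https else "http"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{scheme}://{host}:{port}{path}",
        headers={"Authorization": f"Basic {token}"},
    )


def tls_context(verify_cert=True):
    """Mirror the 'Verify SSL Certificate' setting: unchecking it disables
    chain and hostname validation, so only do that for self-signed targets."""
    ctx = ssl.create_default_context()
    if not verify_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def fetch(req, ctx, timeout=15):
    """Fetch the endpoint (network access required) and return the body."""
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def evaluate(body, json_path, expected_regex):
    """Walk a dotted path (list indices as integers) into the JSON body and
    match the selected value against the expected expression.
    Returns (passed, value)."""
    node = json.loads(body)
    for key in json_path.split("."):
        node = node[int(key)] if isinstance(node, list) else node[key]
    value = json.dumps(node) if isinstance(node, (dict, list)) else str(node)
    return bool(re.fullmatch(expected_regex, value)), value
```

A full check is `evaluate(fetch(build_request(...), tls_context(...)), path, regex)`; `evaluate` alone can be exercised offline against `SAMPLE_BODY`.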

Permissions

A user with the admin role is required.

Checks

You must bracket all Splunk REST API compliance checks with the check_type encapsulation and the Splunk designation.

<check_type:"Splunk">

[audit content]

</check_type>

This wrapper is required to differentiate .audit files intended specifically for the Splunk REST API from other types of compliance audits.
