SPL safeguards for risky commands
The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be either a security or a performance risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.
In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.
This warning alerts you to the possibility of either a significant impact to performance or unauthorized actions by a malicious user. Unauthorized actions include:
- Copying or transferring data, a practice known as data exfiltration
- Deleting data
- Overwriting data
A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.
A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard which runs the searches with the risky commands.
Some search commands do not pose security risks, but Splunk includes them in the list of risky commands because of their impact on performance. The rules are the same. When a search contains the risky command, the Splunk platform raises a warning to advise of the potential performance effects of the command.
Commands that trigger SPL safeguards
Here is the list of search commands that are classified as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data by running the commands.
collect
delete
dump
map
mcollect
meventcollect
outputcsv
outputlookup
run
runshellscript
script
sendalert
sendemail
tscollect
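As an added example (not Splunk's own code), the following Python scanner applies the list above to a search string: it treats the first word of each pipeline segment as the command name, ignores pipes inside quoted strings, and descends into bracketed subsearches. The sample query is constructed.

```python
"""Flag risky SPL commands in a search string (added example, not Splunk's own code)."""

# The commands the page lists as triggering SPL safeguards.
RISKY_COMMANDS = frozenset({
    "collect", "delete", "dump", "map", "mcollect", "meventcollect",
    "outputcsv", "outputlookup", "run", "runshellscript", "script",
    "sendalert", "sendemail", "tscollect",
})


def risky_commands(spl):
    """Return the risky commands used in `spl`, in order, descending into [subsearches].

    Only the first word of each pipeline segment is a command name, so `eval x=delete`
    is not flagged; text inside double quotes is data, so a pipe in a string is ignored.
    Scanning subsearches is this example's choice, not a claim about Splunk's scanner.
    """
    found, word, in_quote = [], "", False
    expect = [True]  # one flag per bracket depth: is the next word a command name?
    for prev, ch in zip(" " + spl, spl + " "):  # trailing space flushes the last word
        if in_quote:
            in_quote = ch != '"' or prev == "\\"  # backslash escapes a quote
            continue
        if ch.isalnum() or ch == "_":
            word += ch
            continue
        if word and expect[-1] and word.lower() in RISKY_COMMANDS:
            found.append(word.lower())
        if word:
            expect[-1] = False  # the segment's first word has been consumed
        word = ""
        if ch == "|":
            expect[-1] = True  # a new pipeline segment starts
        elif ch == "[":
            expect.append(True)  # a subsearch starts its own pipeline
        elif ch == "]" and len(expect) > 1:
            expect.pop()
        elif ch == '"':
            in_quote = True
        elif not ch.isspace():
            expect[-1] = False  # e.g. '=' means this segment did not start with a command
    return found


if __name__ == "__main__":
    # Constructed sample: a query carrying a risky command inside a subsearch.
    print(risky_commands('index=main [ search index=x | delete ] | stats count'))  # ['delete']
```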
On Splunk Cloud Platform only, new capabilities can limit access to some custom and potentially risky commands
In versions 8.2.2107 and higher of Splunk Cloud Platform only, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but a user who does not hold one of these roles, either directly or through role inheritance, must be assigned the capabilities through a role that the user does hold. The following table shows the new capabilities and the actions that they grant:
New capability | What it lets you do
---|---
run_sendalert | Lets users run the sendalert command
run_dump | Lets users run the dump command
run_custom_command | Lets users run any custom command
For the full list of capabilities, see Define roles on the Splunk platform with capabilities.
Actions in the warning dialog box
Instead of running the search immediately, the Splunk platform analyzes the search or dashboard for risky commands. If the platform identifies one or more risky commands in a search, a warning dialog box appears. If the platform identifies one or more risky commands in a dashboard, the warning appears automatically, or you must click the error icon to invoke the dialog box.
Search
With the Search warning dialog box, you have the option to cancel, run, or investigate the search.
- Cancel
- Closes the warning dialog box. The search does not run and Splunk Web removes the search from the Search bar. If you close the dialog box by clicking the Close button (X), it is the same action as clicking Cancel.
- Run
- Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
- Investigate
- Displays the search in the Search bar so that you can review the SPL. Use this option to copy the syntax of the search. Send a copy of the search, along with any information about the source of the link, to your system administrator.
Dashboards
The Dashboards warning dialog box prompts you to accept or reject the risk of running the query with the risky command. The workflow of the dialog box depends on what dashboard component connects to the search that triggers the safeguard.
- Inputs and visualizations with risky commands do not run automatically. You must click the error icon to invoke the warning modal to run the search.
- Risky searches that are not associated with inputs or visualizations will automatically display the warning dialog box.
With the Dashboards warning dialog box, you have the option to cancel or run the search.
- Cancel
- Closes the warning dialog box. The search does not run.
- Run Query Anyway
- Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
Risky chained searches
If the Splunk platform identifies a risky command within a chained search, you must resolve each chained search that extends the risky command, even if only one of the searches within the chain contains a risk.
For example, a chain search has a safe base search, but one risky search out of two:
base search
+ risky chain search 1
+ chain search 2
Although only risky chain search 1 poses a risk, chain search 2 also triggers a warning dialog box because it extends the risk of risky chain search 1. In this scenario, you can safely run chain search 2 to reach the warning dialog box for risky chain search 1 and decide to run or cancel risky chain search 1.
For more details about chained searches, see Create a chain search.
Deactivate SPL safeguards on Splunk Enterprise only
On Splunk Enterprise only, you can disable SPL safeguards if you have write permissions to the instance. The web.conf configuration file controls whether or not the safeguards are active. You can edit this file to disable the risky SPL command warning dialog box. You can turn off the warning for a specific command, or for all of the risky commands.
If you use Splunk Cloud Platform, contact your Splunk account representative to help with making updates to the web.conf configuration file. It is not possible to use Splunk Web to disable SPL safeguards.
Disable safeguards for a specific command
- Use a text editor to open the commands.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
- Find the is_risky setting for the command within the file and copy the setting stanza.
- Open the $SPLUNK_HOME/etc/system/local directory and open the commands.conf configuration file for editing. If this file does not exist, create it.
- Paste the is_risky setting stanza into $SPLUNK_HOME/etc/system/local/commands.conf.
- Change the is_risky setting for the command from true to false.
- Save the commands.conf configuration file and close it.
- Restart Splunk Enterprise.
Disable safeguards for all commands
- Use a text editor to open the web.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
- Find the command check settings within the web.conf configuration file and copy the setting stanza.
  - For the Search page, find the enable_risky_command_check setting stanza.
  - For dashboards, find the enable_risky_command_check_dashboard setting stanza.
- Locate and open the $SPLUNK_HOME/etc/system/local/web.conf configuration file. If this file does not exist, create it.
- Paste the copied setting stanza into the $SPLUNK_HOME/etc/system/local/web.conf file.
- Change the enable_risky_command_check or enable_risky_command_check_dashboard setting values from true to false:
  - For the Search page, setting the value to false disables SPL safeguards for all searches in the deployment. If you've set the Search page to false, and dashboards remain true, SPL safeguards are still active on the dashboards but are not active on the Search page.
  - For dashboards, setting the value to false turns off the warning for all dashboards in the deployment. If you've set dashboards to false, and the Search page remains true, SPL safeguards are still active on the Search page but are not active on the dashboards.
- Save the web.conf file and close it.
- Restart Splunk Enterprise.
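An added example, not Splunk's or the page's own code: a Python audit that reads the local commands.conf and web.conf overrides produced by the two procedures above and reports which safeguards they switch off. The conf text is constructed, and the audit assumes is_risky defaults to true for every command on the risky list.

```python
"""Audit local Splunk conf overrides that weaken SPL safeguards (added example, not Splunk's code)."""
import configparser

# Constructed $SPLUNK_HOME/etc/system/local/commands.conf: the delete stanza copied from
# system/default with is_risky flipped to false, as the procedure describes. Assumes the
# default value is true for every command on the risky list.
LOCAL_COMMANDS_CONF = """
[delete]
is_risky = false

[outputlookup]
is_risky = true
"""

# Constructed $SPLUNK_HOME/etc/system/local/web.conf that turns the dashboard check off
# while leaving the Search page check on.
LOCAL_WEB_CONF = """
[settings]
enable_risky_command_check = true
enable_risky_command_check_dashboard = false
"""

GLOBAL_CHECKS = ("enable_risky_command_check", "enable_risky_command_check_dashboard")


def parse_conf(text):
    """Parse Splunk's ini-style conf text; interpolation is off because values may contain '%'."""
    conf = configparser.ConfigParser(interpolation=None, strict=False)
    conf.read_string(text)
    return conf


def audit_safeguards(commands_conf, web_conf):
    """Return the commands whose safeguard was switched off and the global checks that are off."""
    commands = parse_conf(commands_conf)
    unguarded = [c for c in commands.sections()
                 if not commands.getboolean(c, "is_risky", fallback=True)]
    web = parse_conf(web_conf)
    disabled = [s for s in GLOBAL_CHECKS
                if not web.getboolean("settings", s, fallback=True)]
    return {"unguarded_commands": unguarded, "disabled_checks": disabled}


if __name__ == "__main__":
    print(audit_safeguards(LOCAL_COMMANDS_CONF, LOCAL_WEB_CONF))
```

Run it against the real files under $SPLUNK_HOME/etc/system/local (and any app's local directory) to see where a deployment has turned the warnings off.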
See also
In the Splunk Enterprise Admin Manual:
- Troubleshoot token authentication
- Troubleshoot Splunk forwarder TCP tokens
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2202