Configure data protection
Splunk includes a number of solutions to verify the integrity of your IT data, including tamper detection and data masking. These solutions should be implemented in addition to your existing security controls.
Tamper detection
The Splunk App for Enterprise Security includes three mechanisms for tamper detection: event hashing, audit event signing, and IT data signing.
Event hashing
Event hashing detects if events have been tampered with sometime between index time and search time.
By default, Enterprise Security enables event hashing of notable events generated by search-time correlations. Each notable event will be assessed for modification when viewed from within the Incident Review dashboard. The following icons show the status of the notable events:
Tampered! The event hash does not match and the notable event has been tampered with.
Valid! The event hash matches and the notable event has not been tampered with.
To enable hashing for other events based on host, source, or source type:
1. Open the file $SPLUNK_HOME/etc/system/local/audit.conf in a text editor, or create a new file if it does not exist.
2. Look for or create the [eventHashing] stanza.
3. For each host, source type, or source for which you want to enable hashing, create a new filterSpec stanza. Place the filterSpec stanza after the eventHashing stanza. You can use any name for the filter. The following shows the syntax, with the parts you must edit:
[filterSpec:event_whitelist:filterName1]
<host|sourcetype|source>=name
Example: To create a filter named nessusWhiteList that hashes all events with sourcetype nessus:
[filterSpec:event_whitelist:nessusWhiteList]
sourcetype=nessus
4. Edit or create the eventHashing stanza and add each filter:
[eventHashing]
filters=filter1,filter2,nessusWhiteList
5. Restart Splunk.
Audit event signing
Splunk creates audit trail information (by creating and signing audit events) when you have auditing enabled. The audit processor applies a sequence number ID to the event, then creates a hash signature from the sequence ID and the event's timestamp. Once you've enabled audit signing, you can search for gaps in the sequence of numbers and find out if your data has been tampered with.
Audit event signing is configured in the auditTrail stanza in audit.conf. See "How audit event signing works" in the Splunk core documentation for details of how to generate a public/private key pair and enable audit event signing.
Once you have set up audit signing, you can view the Splunk audit events using the `audit_validation` macro:
`audit_validation`
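The gap search described above, as an added example that is not part of the Splunk documentation or the `audit_validation` macro: the event layout (an ISO timestamp followed by key=value fields, one of them a hypothetical `sequence_id` field) and the sample lines are constructed; the page states only that each audit event carries a sequence ID and a timestamp.

```python
import re

# Constructed sample of audit events (hypothetical layout). Sequence ID 3 is
# absent, ID 5 appears twice, and ID 6 carries a timestamp earlier than ID 5.
SAMPLE_AUDIT_EVENTS = """\
2014-05-01T10:00:01 sequence_id=1 action=search user=alice
2014-05-01T10:00:05 sequence_id=2 action=search user=alice
2014-05-01T10:00:12 sequence_id=4 action=login user=bob
2014-05-01T10:00:20 sequence_id=5 action=edit_user user=bob
2014-05-01T10:00:20 sequence_id=5 action=edit_user user=bob
2014-05-01T09:59:50 sequence_id=6 action=search user=alice
"""

_EVENT_RE = re.compile(r"^(\S+)\s.*?\bsequence_id=(\d+)\b")


def parse_audit_events(raw_events):
    """Return (sequence_id, timestamp) pairs in the order the events appear."""
    events = []
    for line in raw_events.splitlines():
        m = _EVENT_RE.match(line)
        if m:
            events.append((int(m.group(2)), m.group(1)))
    return events


def audit_sequence_check(events):
    """Flag what a tampered audit trail would show: IDs absent from the
    contiguous range (deleted events), IDs seen more than once (duplicated
    events), and IDs whose timestamp runs backwards relative to the previous
    ID (reordered or back-dated events)."""
    report = {"missing": [], "duplicates": [], "out_of_order": []}
    if not events:
        return report
    by_id = {}
    for seq, ts in events:
        by_id.setdefault(seq, []).append(ts)
    lo, hi = min(by_id), max(by_id)
    report["missing"] = [i for i in range(lo, hi + 1) if i not in by_id]
    report["duplicates"] = sorted(i for i, stamps in by_id.items() if len(stamps) > 1)
    # ISO-8601 timestamps sort lexically, so string comparison is sufficient.
    prev_ts = None
    for seq in sorted(by_id):
        ts = by_id[seq][0]
        if prev_ts is not None and ts < prev_ts:
            report["out_of_order"].append(seq)
        prev_ts = ts
    return report


if __name__ == "__main__":
    print(audit_sequence_check(parse_audit_events(SAMPLE_AUDIT_EVENTS)))
```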
IT data signing
IT data signing applies a digital signature to blocks of IT events in order to verify the integrity of the data at search time and identify gaps in the data (if someone deleted log messages). IT data signing is configured in indexes.conf by setting blockSignSize to a value greater than zero. IT data signing can be configured per index (encrypt all events for an index) or globally (for all indexes). Note that increasing the block size decreases the number of times that Splunk has to encrypt events and thus reduces the performance impact to Splunk. See "IT data signing" in the Splunk core documentation for more information.
To verify data that has been digitally signed:
1. Click the down arrow next to the event in any search window.
2. Select Show Source.
Splunk will display all of the source data for the block containing that event. The top of the view source page will display a message indicating whether the source data was validated or not. No message is displayed if data signing is disabled.
Note: Enabling data signing will cause a decrease in overall search and index performance.
Data masking
Some data sources may provide IT data containing sensitive information that should not be available within Splunk. This may include passwords, credit card numbers, names, email addresses, or other personally identifiable information. Splunk can replace the sensitive data at index time, preventing it from being seen. See "Anonymize data" in the Splunk documentation for more information.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1