Configure data protection
Splunk includes several mechanisms for protecting the IT data it stores: tamper detection, which verifies that indexed data has not been altered or deleted, and data masking, which removes sensitive values before they are indexed. These mechanisms complement your existing security controls; they do not replace them.
The Splunk App for Enterprise Security includes three mechanisms for tamper detection: event hashing, audit event signing, and IT data signing.
Event hashing
Event hashing detects whether events were modified between index time and search time.
By default, Enterprise Security enables event hashing for the notable events that its search-time correlation searches generate. Each notable event is checked for modification when it is viewed in the Incident Review dashboard, and an icon shows the result of that check for each notable event:
To enable hashing for other events based on host, source, or source type:
1. Open $SPLUNK_HOME/etc/system/local/audit.conf in a text editor, or create the file if it does not exist.
2. Look for or create the eventHashing stanza.
3. For each host, source type, or source for which you want to enable hashing, create a new filterSpec stanza. Place the filterSpec stanza after the eventHashing stanza. You can use any name for the filter. The following shows the syntax, with the parts you must edit:
Example: To create a filter named nessusWhiteList that hashes all events with
4. Edit or create the eventHashing stanza and add each filter:
5. Restart Splunk.
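A complete audit.conf for the procedure above, added here as an example; it is not text from the original page. It assumes the filterSpec syntax from audit.conf.spec (a stanza named [filterSpec:event_whitelist:<name>] carrying sourcetype, source, host or all keys, referenced from the filters key of the eventHashing stanza); check the spec file shipped with your version before relying on it. The nessus source type and the host name fwd-dmz-01 are constructed values for illustration.

```ini
# $SPLUNK_HOME/etc/system/local/audit.conf (added example, not from the page)

# Turn on hashing for the events matched by the filters listed here.
[eventHashing]
filters = nessusWhiteList,dmzHosts

# Filter stanzas follow the eventHashing stanza. The name after the second
# colon is arbitrary; it only has to match an entry in "filters" above.
# Hash every event whose source type is nessus (constructed example).
[filterSpec:event_whitelist:nessusWhiteList]
sourcetype = nessus

# A second filter keyed on host; fwd-dmz-01 is a constructed host name.
[filterSpec:event_whitelist:dmzHosts]
host = fwd-dmz-01
```

Restart Splunk after saving the file; events that match either filter are hashed at index time and checked at search time from then on, but events indexed before the restart are not retroactively hashed.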
Audit event signing
When auditing is enabled, Splunk creates an audit trail by generating and signing audit events. The audit processor assigns each event a sequence number ID and then creates a hash signature from that sequence ID and the event's timestamp. Once audit signing is enabled, you can search for gaps in the sequence numbers to find out whether audit events have been removed or the trail has otherwise been tampered with.
Audit event signing is configured in the auditTrail stanza in audit.conf. See "How audit event signing works" in the Splunk core documentation for details of how to generate a public/private key pair and enable audit event signing.
Once you have set up audit signing, you can view the Splunk audit events using the
IT data signing
IT data signing applies a digital signature to blocks of IT events so that the integrity of the data can be verified at search time and gaps (for example, deleted log messages) can be identified. IT data signing is configured in indexes.conf by setting blockSignSize to a value greater than zero, either per index (sign all events in that index) or globally (all indexes). Increasing the block size reduces the number of signing operations Splunk performs, and therefore the performance impact, at the cost of coarser detection: a gap or modification is reported for the whole block it falls in rather than for the individual event. See "IT data signing" in the Splunk core documentation for more information.
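An indexes.conf fragment showing both placements of blockSignSize, added here as an example rather than configuration from the original page. It assumes the standard indexes.conf layout (a [default] stanza for global settings and one stanza per index with its path keys); the firewall index and its paths are constructed for illustration.

```ini
# $SPLUNK_HOME/etc/system/local/indexes.conf (added example, not from the page)

# blockSignSize = 0 is the default and disables signing. A value set here
# applies to every index that does not override it.
[default]
blockSignSize = 0

# Sign the (constructed) firewall index in blocks of 100 events. A larger
# value means fewer signing operations and less overhead, but a missing or
# modified event invalidates the whole block it belongs to, so detection
# gets coarser as the block grows.
[firewall]
homePath   = $SPLUNK_DB/firewall/db
coldPath   = $SPLUNK_DB/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
blockSignSize = 100
```

Only events indexed after the setting takes effect are covered; data already in the index is not signed retroactively, so plan the change before onboarding the sources whose integrity matters.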
To verify data that has been digitally signed:
1. Click the down arrow next to the event in any search window.
2. Select Show Source.
Splunk displays all of the source data for the block containing that event. The top of the Show Source page shows a message indicating whether the source data was validated. No message is displayed if data signing is disabled.
Note: Enabling data signing decreases overall search and indexing performance.
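The two checks described under "Audit event signing" and "IT data signing" above, modelled over constructed records as an added example; this is not Splunk's code, and the record layouts are not the format of Splunk's _audit index or of its signed blocks. Splunk signs with a public/private key pair; here an HMAC-SHA256 keyed hash stands in for that signature so the example runs offline with no key files. The key, the audit events and the syslog-style lines are all constructed.

```python
"""Added example (not Splunk's code): a minimal model of the integrity checks
that audit event signing and IT data signing make possible.

HMAC-SHA256 with a shared key stands in for Splunk's public/private key
signature. Record layouts are constructed and are not Splunk's formats.
"""
import hashlib
import hmac

KEY = b"constructed-example-key"  # stand-in for the signing key


def sign(material, key=KEY):
    """Keyed hash over the given bytes (stand-in for Splunk's signature)."""
    return hmac.new(key, material, hashlib.sha256).hexdigest()


# ---- Audit event signing: the sequence ID and timestamp are signed ----------

def make_audit_event(seq, timestamp, user, action, key=KEY):
    """Constructed audit record. As the page describes, the signature covers
    the sequence ID and the timestamp."""
    return {"seq": seq, "timestamp": timestamp, "user": user, "action": action,
            "sig": sign(f"{seq}|{timestamp}".encode(), key)}


def check_audit_trail(events, key=KEY):
    """Return (missing_seqs, bad_sig_seqs).

    A gap in the sequence numbers means audit events were deleted; a
    signature mismatch means seq or timestamp was altered after signing.
    """
    if not events:
        return [], []
    present = {e["seq"] for e in events}
    missing = [s for s in range(min(present), max(present) + 1) if s not in present]
    bad = sorted(e["seq"] for e in events
                 if not hmac.compare_digest(
                     e["sig"], sign(f"{e['seq']}|{e['timestamp']}".encode(), key)))
    return missing, bad


# ---- IT data signing: blocks of blockSignSize events are signed --------------

def sign_blocks(raw_events, block_size, key=KEY):
    """Group raw event lines into blocks of block_size and sign each block,
    a model of what blockSignSize controls. Larger blocks mean fewer
    signatures but coarser detection."""
    if block_size <= 0:
        raise ValueError("block_size must be > 0 (0 disables signing)")
    blocks = []
    for i in range(0, len(raw_events), block_size):
        chunk = list(raw_events[i:i + block_size])
        blocks.append({"events": chunk, "sig": sign("\n".join(chunk).encode(), key)})
    return blocks


def verify_blocks(blocks, key=KEY):
    """Return indexes of blocks whose contents no longer match their
    signature: one changed or deleted line fails the whole block."""
    return [i for i, b in enumerate(blocks)
            if not hmac.compare_digest(
                b["sig"], sign("\n".join(b["events"]).encode(), key))]


def demo():
    """Constructed tampering scenarios; returns what each check reports."""
    # Six signed audit events; an attacker then deletes seq 4 and backdates seq 5.
    trail = [make_audit_event(i, f"2014-01-17T10:00:0{i}", "admin", "search")
             for i in range(1, 7)]
    tampered = [dict(e) for e in trail if e["seq"] != 4]
    tampered[3]["timestamp"] = "2014-01-17T09:59:59"  # index 3 is seq 5 now
    missing, bad = check_audit_trail(tampered)

    # Ten constructed syslog-style lines signed with blockSignSize=4,
    # then one line inside the second block is rewritten.
    lines = [f"Jan 17 10:00:{i:02d} host1 sshd[100{i}]: Accepted publickey for user{i}"
             for i in range(10)]
    blocks = sign_blocks(lines, 4)
    blocks[1]["events"][2] = "Jan 17 10:00:06 host1 sshd[1006]: Failed password for root"
    return {"missing": missing, "bad_sigs": bad,
            "bad_blocks": verify_blocks(blocks), "block_count": len(blocks)}


if __name__ == "__main__":
    print(demo())  # {'missing': [4], 'bad_sigs': [5], 'bad_blocks': [1], 'block_count': 3}
```

The two checks are independent: the gap check needs no key at all, so a search over sequence numbers can run anywhere the audit events are readable, while the signature and block checks need the verification key. Note what the block model shows about blockSignSize: the rewritten line is only located to block 1, not to a specific event, which is the granularity trade-off the page's note on block size refers to.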
Data masking
Some data sources provide IT data that contains sensitive information which should not be available within Splunk, such as passwords, credit card numbers, names, email addresses, or other personally identifiable information. Splunk can replace such values at index time, so that the sensitive data is never written to the index and cannot be seen in search results. See "Anonymize data" in the Splunk documentation for more information.
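A props.conf fragment for index-time masking, added here as an example and not taken from the original page. It assumes the SEDCMD mechanism described under "Anonymize data" in the Splunk documentation (a sed-style s/regex/replacement/flags substitution applied to the raw event before indexing); the app:payments source type and the field layouts it matches are constructed for illustration.

```ini
# $SPLUNK_HOME/etc/system/local/props.conf (added example, not from the page)

# Index-time masking for a constructed source type. Each SEDCMD rewrites the
# raw event before it is written to the index, so the original value never
# reaches disk or search results. The class name after "SEDCMD-" is arbitrary.
[app:payments]
# Keep the first 6 and last 4 digits of a 16-digit card number, mask the rest.
SEDCMD-mask_card = s/\b(\d{6})\d{6}(\d{4})\b/\1XXXXXX\2/g
# Replace everything after "password=" up to the next space.
SEDCMD-mask_password = s/(password=)[^ ]+/\1********/g
```

Because masking is applied at index time, it is irreversible and does not cover data indexed before the setting was added; test each pattern against sample events first, since a regex that is too broad silently destroys evidence you may later need.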
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1