Splunk® Enterprise Security

Administer Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Manage credentials in Splunk Enterprise Security

Use the Credential Management page to store credentials for scripted or modular inputs. Input configurations that reference credentials use the credentials stored in Credential Management. You can store credentials such as usernames and passwords, or certificates used for authentication with third-party systems. Do not use this page to manage certificates used to encrypt server-to-server communications.

Your role must have the appropriate capabilities to add, modify, and view credentials and certificates. See Configure users and roles in the Installation and Upgrade Manual.

Add a new credential for an input

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. Click New Credential to add a new user credential.
  3. Type a Username.
  4. (Optional) Type a Realm field to differentiate between multiple credentials that have the same username.
  5. Type the Password for the credential, and type it again in Confirm password.
  6. Select the App for the credential.
  7. Click Save.

Add a new credential for UBA input

Splunk ES uses a specific local UBA username and password authentication to integrate with Splunk User Behavior Analytics.

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. Click New Credential to add a new user credential.
  3. Type a Username of ubaesuser.
  4. Type a Realm of uba.
  5. Type the same Password for the credential that is used in UBA for this user, and type it again in Confirm password.
  6. Select the App of SA-UEBA for the credential.
  7. Click Save.

For the integration to work correctly, this user needs to exist in both UBA and Splunk ES. If the password for this user needs to be changed, it needs to be the same in both places.

Edit an existing input credential

You can edit passwords of existing input credentials.

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. In the Action column of a credential, click Edit.
  3. Type a new Password for the credential, and type it again in Confirm password.
  4. Click Save.

Add a new certificate

You cannot add a new certificate using Credential Management on a search head cluster (SHC). To add a new certificate to Splunk Enterprise Security on a SHC, add the certificate to $SPLUNK_HOME/etc/shcluster/apps/<app_name>/auth on the deployer and deploy the certificate to the SHC members.

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. Click New Certificate to add a new certificate.
  3. Type a File name for the certificate. This is the file name that the certificate is saved as in the $SPLUNK_HOME/etc/apps/<app_name>/auth directory.
  4. Add Certificate text for the certificate. Paste the contents of an existing certificate file here to add the certificate to Splunk Enterprise Security.
  5. Select an App to save the certificate in.
  6. Click Save.

Edit an existing certificate

You can edit the certificate text of existing certificates in Credential Management. You cannot edit certificates on a search head cluster.

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. In the Action column of a certificate, click Edit.
  3. Type a new Certificate text for the certificate.
  4. Click Save.

Delete an existing input credential or certificate

You cannot delete certificates on a search head cluster.

  1. On the Enterprise Security menu bar, select Configure > General > Credential Management.
  2. In the Action column of a credential or certificate, click Delete.
  3. Click OK to confirm.
Last modified on 22 November, 2021
Configure general settings for Splunk Enterprise Security   Manage permissions in Splunk Enterprise Security

This documentation applies to the following versions of Splunk® Enterprise Security: 6.1.0, 6.1.1, 6.2.0, 6.3.0 Cloud only, 6.4.0, 6.4.1, 6.5.0 Cloud only, 6.5.1 Cloud only, 6.6.0, 6.6.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters