Splunk Cloud Platform

Securing Splunk Cloud Platform


SPL safeguards for risky commands

The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be a security risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.

In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.

This warning alerts you to the possibility of unauthorized actions by a malicious user. Unauthorized actions include:

  • Copying or transferring data, a practice known as data exfiltration
  • Deleting data
  • Overwriting data

A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.

A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard which runs the searches with the risky commands.

Commands that trigger SPL safeguards

Here is the list of search commands that Splunk classifies as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data unexpectedly by running the commands.

  • collect
  • dump
  • delete
  • input
  • outputcsv
  • outputlookup
  • run
  • runshellscript
  • script
  • sendalert
  • sendemail
  • tscollect

On Splunk Cloud Platform only, new capabilities can limit access to some custom and potentially risky commands

In versions 8.2.2107 and higher of Splunk Cloud Platform only, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but if you use a user that does not hold one of these roles either directly or through a role inheritance, you must assign the capabilities to roles that the user does hold. The following table shows the new capabilities and the actions that they grant:

New capability       What it lets you do
run_sendalert        Lets users run the sendalert command
run_dump             Lets users run the dump command
run_custom_command   Lets users run any custom command

For the full list of capabilities, see Define roles on the Splunk platform with capabilities.

Actions in the warning dialog box

Instead of running the search immediately, the Splunk platform analyzes the search or dashboard for risky commands. If the platform identifies one or more risky commands in a search, a warning dialog box appears. If the platform identifies one or more risky commands in a dashboard, the warning appears automatically, or you must click the error icon to invoke the dialog box.

Search

With the Search warning dialog box, you have the option to cancel, run, or investigate the search.

Cancel
Closes the warning dialog box. The search does not run and Splunk Web removes the search from the Search bar. If you close the dialog box by clicking the Close button (X), it is the same action as clicking Cancel.
Run
Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
Investigate
Displays the search in the Search bar so that you can review the SPL. Use this option to copy the syntax of the search. Send a copy of the search, along with any information about the source of the link, to your system administrator.

Dashboards

The Dashboards warning dialog box prompts you to accept or reject the risk of running the query with the risky command. The workflow of the dialog box depends on what dashboard component connects to the search that triggers the safeguard.

  • Inputs and visualizations with risky commands do not run automatically. You must click the error icon to invoke the warning dialog box and run the search.
  • Risky searches that are not associated with inputs or visualizations will automatically display the warning dialog box.

With the Dashboards warning dialog box, you have the option to cancel or run the search.

Cancel
Closes the warning dialog box. The search does not run.
Run Query Anyway
Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.

Risky chained searches

If the Splunk platform identifies a risky command within a chained search, you must resolve each chained search that extends the risky command, even if only one of the searches within the chain contains a risk.

For example, a chain search has a safe base search, and one of its two chained searches is risky:

base search + risky chain search 1 + chain search 2

Although only risky chain search 1 poses a risk, chain search 2 also triggers a warning dialog box because it extends the risk of risky chain search 1. In this scenario, you can safely run chain search 2 to reach the warning dialog box for risky chain search 1 and decide to run or cancel risky chain search 1.

For more details about chained searches, see Create a chain search.

Deactivate SPL safeguards on Splunk Enterprise only

On Splunk Enterprise only, you can disable SPL safeguards if you have write permissions to the instance. The web.conf configuration file controls whether or not the safeguards are active. You can edit this file to disable the risky SPL command warning dialog box. You can turn off the warning for a specific command, or for all of the risky commands.

If you use Splunk Cloud Platform, contact your Splunk account representative to help with making updates to the web.conf configuration file. It is not possible to use Splunk Web to disable SPL safeguards.

Disable safeguards for a specific command

  1. Use a text editor to open the commands.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
  2. Find the is_risky command within the file and copy the is_risky setting stanza.
  3. Open the $SPLUNK_HOME/etc/system/local directory and open the commands.conf configuration file for editing. If this file does not exist, create it.
  4. Paste the is_risky setting stanza into $SPLUNK_HOME/etc/system/local/commands.conf.
  5. Change the is_risky setting for the command from true to false.
  6. Save the commands.conf configuration file and close it.
  7. Restart Splunk Enterprise.

Disable safeguards for all commands

  1. Use a text editor to open the web.conf configuration file located in the $SPLUNK_HOME/etc/system/default directory.
  2. Find the command check settings within the web.conf configuration file and copy the setting stanza.
    1. For the Search page, find the enable_risky_command_check setting stanza.
    2. For dashboards, find the enable_risky_command_check_dashboard setting stanza.
  3. Locate and open the $SPLUNK_HOME/etc/system/local/web.conf configuration file. If this file does not exist, create it.
  4. Paste the copied setting stanza into the $SPLUNK_HOME/etc/system/local/web.conf file.
  5. Change the enable_risky_command_check or enable_risky_command_check_dashboard setting values from true to false:
    1. For the Search page, setting the value to false disables SPL safeguards for all searches in the deployment. If you've set the Search page to false, and dashboards remain true, SPL safeguards are still active on the dashboards but are not active on the Search page.
    2. For dashboards, setting the value to false turns off the warning for all dashboards in the deployment. If you've set dashboards to false, and the Search page remains true, SPL safeguards are still active on the Search page but are not active on the dashboards.
  6. Save the web.conf file and close it.
  7. Restart Splunk Enterprise.
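Because both procedures above work by layering a copied stanza in $SPLUNK_HOME/etc/system/local over the shipped default, an administrator reviewing a deployment wants to know which safeguards the local layer has actually switched off. The following added example (not Splunk's own code) parses constructed excerpts of commands.conf and web.conf, applies the local overrides on top of the defaults, and reports any risky command whose is_risky was set to false and any enable_risky_command_check setting that is no longer true.

```python
# Added example, not from the Splunk docs: audit the layered commands.conf and
# web.conf settings that control SPL safeguards. File contents are constructed;
# the default/local layering mirrors the procedure above (local overrides default).
def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (comments skipped)."""
    conf, stanza = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            conf.setdefault(stanza, {})
        elif "=" in line and stanza is not None:
            key, _, value = line.partition("=")
            conf[stanza][key.strip()] = value.strip()
    return conf

def merge_layers(default_text, local_text):
    """Apply etc/system/local overrides on top of etc/system/default."""
    merged = parse_conf(default_text)
    for stanza, settings in parse_conf(local_text).items():
        merged.setdefault(stanza, {}).update(settings)
    return merged

def audit_safeguards(commands_default, commands_local, web_default, web_local):
    """Return (commands whose is_risky was switched off, disabled web.conf checks)."""
    commands = merge_layers(commands_default, commands_local)
    web = merge_layers(web_default, web_local).get("settings", {})
    unflagged = sorted(name for name, s in commands.items()
                       if s.get("is_risky", "").lower() == "false")
    disabled = sorted(key for key in ("enable_risky_command_check",
                                      "enable_risky_command_check_dashboard")
                      if web.get(key, "true").lower() != "true")
    return unflagged, disabled

# Constructed excerpts: shipped defaults, plus a local commands.conf where an
# admin pasted the outputcsv stanza and set is_risky to false, and a local
# web.conf that turns off only the dashboard check.
COMMANDS_DEFAULT = "[collect]\nis_risky = true\n[outputcsv]\nis_risky = true\n"
COMMANDS_LOCAL = "[outputcsv]\nis_risky = false\n"
WEB_DEFAULT = ("[settings]\nenable_risky_command_check = true\n"
               "enable_risky_command_check_dashboard = true\n")
WEB_LOCAL = "[settings]\nenable_risky_command_check_dashboard = false\n"
if __name__ == "__main__":
    unflagged, disabled = audit_safeguards(COMMANDS_DEFAULT, COMMANDS_LOCAL,
                                           WEB_DEFAULT, WEB_LOCAL)
    print("commands with safeguard off:", unflagged)   # ['outputcsv']
    print("web.conf checks disabled:", disabled)       # ['enable_risky_command_check_dashboard']
```

Point the same functions at the real files under $SPLUNK_HOME/etc/system/default and $SPLUNK_HOME/etc/system/local to check a live Splunk Enterprise instance; an empty result means every shipped safeguard is still in force.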

See also

In the Admin Manual:

About configuration files
The commands.conf configuration file specification
The web.conf configuration file specification
How to edit a configuration file
Last modified on 07 December, 2021

This documentation applies to the following versions of Splunk Cloud Platform: 8.2.2107 (latest FedRAMP release), 8.2.2109, 8.2.2111

