SPL safeguards for risky commands
The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be either a security or a performance risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.
In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.
This warning alerts you to the possibility of either a significant impact to performance or unauthorized actions by a malicious user. Unauthorized actions include:
- Copying or transferring data, a practice known as data exfiltration
- Deleting data
- Overwriting data
A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.
A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard which runs the searches with the risky commands.
Some search commands do not pose security risks, but Splunk includes them in the list of risky commands because of their impact on performance. The rules are the same. When a search contains the risky command, the Splunk platform raises a warning to advise of the potential performance effects of the command.
Commands that trigger SPL safeguards
Here is the list of search commands in that are classified as risky. Splunk considers these commands risky because, if used incorrectly, they can pose a security risk or you can potentially lose data by running the commands.
collect
delete
dump
map
mcollect
meventcollect
outputcsv
outputlookup
run
runshellscript
script
sendalert
sendemail
tscollect
New capabilities can limit access to some custom and potentially risky commands
In versions 8.2.2107 and higher of Splunk Cloud Platform and 9.0.0 and higher of Splunk Enterprise, new capabilities have been added that, in certain cases, you must grant explicitly to be able to run custom and potentially risky commands. The "user" and "power" roles receive the capabilities automatically, but if you are a user that does not hold one of these roles either directly or through a role inheritance, you must assign the capabilities to roles that the user does hold. The following table shows the new capabilities and the actions that they grant:
Capability | What it lets you do |
---|---|
run_sendalert | Lets users run the sendalert command
|
run_dump | Lets users run the dump command
|
run_custom_command | Lets users run any custom search command. For more information on custom commands, see Create custom search commands for apps in Splunk Cloud Platform or Splunk Enterprise on the Splunk Developer Portal. |
For the full list of capabilities, see Define roles on the Splunk platform with capabilities.
Actions in the warning dialog box
Instead of running the search immediately, the Splunk platform analyzes the search or dashboard for risky commands. If the platform identifies one or more risky commands in a search, a warning dialog box appears. If the platform identifies one or more risky commands in a dashboard, the warning appears automatically, or you must click the error icon to invoke the dialog box.
Search
With the Search warning dialog box, you have the option to cancel, run, or investigate the search.
- Cancel
- Closes the warning dialog box. The search does not run and Splunk Web removes the search from the Search bar. If you close the dialog box by clicking the Close button (X), it is the same action as clicking Cancel.
- Run
- Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
- Investigate
- Displays the search in the Search bar so that you can review the SPL. Use this option to copy the syntax of the search. Send a copy of the search, along with any information about the source of the link, to your system administrator.
Dashboards
The Dashboards warning dialog box prompts you to accept or reject the risk of running the query with the risky command. The workflow of the dialog box depends on what dashboard component connects to the search that triggers the safeguard.
- Inputs and visualizations with risky commands do not run automatically. You must click the error icon to invoke the warning modal to run the search.
- Risky searches that are not associated with inputs or visualizations will automatically display the warning dialog box.
With the Dashboards warning dialog box, you have the option to cancel or run the search.
- Cancel
- Closes the warning dialog box. The search does not run.
- Run Query Anyway
- Runs the search. The Splunk platform runs any risky commands in the search because you authorized it. You can't undo this action.
Risky chained searches
If the Splunk platform identifies a risky command within a chained search, you must resolve each chained search that extends the risky command, even if only one of the searches within the chain contains a risk.
For example, a chain search has a safe base search, but one risky search out of two:
base search
+ risky chain search 1
+ chain search 2
Although only risky chain search 1
poses a risk, chain search 2
also triggers a warning dialog box because it extends the risk of risky chain search 1
. In this scenario, you can safely run chain search 2
to reach the warning dialog box for risky chain search 1
and decide to run or cancel risky chain search 1
.
For more details about chained searches, see Create a chain search.
Deactivate SPL safeguards
You can deactivate SPL safeguards, if necessary, to prevent the "risky search" warning from appearing when you run searches that the Splunk Platform classifies as risky. When you deactivate SPL safeguards, the Splunk platform runs searches that contain risky commands and does not alert you to the fact that the commands in the search are risky. This can potentially cause problems with search performance. You can turn off the warning for a specific command, or for all of the risky commands.
Deactivate SPL safeguards on Splunk Cloud Platform
On Splunk Cloud Platform, if you want to deactivate SPL safeguards, use the Splunk Support portal to open a support case.
Deactivate SPL safeguards on Splunk Enterprise
On Splunk Enterprise only, you can disable SPL safeguards by modifying configuration files. The web.conf and commands.conf configuration files control whether or not the safeguards are active. You can edit these files to disable the risky SPL command warning dialog box. The configuration file that you use depends on the type of command for which you want to disable safeguards.
It is not possible to use Splunk Web to disable SPL safeguards.
Deactivate SPL safeguards on Splunk Enterprise for all commands
Use the following procedure when you want to disable SPL safeguards entirely.
- Use a text editor to open the web.conf configuration file located in the
$SPLUNK_HOME/etc/system/default
directory. - Find the command check settings within the web.conf configuration file and copy the setting stanza.
- For the Search page, find the
enable_risky_command_check
setting stanza. - For dashboards, find the
enable_risky_command_check_dashboard
setting stanza.
- For the Search page, find the
- Locate and open the
$SPLUNK_HOME/etc/system/local/web.conf
configuration file. If this file does not exist, create it. - If you had to create the configuration file in the previous step, add the
[settings]
stanza header as the first line of the file. - Paste the copied setting stanza into the
$SPLUNK_HOME/etc/system/local/web.conf
file. - Change the
enable_risky_command_check
orenable_risky_command_check_dashboard
setting values fromtrue
tofalse
:- For the Search page, setting the value to
false
disables SPL safeguards for all searches in the deployment. If you've set the Search page tofalse
, and dashboards remaintrue
, SPL safeguards are still active on the dashboards but are not active on the Search page. - For dashboards, setting the value to
false
turns off the warning for all dashboards in the deployment. If you've set dashboards tofalse
, and the Search page remainstrue
, SPL safeguards are still active on the Search page but are not active on the dashboards.
- For the Search page, setting the value to
- Save the
web.conf
file and close it. - Restart Splunk Enterprise.
Deactivate SPL safeguards on Splunk Enterprise for a specific built-in command
If you have to disable SPL safeguards, it is more secure to turn off the warnings for a subset of commands than it is for all commands.
Use this procedure when you want to disable SPL safeguards for one or more specific built-in commands. For commands that Splunk has designated as risky, this is the only option to deactivate the built-in commands individually.
You can deactivate built-in commands either in the global context, or within the context of an app.
- Open the $SPLUNK_HOME/etc/system/local/commands.conf configuration file for editing. If this file does not exist, create it.
- Add a stanza for the command for which you want to deactivate SPL safeguards.
- On the next line beneath this stanza, add the line
is_risky = false
. For example, if you wanted to disable SPL safeguards for theoutputlookup
file, your entry looks like the following:
[outputlookup] is_risky = false
- Save the commands.conf configuration file and close it.
- Restart Splunk Enterprise.
Deactivate SPL safeguards on Splunk Enterprise for a custom command that uses Python
Some custom search commands use the Python language to complete their tasks, and usually exist within the context of an app. These custom commands use a slightly different process to disable SPL safeguards.
- Open the $SPLUNK_HOME/etc/apps/<app name>/local/commands.conf configuration file for editing. If this file does not exist, create it.
- Add a stanza for the command for which you want to deactivate SPL safeguards.
- On the next line beneath this stanza, add the line
is_risky = false
. For example, if you wanted to disable SPL safeguards for therunshellscript
file, your entry looks like the following:
[runshellscript] is_risky = false
- Save the commands.conf configuration file and close it.
- Restart Splunk Enterprise.
See also
In the Splunk Enterprise Admin Manual:
Turning off Splunk platform role-based field filtering | Troubleshoot Splunk forwarder TCP tokens |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 9.0.2208, 8.2.2203, 9.0.2205, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)
Feedback submitted, thanks!