Splunk Cloud is a cloud-hosted security information and event management (SIEM) and observability platform used by enterprises to collect, index, search, and analyze machine-generated data at scale. Organizations rely on Splunk Cloud for log aggregation, security monitoring, incident response, and compliance reporting.
Misconfigurations in Splunk Cloud — weak authentication, overly permissive roles, unencrypted data transport, disabled audit logging, or insecure HTTP Event Collector (HEC) tokens — can expose sensitive log data, enable unauthorized searches across security-relevant indexes, and undermine the integrity of an organization's security monitoring pipeline. Because Splunk often ingests the most sensitive data in an environment (authentication logs, network flows, endpoint telemetry), a compromised or misconfigured Splunk instance represents an outsized risk.
splunk-sec-inspector is an automated compliance inspection tool that connects to a Splunk Cloud instance via its REST API and Admin Config Service (ACS) API, collects security-relevant configuration data, evaluates it against hardened baselines derived from multiple compliance frameworks, and produces actionable reports with framework-specific control mappings.
2. APIs & SDKs
2.1 Splunk REST API (splunkd)
The core Splunk REST API is served by the splunkd daemon and provides access to all configuration, search, and administrative functions. Base URL: https://<instance>.splunkcloud.com:8089.
Authentication & Authorization Endpoints
Endpoint
Method
Purpose
/services/auth/login
POST
Obtain session key via username/password
/services/authentication/users
GET
List all local and LDAP/SAML-mapped users
/services/authentication/users/{name}
GET
Get individual user details (roles, type, email)
/services/authentication/providers/SAML
GET
SAML identity provider configuration
/services/authentication/providers/LDAP
GET
LDAP provider configuration
/services/authorization/roles
GET
List all roles and their capabilities
/services/authorization/roles/{name}
GET
Get role details (imported roles, capabilities, search filters)
The ACS API provides cloud-specific administrative functions not available via the standard REST API. Base URL: https://admin.splunk.com/{stack}/adminconfig/v2.
Endpoint
Method
Purpose
/access/{feature}/ipallowlists
GET
IPv4 IP allow list per feature (search-api, hec, s2s, etc.)
/access/{feature}/ipallowlists-v6
GET
IPv6 IP allow list per feature
/tokens
GET
List all authentication tokens
/tokens/{id}
GET/DELETE
Manage individual tokens
/inputs/http-event-collectors
GET
List HEC token configurations
/inputs/http-event-collectors/{name}
GET
Individual HEC token
/indexes
GET
List all indexes
/indexes/{name}
GET
Individual index configuration
/maintenance-windows
GET
Scheduled maintenance windows
/apps/victoria
GET
Installed apps (Victoria Experience)
/apps/victoria/{name}
GET
Individual app details
/limits
GET
limits.conf configuration overrides
/restarts
POST
Restart management
/outbound-ports
GET
Outbound port allow lists
/encryption-keys
GET
Enterprise Managed Encryption Keys (EMEK) status
2.3 SDKs and CLIs
Tool
Language
Package
Notes
splunk-sdk-python
Python
pip install splunk-sdk
Official Splunk Enterprise SDK; provides splunklib with Service, Job, and Entity abstractions
splunk-sdk-go
Go
github.com/splunk/splunk-cloud-sdk-go
Official Splunk Cloud SDK for Go; covers ACS and search APIs
splunk-sdk-javascript
JS/TS
npm install splunk-sdk
Official JavaScript SDK
Splunk CLI
Python
Built-in (splunk binary)
Shipped with Splunk Enterprise; not available for Cloud
Create a token via Splunk Web: Settings > Tokens > New Token. Tokens can be scoped to specific users and have configurable expiration. The token is passed as a Bearer token in the Authorization header.
Authenticate via POST /services/auth/login to obtain a session key. The session key is then passed as the Authorization header for subsequent requests. Session keys expire based on the sessionTimeout setting in web.conf.
The ACS API requires a JSON Web Token (JWT) generated from the Splunk Cloud Platform UI or via the ACS token endpoint. The sc_admin role is required. Tokens are passed as Bearer tokens against https://admin.splunk.com/{stack}/adminconfig/v2/.
3.4 SAML SSO
When SAML is configured, API access typically still uses tokens or service accounts. The inspector checks whether SAML is the enforced authentication method and evaluates the SAML IdP configuration.
3.5 Environment Variables (splunk-sec-inspector)
Variable
Required
Description
SPLUNK_URL
Yes
Base URL of Splunk instance (e.g., https://org.splunkcloud.com:8089)
SPLUNK_TOKEN
Yes*
Splunk authentication token (Bearer)
SPLUNK_USERNAME
Alt*
Username for session-key auth
SPLUNK_PASSWORD
Alt*
Password for session-key auth
SPLUNK_STACK
Optional
Stack name for ACS API access
SPLUNK_ACS_TOKEN
Optional
JWT for ACS API (defaults to SPLUNK_TOKEN)
SPLUNK_VERIFY_SSL
Optional
Set false to skip TLS verification (not recommended)
*Either SPLUNK_TOKEN or both SPLUNK_USERNAME/SPLUNK_PASSWORD are required.
4. Security Controls
Authentication & Identity
#
Control
Severity
What Is Checked
1
Authentication Method Enforcement
Critical
Verify SAML or LDAP is configured as the primary authentication method; local authentication should be disabled or restricted to break-glass accounts only
2
Password Policy Compliance
High
Check minPasswordLength, minPasswordUppercase, minPasswordLowercase, minPasswordDigit, minPasswordSpecial, expirePasswordDays, forceWeakPasswordChange in authentication.conf
3
Multi-Factor Authentication
Critical
Verify MFA/Duo/RSA integration is enabled via /services/admin/Rsa-MFA or SAML IdP MFA enforcement
4
Session Timeout Configuration
Medium
Validate sessionTimeout in web.conf is set to organizational policy (e.g., 60 minutes or less); check tools.sessions.timeout
5
Concurrent Session Limits
Medium
Check whether concurrent session controls are enforced; verify max sessions per user
6
Authentication Token Hygiene
High
Enumerate all tokens; flag tokens with no expiration, tokens older than 90 days, tokens assigned to disabled users, and ephemeral vs. persistent token ratios
Authorization & Access Control
#
Control
Severity
What Is Checked
7
Role-Based Access Control (RBAC)
Critical
Audit all roles; flag roles with admin_all_objects, delete_by_keyword, edit_tcp, edit_user, or other high-risk capabilities; check for least-privilege adherence
8
Admin Role Minimization
High
Count users with admin or sc_admin roles; flag if more than 3 users have full admin access
9
Search Head Access Controls
High
Validate srchFilter, srchIndexesAllowed, srchIndexesDefault on each role to ensure users cannot search beyond their authorized indexes
10
Index Access Control
High
Verify each role's srchIndexesAllowed and importRoles restrict access to only necessary indexes; flag roles with access to _audit or _internal
11
Knowledge Object Permissions
Medium
Audit saved searches, dashboards, reports, and lookups for sharing=global with write permissions; flag objects shared with all roles that modify system state
12
User Capabilities Audit
High
Enumerate all capabilities granted to each role; flag overly permissive capability assignments especially run_commands_on_forwarder, edit_server, change_authentication
Data Protection & Encryption
#
Control
Severity
What Is Checked
13
TLS/SSL Configuration
Critical
Verify enableSplunkdSSL=true in server.conf; check sslVersions, cipherSuite, requireClientCert for all listeners; flag TLS < 1.2
14
Data Encryption at Rest
High
Check index encryption settings; verify EMEK (Enterprise Managed Encryption Keys) status via ACS API if applicable
15
Forwarding Encryption
High
Validate that all forwarder-to-indexer communication uses TLS; check data/inputs/tcp/ssl settings and outputs.conf for sslPassword, sslCertPath
16
HEC Token Security
High
Audit all HEC tokens: flag tokens with useACK=false, tokens bound to permissive indexes, tokens without sourcetype restrictions, disabled SSL on HEC port
Audit & Monitoring
#
Control
Severity
What Is Checked
17
Audit Logging Enabled
Critical
Verify _audit index is active; check that auditTrail is enabled in audit.conf; validate audit events include authentication, search, and configuration changes
18
Audit Log Integrity
High
Check that _audit index has restricted write access; verify no roles can delete audit events (delete_by_keyword capability on _audit)
Network & Platform Security
#
Control
Severity
What Is Checked
19
IP Allow Listing
High
Via ACS API, verify IP allow lists are configured for search-api, hec, s2s, and search-ui features; flag if any feature has no IP restrictions
20
App Installation Restrictions
Medium
Audit installed apps; flag third-party apps not from Splunkbase; check if app installation is restricted to admins only
21
KV Store Access Controls
Medium
Verify KV Store collections have appropriate ACLs; flag collections with global read/write access
22
Saved Search Permissions
Medium
Audit saved searches that run as owner with elevated privileges; flag scheduled searches that run across all indexes or with dispatch.earliest_time=-0s
23
Splunk-to-Splunk (S2S) Port Security
High
Verify S2S receiving ports require TLS and certificate-based authentication; flag unencrypted S2S listeners
5. Compliance Framework Mappings
#
Control
FedRAMP (800-53 r5)
CMMC 2.0
SOC 2 (TSC)
CIS Splunk Benchmark
PCI-DSS 4.0
DISA STIG
IRAP (ISM)
ISMAP
1
Authentication Method Enforcement
IA-2, IA-8
AC.L2-3.1.1
CC6.1
4.1
8.3.1
SRG-APP-000148
ISM-1557
5.1.1
2
Password Policy Compliance
IA-5(1)
IA.L2-3.5.7
CC6.1
4.2
8.3.6
SRG-APP-000166
ISM-0421
5.1.2
3
Multi-Factor Authentication
IA-2(1), IA-2(2)
IA.L2-3.5.3
CC6.1
4.3
8.4.2
SRG-APP-000149
ISM-1401
5.1.3
4
Session Timeout Configuration
AC-12
AC.L2-3.1.10
CC6.1
4.5
8.2.8
SRG-APP-000295
ISM-1164
5.1.4
5
Concurrent Session Limits
AC-10
AC.L2-3.1.11
CC6.1
4.6
8.2.7
SRG-APP-000190
ISM-1380
5.1.5
6
Authentication Token Hygiene
IA-5(13), SC-12
IA.L2-3.5.10
CC6.1, CC6.6
4.7
8.6.3
SRG-APP-000175
ISM-1590
5.1.6
7
Role-Based Access Control
AC-3, AC-6
AC.L2-3.1.5
CC6.3
5.1
7.2.1
SRG-APP-000033
ISM-1508
5.2.1
8
Admin Role Minimization
AC-6(5)
AC.L2-3.1.6
CC6.3
5.2
7.2.2
SRG-APP-000340
ISM-1509
5.2.2
9
Search Head Access Controls
AC-3(7)
AC.L2-3.1.3
CC6.1, CC6.3
5.3
7.2.3
SRG-APP-000328
ISM-0405
5.2.3
10
Index Access Control
AC-3, AC-6(1)
AC.L2-3.1.4
CC6.3
5.4
7.2.4
SRG-APP-000340
ISM-1510
5.2.4
11
Knowledge Object Permissions
AC-3, AC-6
AC.L2-3.1.5
CC6.3, CC6.8
5.5
7.2.5
SRG-APP-000033
ISM-0405
5.2.5
12
User Capabilities Audit
AC-6(10)
AC.L2-3.1.7
CC6.3
5.6
7.2.6
SRG-APP-000342
ISM-1511
5.2.6
13
TLS/SSL Configuration
SC-8, SC-8(1)
SC.L2-3.13.8
CC6.1, CC6.7
6.1
4.2.1
SRG-APP-000439
ISM-1139
5.3.1
14
Data Encryption at Rest
SC-28, SC-28(1)
SC.L2-3.13.16
CC6.1, CC6.7
6.2
3.5.1
SRG-APP-000429
ISM-1080
5.3.2
15
Forwarding Encryption
SC-8, SC-8(1)
SC.L2-3.13.8
CC6.7
6.3
4.2.1
SRG-APP-000442
ISM-1139
5.3.3
16
HEC Token Security
IA-5, SC-8
SC.L2-3.13.8
CC6.6
6.4
8.6.2
SRG-APP-000175
ISM-1590
5.3.4
17
Audit Logging Enabled
AU-2, AU-3, AU-12
AU.L2-3.3.1
CC7.2, CC7.3
7.1
10.2.1
SRG-APP-000095
ISM-0580
5.4.1
18
Audit Log Integrity
AU-9, AU-9(4)
AU.L2-3.3.8
CC7.2
7.2
10.3.2
SRG-APP-000119
ISM-0859
5.4.2
19
IP Allow Listing
SC-7, AC-17
SC.L2-3.13.1
CC6.1, CC6.6
8.1
1.3.1
SRG-APP-000142
ISM-1416
5.5.1
20
App Installation Restrictions
CM-7(5), CM-11
CM.L2-3.4.8
CC6.8, CC8.1
8.2
6.3.2
SRG-APP-000386
ISM-1490
5.5.2
21
KV Store Access Controls
AC-3
AC.L2-3.1.3
CC6.3
8.3
7.2.1
SRG-APP-000033
ISM-0405
5.5.3
22
Saved Search Permissions
AC-3, AC-6
AC.L2-3.1.5
CC6.3, CC6.8
5.7
7.2.5
SRG-APP-000033
ISM-0405
5.2.7
23
S2S Port Security
SC-8(1), SC-23
SC.L2-3.13.8
CC6.7
6.5
4.2.1
SRG-APP-000439
ISM-1139
5.3.5
6. Existing Tools
Tool
Type
Relevance
Splunk Security Essentials (SSE)
Splunk App
Splunk-developed app providing security use case library, data source onboarding guides, and mapping to MITRE ATT&CK, NIST, CIS, and Kill Chain frameworks
CIS Splunk Enterprise Benchmark
PDF/Benchmark
Center for Internet Security benchmark for hardening Splunk Enterprise deployments; covers authentication, authorization, encryption, and logging controls
Splunk App for PCI Compliance
Splunk App
Provides PCI DSS reporting dashboards and compliance monitoring within Splunk
SA-CIM_Validator
Splunk App
Validates data model compliance against the Common Information Model
Splunk SOAR (Phantom)
Platform
Security orchestration platform with playbooks for automated response; complementary but not a configuration auditor
splunk-ansible
Ansible Roles
splunk/splunk-ansible GitHub project for automated Splunk deployment with hardened configurations
Prowler
CLI Tool
Multi-cloud security assessment tool; includes some Splunk-related checks when Splunk is the SIEM target
splunk-cloud-auth
Python Library
splunk/splunk-cloud-auth for programmatic authentication to Splunk Cloud services
7. Architecture
The project is written in Go and mirrors the modular architecture of okta-inspector.