# Splunk Enterprise

## Overview

The Veza Splunk Enterprise integration provides visibility into access management and authorization within your Splunk Enterprise deployments.

The integration connects to your Splunk environment to discover users, roles, and groups, helping security teams understand who has access to Splunk data and analytics capabilities.

Use this integration to:

* Discover and monitor Splunk Enterprise users and their access levels
* Analyze role-based access control (RBAC), including role inheritance and capabilities
* Identify users with elevated privileges and administrative access
* Track LDAP and SAML-federated group memberships
* Monitor user authentication types and account status
* Support automated user lifecycle management for provisioning and access changes

See [Notes and Supported Entities](#notes-and-supported-entities) for more information about the metadata discovered by Veza.

## Prerequisites

{% hint style="info" %}
This integration is designed for **Splunk Enterprise** (on-premises deployments) only. Splunk Cloud is not currently supported.
{% endhint %}

Before configuring the integration, ensure you have:

* Network connectivity from Veza to your Splunk Enterprise instance via:
  * A [deployed Insight Point](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md) in your network (recommended for production)
  * Direct connection using Veza's internal Insight Point (suitable for testing)
* A Splunk Enterprise service account with appropriate permissions (see below)
* Splunk Enterprise connection information:
  * API endpoint URL (typically `https://<hostname>:8089`)
  * Authentication credentials (API token or username/password)
* Splunk Enterprise version 8.1 or higher (tested with version 9.4.1)
* Administrator access to create service accounts and manage roles

{% hint style="warning" %}
Splunk Enterprise 9.0 and higher requires Linux kernel version 3.x or higher if running on Linux. Ensure your Splunk deployment meets minimum version requirements.
{% endhint %}

## Configuring Splunk Enterprise

### Creating the Service Account

Veza requires a service account with read-only access to discover Splunk Enterprise users, roles, and groups. You can authenticate using either an authentication token (recommended) or basic authentication with username and password.

### Option 1: Using Authentication Token (Recommended)

Create an authentication token for the Veza service account:

1. Log in to Splunk Web with an account that has the `admin` role
2. Navigate to **Settings** > **Users and Authentication** > **Tokens**
3. Click **New Token**
4. Configure the token:
   * **User**: Select or create a service account user
   * **Audience**: Leave blank or use default
   * **Expiration**: Set according to your security policy (e.g., 1 year)
   * **Token Name**: Enter a descriptive name like "Veza Integration"
5. Click **Create** and save the generated token securely

**Required Permissions:**

The service account user needs a role with the following capabilities:

| **Capability**   | **Purpose**                                      |
| ---------------- | ------------------------------------------------ |
| `list_all_users` | Read user accounts and attributes                |
| `list_all_roles` | Read role definitions and capabilities           |
| `list_httpauths` | Read LDAP and SAML authentication configurations |
| `rest_apps_view` | Access REST API endpoints for discovery          |

**Creating the Service Account Role:**

```bash
# Create a custom role for Veza with read-only permissions
curl -k -u admin:password https://localhost:8089/services/authorization/roles \
  -d name=veza_readonly \
  -d capabilities=list_all_users \
  -d capabilities=list_all_roles \
  -d capabilities=list_httpauths \
  -d capabilities=rest_apps_view
```

**Assign the Role to User:**

```bash
# Create the service account user: POST to the users collection and pass
# the new name. (POSTing to /users/<name> only updates an existing user.)
# -k skips certificate verification; drop it once the CA certificate is trusted.
curl -k -u admin:password https://localhost:8089/services/authentication/users \
  -d name=veza_service \
  -d password=<secure_password> \
  -d roles=veza_readonly

# To assign the role to a user that already exists, POST to that user's own endpoint:
curl -k -u admin:password https://localhost:8089/services/authentication/users/veza_service \
  -d roles=veza_readonly
```

For detailed information about authentication tokens, see [Splunk Authentication Tokens Documentation](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/UseAuthTokens).

### Option 2: Using Basic Authentication

Create a service account user with basic authentication:

1. Log in to Splunk Web with an account that has the `admin` role
2. Navigate to **Settings** > **Users and Authentication** > **Users**
3. Click **New User**
4. Configure the user:
   * **Name**: `veza_service` (or your preferred username)
   * **Password**: Set a strong password
   * **Full Name**: "Veza Integration Service Account"
   * **Email Address**: Your team's email
   * **Time Zone**: Default
   * **Default App**: Search & Reporting
5. In the **Assign Roles** section, select or create a role with these capabilities:
   * `list_all_users`
   * `list_all_roles`
   * `list_httpauths`
   * `rest_apps_view`
6. Enable **Web service access only** to prevent UI access
7. Click **Save**

Note the username and password for use when configuring the Veza integration.

### SSL Certificate Configuration (Optional)

Self-signed SSL certificates are common in on-premises Splunk Enterprise deployments. If your Splunk Enterprise instance uses a self-signed SSL certificate, you can provide the CA certificate to Veza for secure validation:

1. Export your Splunk server's CA certificate in PEM format
2. When configuring the integration in Veza, upload the CA certificate file
3. Veza will use the certificate to validate the SSL connection

If no CA certificate is provided, Veza will skip SSL verification to allow the connection to proceed.

For production environments, it is strongly recommended to provide the CA certificate to ensure secure, validated connections to your Splunk Enterprise instance.

## Configuring Splunk Enterprise on the Veza Platform

Add the integration in Veza. See [Configuring Integrations](/4yItIzMvkpAvMVFAamTf/integrations/configuration.md) for detailed steps on adding and configuring integrations in the Veza UI.

### Configuration Options

| **Field**          | **Required** | **Notes**                                                                                        |
| ------------------ | ------------ | ------------------------------------------------------------------------------------------------ |
| **Insight Point**  | Yes          | Choose whether to use the default data plane or a deployed Insight Point                         |
| **Name**           | Yes          | A friendly name to identify this integration instance                                            |
| **URL**            | Yes          | Splunk Enterprise API endpoint URL in format `https://<hostname>:8089`                           |
| **Token**          | Conditional  | Authentication token for token-based authentication. Required if username/password not provided. |
| **Username**       | Conditional  | Username for basic authentication. Must be provided with password.                               |
| **Password**       | Conditional  | Password for basic authentication. Must be provided with username.                               |
| **CA Certificate** | No           | Self-signed CA certificate in PEM format for SSL verification (optional)                         |

Provide **either** a **Token** or both a **Username** and **Password**, not both authentication methods. Token-based authentication is recommended for better security and token lifecycle management.

## Lifecycle Management

The Splunk Enterprise integration supports Veza Lifecycle Management for automated user provisioning and access management. See [Lifecycle Management: Splunk Enterprise](/4yItIzMvkpAvMVFAamTf/integrations/integrations/splunk-enterprise/provisioning.md) for configuration details and supported actions.

To enable lifecycle management capabilities, the service account requires additional permissions beyond read-only access. See the lifecycle management documentation for specific permission requirements.

## Notes and Supported Entities

Veza discovers the following entities from Splunk Enterprise:

### Application

The Splunk Enterprise instance itself, with custom properties:

| **Attribute** | **Description**                    |
| ------------- | ---------------------------------- |
| **Host**      | Splunk Enterprise API endpoint URL |

### Users

Splunk Enterprise user accounts, including local users and federated identities from LDAP or SAML.

| **Attribute**     | **Type**     | **Description**                                                          |
| ----------------- | ------------ | ------------------------------------------------------------------------ |
| **Name**          | String       | Username (unique identifier)                                             |
| **Real Name**     | String       | User's full or display name                                              |
| **Email**         | String       | User's email address (if configured)                                     |
| **User Type**     | System Field | System field (always `human` for Splunk users)                           |
| **Is Active**     | System Field | Account status based on locked-out state. `false` if user is locked out. |
| **Last Login At** | Timestamp    | Last successful login timestamp                                          |
| **Updated At**    | Timestamp    | Date and time when the user was last updated                             |
| **Locked Out**    | Boolean      | `true` if the user account is locked out                                 |
| **Auth Type**     | String       | Authentication type: `Splunk` (local), `LDAP`, or `SAML`                 |

**Notes:**

* Users federated from LDAP or SAML include authentication type information
* Email addresses are used for identity federation with other systems in Veza
* Locked-out users are marked as inactive

### Groups

Splunk Enterprise groups from LDAP and SAML authentication providers.

Veza discovers two types of groups:

* **LDAP Groups**: Imported from LDAP authentication configurations
* **SAML Groups**: Imported from SAML authentication configurations

#### Group Attributes

| **Attribute**  | **Type**  | **Description**                                                  |
| -------------- | --------- | ---------------------------------------------------------------- |
| **Name**       | String    | Group name (unique identifier)                                   |
| **Type**       | String    | Group type: `LDAP` or `SAML`                                     |
| **Updated At** | Timestamp | Date and time when the group was last updated                    |
| **Identities** | Array     | For SAML groups, includes the group name for identity federation |

**Notes:**

* **LDAP Groups**: Extract user memberships from Distinguished Names (DN) returned by the Splunk API. For example, a DN like `CN=username,CN=Users,DC=corp,DC=example,DC=com` is parsed to extract the username (`username`) from the first `CN=` field. Users must exist in Splunk Enterprise for the group membership to be established in Veza.
* **SAML Groups**: Support identity federation using group names as identity markers for matching with other systems
* Groups are only discovered if LDAP or SAML authentication is configured in Splunk Enterprise
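As an added illustration of the DN parsing described in the LDAP Groups note (example code, not Veza's own parser), this Python snippet extracts the username from the first `CN=` RDN while honouring RFC 4514 escaping, so a comma inside a value such as `CN=Doe\, John` does not split the DN; a DN without a `CN=` RDN yields `None` so the member can be skipped rather than matched to the wrong user.

```python
# Added example, not Veza's code: extract the username from an LDAP member DN
# as the note above describes (value of the first CN= RDN), escape-aware.
from typing import List, Optional

HEX = "0123456789abcdefABCDEF"

def split_rdns(dn: str) -> List[str]:
    """Split a DN on unescaped commas only. RFC 4514 allows a comma inside a
    value when written as '\\,', so a plain dn.split(',') would break it."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])  # keep the escape pair intact for now
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def unescape(value: str) -> str:
    """Resolve '\\x' (literal next char) and '\\HH' (hex byte) escapes."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in HEX for c in pair):
                out.append(chr(int(pair, 16)))
                i += 3
                continue
            out.append(value[i + 1])
            i += 2
            continue
        out.append(value[i])
        i += 1
    return "".join(out)

def username_from_dn(dn: str) -> Optional[str]:
    """Return the value of the first CN= RDN (attribute type compared
    case-insensitively), or None when the DN carries no CN at all."""
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            return unescape(value.strip())
    return None
```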

**SAML Group Membership Limitation**: Splunk Enterprise does not retain user-to-SAML-group membership data after authentication. Veza can discover SAML groups and their role assignments, but individual user memberships to SAML groups are not available through the Splunk API. This is a Splunk platform limitation. Only LDAP groups include user membership information.

### Roles

Splunk Enterprise roles define collections of capabilities that determine what users can do in the system.

| **Attribute**       | **Type**  | **Description**                                  |
| ------------------- | --------- | ------------------------------------------------ |
| **Name**            | String    | Role name (unique identifier)                    |
| **Updated At**      | Timestamp | Date and time when the role was last updated     |
| **Capabilities**    | Array     | List of Splunk capabilities granted by this role |
| **Inherited Roles** | Array     | Roles that this role inherits capabilities from  |

**Notes:**

* Roles can inherit from one or more other roles using the `imported_roles` configuration, creating a role hierarchy
* The integration processes role inheritance in two passes: first, discovering all roles and their `imported_roles` relationships, then linking child roles to their parent roles
* Each role defines a set of capabilities that map to Veza's effective permissions
* Veza tracks both direct capabilities (defined on the role itself) and inherited capabilities (obtained through the role inheritance chain), providing a complete view of effective permissions for users assigned to roles

### Permissions and Capabilities

Splunk Enterprise uses capabilities to control access to features and data. Veza maps these native capabilities to effective permissions for unified access analysis across systems.

Splunk capabilities are mapped to Veza permission types:

| **Permission Type** | **Example Splunk Capabilities**                                |
| ------------------- | -------------------------------------------------------------- |
| **Data Read**       | `search`, `list_settings`, `get_metadata`                      |
| **Data Write**      | `edit_user`, `edit_roles`, `edit_local_apps`                   |
| **Data Create**     | `edit_user`, `edit_roles`, `install_apps`                      |
| **Data Delete**     | `delete_by_keyword`, `edit_user`, `edit_roles`                 |
| **Metadata Read**   | `list_all_objects`, `list_inputs`, `get_diag`                  |
| **Metadata Write**  | `edit_server`, `edit_search_scheduler`, `accelerate_datamodel` |
| **Metadata Create** | `edit_tokens_all`, `edit_local_apps`, `install_apps`           |
| **Metadata Delete** | `edit_tokens_all`, `delete_by_keyword`, `delete_messages`      |
| **Non-Data**        | `restart_splunkd`, `run_debug_commands`, `never_expire`        |
| **Uncategorized**   | Other capabilities not explicitly mapped                       |

**Example mappings:**

| **Capability**      | **Description**                                    | **Veza Permission Mapping**                                                                                                 |
| ------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
| `admin_all_objects` | Full administrative access to all objects and data | Maps to all 8 permission types (Data Read/Write/Create/Delete, Metadata Read/Write/Create/Delete) - highest privilege level |
| `edit_user`         | Create, modify, and delete user accounts           | Data Read, Metadata Read/Create/Write/Delete                                                                                |
| `edit_roles`        | Create, modify, and delete roles                   | Data Read, Metadata Read/Create/Write/Delete                                                                                |
| `list_all_users`    | View all user accounts in the system               | Metadata Read                                                                                                               |
| `list_all_roles`    | View all roles and their configurations            | Metadata Read                                                                                                               |
| `search`            | Execute searches and access data                   | Data Read, Metadata Read                                                                                                    |

**Permission Mapping Examples:**

* **Broad Administrative Access**: A user with the `admin_all_objects` capability receives all eight Veza permission types, representing complete control over the Splunk Enterprise instance
* **User Management**: A user with `edit_user` capability can read data and create, modify, or delete metadata related to user accounts
* **Read-Only Access**: A user with only `list_all_users` and `search` capabilities can view users and execute searches, but cannot modify any settings or data
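The following added Python example (not Veza's code) walks through both the two-pass role inheritance described under Roles and the capability-to-permission mapping above: it resolves a role's effective capabilities through `imported_roles`, then maps them to permission types using only the mappings stated in the example table, treating every other capability as Uncategorized. The role hierarchy is constructed sample data.

```python
from typing import Dict, List, Optional, Set, Tuple

ALL_TYPES = {"Data Read", "Data Write", "Data Create", "Data Delete",
             "Metadata Read", "Metadata Write", "Metadata Create", "Metadata Delete"}
USER_MGMT = {"Data Read", "Metadata Read", "Metadata Write", "Metadata Create", "Metadata Delete"}
# Added example, not Veza's code: only the mappings from the example table above;
# every other capability is treated as Uncategorized here.
CAPABILITY_MAP: Dict[str, Set[str]] = {
    "admin_all_objects": set(ALL_TYPES),
    "edit_user": set(USER_MGMT), "edit_roles": set(USER_MGMT),
    "list_all_users": {"Metadata Read"}, "list_all_roles": {"Metadata Read"},
    "search": {"Data Read", "Metadata Read"},
}

def effective_capabilities(roles: Dict[str, dict], name: str,
                           _seen: Optional[Set[str]] = None) -> Set[str]:
    """Pass two: 'roles' is the complete map collected in pass one, so every
    imported_roles reference can be followed upward and unioned. _seen stops
    infinite recursion if a hierarchy is accidentally cyclic."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in roles:   # unknown parent: nothing to inherit
        return set()
    _seen.add(name)
    caps = set(roles[name].get("capabilities", []))
    for parent in roles[name].get("imported_roles", []):
        caps |= effective_capabilities(roles, parent, _seen)
    return caps

def permission_types(caps: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Map capabilities to permission types; returns (types, uncategorized)."""
    types: Set[str] = set()
    unknown = {c for c in caps if c not in CAPABILITY_MAP}
    for cap in caps - unknown:
        types |= CAPABILITY_MAP[cap]
    return types, unknown

def user_permissions(roles: Dict[str, dict], assigned: List[str]) -> Tuple[Set[str], Set[str]]:
    """Permission types a user holds across all assigned roles, inheritance included."""
    caps: Set[str] = set()
    for role in assigned:
        caps |= effective_capabilities(roles, role)
    return permission_types(caps)

def is_read_only(types: Set[str]) -> bool:
    """True when the user holds no Write, Create or Delete permission type."""
    return all(t.endswith("Read") for t in types)

# Constructed sample hierarchy; the shape mirrors entries from authorization/roles.
SAMPLE_ROLES = {
    "user":  {"capabilities": ["search"], "imported_roles": []},
    "power": {"capabilities": ["schedule_search"], "imported_roles": ["user"]},
    "admin": {"capabilities": ["admin_all_objects"], "imported_roles": ["power"]},
    "veza_readonly": {"capabilities": ["list_all_users", "list_all_roles",
                                       "list_httpauths", "rest_apps_view"],
                      "imported_roles": []},
}
```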

For a complete list of all Splunk capabilities and their mappings, see [Splunk Capabilities Documentation](https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/Rolesandcapabilities).

## Related Documentation

* [Configuring Integrations](/4yItIzMvkpAvMVFAamTf/integrations/configuration.md)
* [Lifecycle Management: Splunk Enterprise](/4yItIzMvkpAvMVFAamTf/integrations/integrations/splunk-enterprise/provisioning.md)
* [Insight Point Deployment](/4yItIzMvkpAvMVFAamTf/integrations/connectivity/insight-point.md)
