Nailing the Security Audit with RRCU

ConductorOne docs

Set up a Splunk connector

ConductorOne provides identity governance and just-in-time provisioning for Splunk Enterprise. Integrate your Splunk Enterprise server with ConductorOne to run user access reviews (UARs), enable just-in-time access requests, and automatically provision and deprovision access.

Why does this connector look different from most others? This connector leverages the Baton connector for Splunk.

Are you a Splunk Cloud user? This page has instructions for integrating ConductorOne with Splunk Enterprise. If you want to integrate ConductorOne with your Splunk Cloud instance, follow the instructions in the Splunk connector’s README file.

Capabilities

  • Sync user identities from Splunk Enterprise to ConductorOne

  • Resources supported:

    • Deployments
    • Roles
    • Capabilities
    • Applications

Integrate your Splunk Enterprise connector

Before you begin:

  1. Prepare a Splunk Enterprise image for the baton-splunk connector by following the Splunk Enterprise documentation to Deploy and run Splunk Enterprise inside a Docker container. Note that the Splunk Docker image only supports x86_64 CPU architecture.

  2. Make sure that token authentication is enabled for your Splunk Enterprise instance.

Step 1: Generate an API token

Splunk Enterprise authentication tokens inherit the same permission set as the user associated with the token. Make sure that the user associated with the token you create has permission to read all users, roles, deployments, capabilities, and applications for your instance.

If you want to create tokens for yourself, your account must have a role that has the edit_tokens_own capability. If you want to create tokens for another user on the instance (such as a service account), your account must have a role that has the edit_tokens_all capability.

  1. Sign into Splunk Enterprise.

  2. Click Settings and select Tokens from the menu.

  3. If necessary, click Enable Token Authentication.

  4. On the Tokens page, click New Token.

  5. Fill out the form and click Create.

  6. The token is generated. Carefully copy and save the token value. We’ll use it in Step 2.

Step 2: Install baton-splunk

  1. Run the Docker command shown below to install baton-splunk, substituting in the required credentials (see the baton-splunk repo’s README for details).

    SPLUNK_ADMIN_PASSWORD=admin_pass BATON_TOKEN=token BATON_UNSAFE=true docker-compose up

    The instance comes with TLS disabled by default. To bypass validation of TLS certificates, set BATON_UNSAFE environment variable to true or use the --unsafe flag.

    To gain more verbose output, set the BATON_VERBOSE environment variable to true or use the --verbose flag. This mode lists Application and Capability entitlements and grants.

Step 3: Set up the Splunk connector in ConductorOne

This step requires the Connector Administrator or Super Administrator role in ConductorOne.

  1. In ConductorOne, click Connectors > Add connector.

  2. Search for Baton and click Add.

  3. Choose whether to add the Splunk connector to an existing application in ConductorOne (and select the app of your choice) or to create a new Baton application.

    Once the connection is established between Splunk Enterprise and ConductorOne, the new application’s name will automatically change from Baton to Splunk.

  4. Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.

  5. Click Next.

    If you selected someone else as the connector owner, that person will be notified to take over this process from this point.

  6. Find the Settings area of the page and click Edit.

  7. Click Rotate to generate a new set of credentials. Carefully copy the Client ID and Secret. You’ll use them in Step 4.

Step 4: Add credentials to your Splunk connector

  1. On the server where your the Splunk is running, pass in the Client ID and Secret generated in Step 3 by running --client-id <CLIENT ID> --client-secret <SECRET>.

    Run baton-splunk --help to see the list of flags to be used when passing your credentials to the connector.

  2. The connector syncs current data, uploads it to ConductorOne, and prints a Task complete! message when finished.

  3. Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the Splunk connector to. Splunk data should be found on the Resources, Entitlements, and Accounts tabs, as appropriate.

Now that baton-splunk is installed and the connector is set up, Baton runs as a service in your environment. The service maintains contact with ConductorOne, syncs and uploads data at regular intervals, and passes that data to the ConductorOne UI, where you and your colleagues can use it to run access reviews and facilitate access requests for the application.