SPL safeguards for risky commands
The Splunk platform contains search processing language (SPL) safeguards to warn you when you might unknowingly run a search in Splunk Web that has commands that might be either a security or a performance risk. If a search command that Splunk classifies as risky triggers the safeguard, a warning dialog box appears to provide extra context for review, as well as the option to accept the risk and run the query anyway.
In the Search app, the warning dialog box appears when you click a link or type a URL that loads a search which contains risky commands. In dashboards, the warning dialog box appears automatically unless an input or visualization contains a search with a risky command. In this case, you must click the error icon to invoke the warning. The warning does not appear when you create ad hoc searches.
This warning alerts you to the possibility of either a significant impact to performance or unauthorized actions by a malicious user. Unauthorized actions include:
- Copying or transferring data, a practice known as data exfiltration
- Deleting data
- Overwriting data
A possible scenario when this might occur in the Search app involves a malicious person creating a search that includes commands that exfiltrate or destroy data. The malicious person then sends an unsuspecting user a link to the search. The URL contains a query string (q) and a search identifier (sid), but the sid is not valid. The malicious person hopes the user will use the link, and the search will run.
A potential scenario in a dashboard might involve a malicious person creating or editing a dashboard to include searches that contain commands that exfiltrate or destroy data. The malicious person can then send an unsuspecting user a link to the corrupted dashboard and wait for the user to load the dashboard which runs the searches with the risky commands.
Some search commands do not pose security risks, but Splunk includes them in the list of risky commands because of their impact on performance. The rules are the same. When a search contains the risky command, the Splunk platform raises a warning to advise of the potential performance effects of the command.