AgentSkillsCN

Splunk Security

Splunk 安全

SKILL.md

splunk-security

Token management, RBAC, and ACL verification for Splunk.

Purpose

Manage JWT tokens, check permissions, and configure ACLs on knowledge objects.

Risk Levels

OperationRiskNotes
Get current user-Read-only
List users/roles-Read-only
List tokens-Read-only
Get capabilities-Read-only
Check permission-Read-only
Get ACL-Read-only
Create token⚠️Security credential created
Delete token⚠️⚠️Breaks dependent integrations
Modify ACL⚠️⚠️Changes access permissions

Triggers

  • "token", "permission", "ACL"
  • "security", "RBAC", "role"
  • "access", "capabilities"

CLI Commands

CommandDescription
security whoamiGet current user info
security list-usersList all users
security list-rolesList all roles
security list-tokensList auth tokens
security create-tokenCreate auth token
security delete-tokenDelete auth token
security capabilitiesGet user capabilities
security checkCheck if user has capability
security aclGet ACL for resource

Options

OptionCommandsDescription
-o, --outputwhoami, list-users, list-roles, list-tokens, capabilities, aclOutput format (text, json)
-n, --namecreate-tokenToken name (required)
--audiencecreate-tokenToken audience (optional)
--expirescreate-tokenExpiration time in seconds (optional)

Examples

bash
# Get current user info (with output format)
splunk-as security whoami
splunk-as security whoami -o json

# List users
splunk-as security list-users
splunk-as security list-users -o json

# List roles
splunk-as security list-roles
splunk-as security list-roles -o json

# List tokens
splunk-as security list-tokens
splunk-as security list-tokens -o json

# Create token (--name required, --audience and --expires optional)
splunk-as security create-token -n "my-app-token"
splunk-as security create-token -n "my-app-token" --audience "my-app" --expires 2592000

# Delete token
splunk-as security delete-token token_123

# Get capabilities (current user)
splunk-as security capabilities
splunk-as security capabilities -o json

# Check if user has a specific capability (positional argument)
splunk-as security check search

# Get ACL (full REST path starting with /)
splunk-as security acl /servicesNS/nobody/search/saved/searches/MySearch
splunk-as security acl /servicesNS/nobody/search/saved/searches/MySearch -o json

API Endpoints

  • GET/POST/DELETE /services/authorization/tokens - Tokens
  • GET/POST /services/data/transforms/lookups/{name}/acl - ACL