kingfisher/crates/kingfisher-rules/data/rules/splunk.yml

rules:
  # Flags a UUID-shaped value that appears shortly after the word "splunk"
  # and one of the keywords token/auth/key/hec (all matching is case-insensitive).
  - name: Splunk Authentication Token
    id: kingfisher.splunk.1
    # (?x) allows the pattern to be written across lines; (?i) ignores case.
    # The (?:.|[\n\r]){0,N}? gaps let the keyword and the value sit on
    # different lines, while the upper bounds keep the context window small.
    pattern: |
      (?xi)
      \b
      splunk
      (?:.|[\n\r]){0,64}?
      \b(?:token|auth|key|hec)\b
      (?:.|[\n\r]){0,32}?
      \b
      (
      [A-Fa-f0-9]{8}-
      [A-Fa-f0-9]{4}-
      [A-Fa-f0-9]{4}-
      [A-Fa-f0-9]{4}-
      [A-Fa-f0-9]{12}
      )
      \b
    # Thresholds applied to the captured value — presumably to drop
    # low-variety placeholders before a finding is reported; verify against
    # the rule engine's handling of these keys.
    pattern_requirements:
      min_digits: 6
      min_entropy: 3.0
    # Any UUID near these keywords will match, not only real tokens,
    # which is why this is not rated higher.
    confidence: medium
    examples:
      - 'splunk.token = "C73A9E41-B2F0-4D18-A563-F9E73B012ABC"'
      - 'splunk.token=a4d7e19c-3b25-4f0c-8d61-720a9b3e4f58'
      - 'splunk.hec=D6BD1AD4-CB62-4D80-A637-593EE2B17391'
    references:
      - https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/UseAuthTokens
    # Splunk tokens are instance-scoped UUIDs; no public SaaS endpoint exists for standalone validation.