Splunk ES DoS Investigations Manager via Investigation Creation
Description
In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.
- Type: TTP
-
Product: Splunk Enterprise Security
- Last Updated: 2024-01-04
- Author: Rod Soto, Eric McGinnis, Chase Franklin
- ID: 7f6a07bd-82ef-46b8-8eba-802278abd00e
Annotations
Kill Chain Phase
- Actions On Objectives
NIST
- DE.CM
CIS20
- CIS 10
CVE
ID | Summary | CVSS |
---|---|---|
CVE-2024-22165 | In Splunk Enterprise Security (ES) versions lower than 7.1.2, an attacker can create a malformed Investigation to perform a denial of service (DoS). The malformed investigation prevents the generation and rendering of the Investigations manager until it is deleted.<br>The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. | None |
Search
1
2
3
4
5
`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error
| stats count min(_time) as firstTime max(_time) as lastTime by user method msg
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_es_dos_investigations_manager_via_investigation_creation_filter`
Macros
The SPL above uses the following Macros:
splunk_es_dos_investigations_manager_via_investigation_creation_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- method
- msg
- status
- user
How To Implement
This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.
Known False Positives
The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
100.0 | 100 | 100 | Denial of Service Attack against Splunk ES Investigation Manager by $user$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1