Data Source: Splunk

Description

Logs Splunk Web user interface access events, including the user performing the action, the action taken, the resource (REST endpoint) accessed and whether the request was authorized.

Details

Property    Value
Source      splunkd_ui_access.log
Sourcetype  splunkd_ui_access
Detections

Name | Technique | Type
Splunk Enterprise KV Store Incorrect Authorization | Abuse Elevation Control Mechanism | Hunting
Splunk Information Disclosure on Account Login | Account Discovery | Hunting
Splunk Path Traversal In Splunk App For Lookup File Edit | File and Directory Discovery | Hunting
Splunk RCE PDFgen Render | Exploitation of Remote Services | TTP
Splunk RCE Through Arbitrary File Write to Windows System Root | Exploitation of Remote Services | Hunting
Splunk Sensitive Information Disclosure in DEBUG Logging Channels | Unsecured Credentials | Hunting
Splunk User Enumeration Attempt | Valid Accounts | TTP
Splunk XSS Privilege Escalation via Custom Urls in Dashboard | Drive-by Compromise | Hunting

Event Fields

Fields

_time
action
date_hour
date_mday
date_minute
date_month
date_second
date_wday
date_year
date_zone
dest
host
index
info
linecount
punct
source
sourcetype
splunk_server
timeendpos
timestamp
timestartpos
user

Example Log

Audit:[timestamp=01-25-2023 22:08:54.818, user=admin, action=search, info=granted REST: /search/jobs/rt_1674684525.24/events]
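The parser and check below are an added example, not code from Splunk or from the security content project this page indexes. They read lines in the Audit:[key=value, ...] layout of the example above into the timestamp, user, action and info fields listed on this page, split info into the authorization outcome and the REST endpoint it refers to, and count denied REST calls per user. The sample lines are constructed, not real captures, and the "denied" outcome is assumed as the counterpart of the "granted" value shown in the example; the threshold of three is arbitrary.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample events in the "Audit:[key=value, ...]" layout shown on this page.
# Not real captures. "denied" is assumed as the counterpart of the "granted" value
# that appears in the page's example.
SAMPLE_LINES: List[str] = [
    "Audit:[timestamp=01-25-2023 22:08:54.818, user=admin, action=search, "
    "info=granted REST: /search/jobs/rt_1674684525.24/events]",
    "Audit:[timestamp=01-25-2023 22:09:01.002, user=admin, action=search, "
    "info=granted REST: /search/jobs/1674684541.25/results]",
    "Audit:[timestamp=01-25-2023 22:09:05.510, user=analyst, action=search, "
    "info=denied REST: /search/jobs/1674684541.25/results]",
    "Audit:[timestamp=01-25-2023 22:09:06.120, user=analyst, action=search, "
    "info=denied REST: /search/jobs/1674684541.25/events]",
    "Audit:[timestamp=01-25-2023 22:09:07.330, user=analyst, action=search, "
    "info=denied REST: /search/jobs/1674684541.25/summary]",
]

_LINE_RE = re.compile(r"^Audit:\[(?P<body>.*)\]$")
# Split the body on ", " only where the next token looks like a new key=,
# so commas inside a value (e.g. a REST path) do not break a field apart.
_FIELD_SPLIT_RE = re.compile(r", (?=[A-Za-z_]+=)")
# The info field packs an authorization outcome and a REST endpoint together.
_INFO_RE = re.compile(r"^(?P<status>granted|denied)\s+REST:\s*(?P<endpoint>\S+)$")
_TS_FORMAT = "%m-%d-%Y %H:%M:%S.%f"


def parse_audit_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one Audit:[...] line into a dict of the fields listed on this page.

    Returns None for lines that do not match the layout, so a caller can count
    malformed input instead of crashing on it.
    """
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    record: Dict[str, object] = {}
    for token in _FIELD_SPLIT_RE.split(m.group("body")):
        key, sep, value = token.partition("=")
        if not sep:
            return None
        record[key.strip()] = value.strip()
    # Normalise the timestamp; leave it as a string if it does not parse.
    ts = record.get("timestamp")
    if isinstance(ts, str):
        try:
            record["timestamp"] = datetime.strptime(ts, _TS_FORMAT)
        except ValueError:
            pass
    # Split info into status and endpoint so detections can filter on either.
    info = record.get("info")
    if isinstance(info, str):
        im = _INFO_RE.match(info)
        if im:
            record["status"] = im.group("status")
            record["endpoint"] = im.group("endpoint")
    return record


def denied_access_by_user(lines: List[str], threshold: int = 3) -> Dict[str, int]:
    """Count denied REST calls per user; return the users at or above threshold."""
    denied: Counter = Counter()
    for line in lines:
        rec = parse_audit_line(line)
        if rec and rec.get("status") == "denied":
            denied[str(rec["user"])] += 1
    return {user: n for user, n in denied.items() if n >= threshold}


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_audit_line(sample))
    print(denied_access_by_user(SAMPLE_LINES))
```

The split on the info field is the part worth keeping: a run of denied calls from one account against search job endpoints is the kind of signal the hunting detections above look for, and it is only visible once the outcome and the endpoint are separate fields rather than one free-text value.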

Source: GitHub | Version: 2