This search uses the Kubernetes logs from an nginx ingress controller to detect local file inclusion (LFI) attacks.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud, Dev Sec Ops Analytics
  • Datamodel:
  • Last Updated: 2021-08-20
  • Author: Patrick Bareiss, Splunk
  • ID: 0f83244b-425b-4528-83db-7a88c5f66e48


ATT&CK Technique

  • ID: T1212
  • Technique: Exploitation for Credential Access
  • Tactic: Credential Access
Search

| rex field=_raw "^(?<remote_addr>\S+)\s+-\s+-\s+\[(?<time_local>[^\]]*)\]\s\"(?<request>[^\"]*)\"\s(?<status>\S*)\s(?<body_bytes_sent>\S*)\s\"(?<http_referer>[^\"]*)\"\s\"(?<http_user_agent>[^\"]*)\"\s(?<request_length>\S*)\s(?<request_time>\S*)\s\[(?<proxy_upstream_name>[^\]]*)\]\s\[(?<proxy_alternative_upstream_name>[^\]]*)\]\s(?<upstream_addr>\S*)\s(?<upstream_response_length>\S*)\s(?<upstream_response_time>\S*)\s(?<upstream_status>\S*)\s(?<req_id>\S*)"
| lookup local_file_inclusion_paths local_file_inclusion_paths AS request OUTPUT lfi_path
| search lfi_path=yes
| rename remote_addr AS src_ip, upstream_status as status, proxy_upstream_name as proxy
| rex field=request "^(?<http_method>\S+)\s(?<url>\S+)\s"
| eval phase="operate"
| eval severity="high"
| stats count min(_time) as firstTime max(_time) as lastTime by src_ip, status, url, http_method, host, http_user_agent, proxy, phase, severity
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `kubernetes_nginx_ingress_lfi_filter`
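As an added example (not part of the Splunk content above), the same extraction, lookup and aggregation logic in Python, run over constructed ingress-nginx access log lines. The LFI_PATTERNS list is an assumed stand-in for the local_file_inclusion_paths lookup, whose real contents the page does not show; the log lines and IPs are constructed.

```python
import re
from fnmatch import fnmatchcase
from collections import defaultdict

# Same field extraction as the rex in the search (field names kept identical).
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+)\s+-\s+-\s+\[(?P<time_local>[^\]]*)\]\s"(?P<request>[^"]*)"\s'
    r'(?P<status>\S*)\s(?P<body_bytes_sent>\S*)\s"(?P<http_referer>[^"]*)"\s'
    r'"(?P<http_user_agent>[^"]*)"\s(?P<request_length>\S*)\s(?P<request_time>\S*)\s'
    r'\[(?P<proxy_upstream_name>[^\]]*)\]\s\[(?P<proxy_alternative_upstream_name>[^\]]*)\]\s'
    r'(?P<upstream_addr>\S*)\s(?P<upstream_response_length>\S*)\s'
    r'(?P<upstream_response_time>\S*)\s(?P<upstream_status>\S*)\s(?P<req_id>\S*)')
REQUEST_RE = re.compile(r'^(?P<http_method>\S+)\s(?P<url>\S+)\s')

# Assumed stand-in for the local_file_inclusion_paths lookup: wildcard patterns
# matched case-insensitively against the whole request line (no URL decoding, as in the SPL).
LFI_PATTERNS = ["*/etc/passwd*", "*../../*", "*%2fetc%2fpasswd*", "*/proc/self/environ*"]
# Constructed ingress-nginx access log lines, not taken from the page.
SAMPLE_LOGS = [
    '10.0.0.5 - - [20/Aug/2021:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 612 "-" '
    '"Mozilla/5.0" 80 0.002 [default-web-80] [] 10.244.1.3:80 612 0.002 200 a1',
    '203.0.113.9 - - [20/Aug/2021:10:00:02 +0000] "GET /app?file=../../../../etc/passwd HTTP/1.1" '
    '404 153 "-" "curl/7.79" 120 0.001 [default-web-80] [] 10.244.1.3:80 153 0.001 404 a2',
    '203.0.113.9 - - [20/Aug/2021:10:00:03 +0000] "GET /app?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" '
    '200 1024 "-" "curl/7.79" 120 0.003 [default-web-80] [] 10.244.1.3:80 1024 0.003 200 a3',
]

def parse_line(line):
    """Extract the ingress log fields plus http_method/url; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    r = REQUEST_RE.match(fields["request"])
    if r:
        fields.update(r.groupdict())
    return fields

def is_lfi(request):
    """Equivalent of the lookup step: any wildcard pattern matches the request line."""
    return any(fnmatchcase(request.lower(), p) for p in LFI_PATTERNS)

def detect(lines):
    """Equivalent of the stats step: hit count keyed by src_ip, status, url, method."""
    hits = defaultdict(int)
    for line in lines:
        f = parse_line(line)
        if f and is_lfi(f["request"]):
            hits[(f["remote_addr"], f["upstream_status"], f["url"], f["http_method"])] += 1
    return dict(hits)
```

Because neither the SPL nor this mirror decodes the URL, an encoded traversal only matches if the lookup carries an encoded pattern as well; that is the main tuning point when reviewing false negatives.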

Associated Analytic Story

How To Implement

You must ingest Kubernetes logs through Splunk Connect for Kubernetes.

Required field

  • _raw

Kill Chain Phase

  • Actions on Objectives

Known False Positives



  • Risk Score: 49.0
  • Impact: 70
  • Confidence: 70
  • Message: Local File Inclusion Attack detected on $host$


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

Version: 1