Try in Splunk Security Cloud

Description

Keeping your Splunk Enterprise deployment up to date is critical and will help you reduce the risk associated with vulnerabilities in the product.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Splunk_Audit
  • Last Updated: 2022-03-28
  • Author: Lou Stella, Splunk
  • ID: 5354df00-dce2-48ac-9a64-8adb48006828

Narrative

This analytic story includes detections that focus on attacker behavior targeted at your Splunk environment directly.

Detections

Name Technique Type
Detect Risky SPL using Pretrained ML Model Command and Scripting Interpreter Anomaly
Open Redirect in Splunk Web   TTP
Path traversal SPL injection File and Directory Discovery TTP
Persistent XSS in RapidDiag through User Interface Views Drive-by Compromise TTP
Splunk Account Discovery Drilldown Dashboard Disclosure Account Discovery TTP
Splunk Code Injection via custom dashboard leading to RCE Exploitation of Remote Services Hunting
Splunk Command and Scripting Interpreter Delete Usage Command and Scripting Interpreter Anomaly
Splunk Command and Scripting Interpreter Risky Commands Command and Scripting Interpreter Hunting
Splunk Command and Scripting Interpreter Risky SPL MLTK Command and Scripting Interpreter Anomaly
Splunk Data exfiltration from Analytics Workspace using sid query Exfiltration Over Web Service Hunting
Splunk Digital Certificates Infrastructure Version Digital Certificates Hunting
Splunk Digital Certificates Lack of Encryption Digital Certificates Anomaly
Splunk DoS via Malformed S2S Request Network Denial of Service TTP
Splunk Endpoint Denial of Service DoS Zip Bomb Endpoint Denial of Service TTP
Splunk Enterprise Information Disclosure   TTP
Splunk Identified SSL TLS Certificates Network Sniffing Hunting
Splunk Improperly Formatted Parameter Crashes splunkd Endpoint Denial of Service TTP
Splunk Process Injection Forwarder Bundle Downloads Process Injection Hunting
Splunk Protocol Impersonation Weak Encryption Configuration Protocol Impersonation Hunting
Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Exploitation of Remote Services Hunting
Splunk Reflected XSS in the templates lists radio Drive-by Compromise Hunting
Splunk Stored XSS via Data Model objectName field Drive-by Compromise Hunting
Splunk User Enumeration Attempt Valid Accounts TTP
Splunk XSS in Monitoring Console Drive-by Compromise TTP
Splunk XSS in Save table dialog header in search page Drive-by Compromise Hunting
Splunk XSS via View Drive-by Compromise Hunting
Splunk csrf in the ssg kvstore client endpoint Drive-by Compromise TTP
Splunk list all nonstandard admin accounts Drive-by Compromise Hunting
Splunk protocol impersonation weak encryption selfsigned Digital Certificates Hunting
Splunk protocol impersonation weak encryption simplerequest Digital Certificates Hunting
Splunk risky Command Abuse disclosed february 2023 Abuse Elevation Control Mechanism Hunting
Splunk unnecessary file extensions allowed by lookup table uploads Drive-by Compromise TTP

Reference

source | version: 1