Techniques
Sample rules
Splunk User Enumeration Attempt
- source: splunk
- techniques:
- T1078
Description
On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection alerts on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.
Detection logic
`splunkd_failed_auths`
| stats count(user) as auths by user, src
| where auths>5
| stats values(user) as user, sum(auths) as TotalFailedAuths by src
| `splunk_user_enumeration_attempt_filter`
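To make the three-stage aggregation above concrete, here is an added Python re-implementation of the same logic over constructed failed-authentication events (example code written for this page, not Splunk's own; the event list, field names and the 10.0.0.x sources are assumed sample data). It mirrors the SPL: count per (user, src), keep pairs above the threshold, then roll up per source.

```python
from collections import Counter, defaultdict


def _make(user, src, n):
    """Constructed helper: n failed-auth events for one user from one source."""
    return [{"user": user, "src": src} for _ in range(n)]


# Constructed sample of what `splunkd_failed_auths` would return (not real data).
# 10.0.0.5 hammers two accounts above the threshold and one below it;
# 10.0.0.9 stays below the threshold entirely.
FAILED_AUTHS = (
    _make("admin", "10.0.0.5", 7)
    + _make("svc_backup", "10.0.0.5", 6)
    + _make("bob", "10.0.0.5", 2)
    + _make("alice", "10.0.0.9", 3)
)


def detect_user_enumeration(events, threshold=5):
    """Return {src: {"user": [...], "TotalFailedAuths": n}} for sources that
    exceed `threshold` failed auths against at least one username.

    Stage 1: stats count(user) as auths by user, src
    Stage 2: where auths > threshold
    Stage 3: stats values(user) as user, sum(auths) as TotalFailedAuths by src
    """
    # Stage 1: one counter per (user, src) pair.
    per_pair = Counter((e["user"], e["src"]) for e in events)

    rolled = defaultdict(lambda: {"user": set(), "TotalFailedAuths": 0})
    for (user, src), auths in per_pair.items():
        # Stage 2: the filter runs before the roll-up, so a username that
        # stays at or below the threshold never contributes to the source total.
        if auths > threshold:
            rolled[src]["user"].add(user)
            rolled[src]["TotalFailedAuths"] += auths

    # Stage 3: SPL values() yields distinct, lexically sorted values.
    return {
        src: {"user": sorted(v["user"]), "TotalFailedAuths": v["TotalFailedAuths"]}
        for src, v in rolled.items()
    }


if __name__ == "__main__":
    for src, hit in detect_user_enumeration(FAILED_AUTHS).items():
        print(f"{src}: users={hit['user']} TotalFailedAuths={hit['TotalFailedAuths']}")
```

Note that "bob" (2 failures) is excluded from the 10.0.0.5 total because the `where` clause is applied before the second `stats`, exactly as in the SPL.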