LoFP / automation executing authentication attempts against your splunk infrastructure with outdated credentials may cause false positives.

Techniques

Sample rules

Splunk User Enumeration Attempt

Description

On May 3rd, 2022, Splunk published a security advisory for username enumeration stemming from verbose login failure messages present on some REST endpoints. This detection will alert on attempted exploitation in patched versions of Splunk as well as actual exploitation in unpatched versions of Splunk.

Detection logic

`splunkd_failed_auths`
| stats count(user) as auths by user, src
| where auths>5
| stats values(user) as user, sum(auths) as TotalFailedAuths by src
| `splunk_user_enumeration_attempt_filter`
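The search above, re-implemented in Python and run over constructed sample events so the two `stats` stages and the threshold can be checked stage by stage. This is an added example, not Splunk's own code or part of the rule. It assumes each failed-authentication event carries only the `user` and `src` fields the SPL depends on (the `splunkd_failed_auths` macro selects those events in the real rule), and it stands in for the `splunk_user_enumeration_attempt_filter` macro with a simple source-address allowlist, which is an assumption about how an administrator might tune out the automation hosts named as a false-positive source at the top of this page.

```python
"""Python equivalent of the "Splunk User Enumeration Attempt" search, run over
constructed sample events (added example, not Splunk's code)."""
from collections import defaultdict

# Threshold from the SPL: `where auths>5`
AUTH_THRESHOLD = 5


def _events(src, user, n):
    """Build n constructed failed-auth events for one user from one source."""
    return [{"user": user, "src": src} for _ in range(n)]


# Constructed sample data (not real log output):
#  - 10.0.0.5 hammers two accounts past the threshold and a third below it
#  - 10.0.0.9 is an automation host retrying a stale service-account password
#  - 10.0.0.7 tries ten different usernames once each
SAMPLE_EVENTS = (
    _events("10.0.0.5", "admin", 7)
    + _events("10.0.0.5", "svc_backup", 6)
    + _events("10.0.0.5", "guest", 2)
    + _events("10.0.0.9", "svc_deploy", 8)
    + [{"user": f"user{i}", "src": "10.0.0.7"} for i in range(10)]
)


def failed_auths_by_user_src(events):
    """Equivalent of `stats count(user) as auths by user, src`.
    Returns {(user, src): auths}; events with no user are skipped, as
    count(user) ignores null values."""
    counts = defaultdict(int)
    for event in events:
        if event.get("user") is None:
            continue
        counts[(event["user"], event["src"])] += 1
    return dict(counts)


def user_enumeration_attempts(events, threshold=AUTH_THRESHOLD):
    """Equivalent of `where auths>threshold` followed by
    `stats values(user) as user, sum(auths) as TotalFailedAuths by src`.
    Returns {src: {"user": sorted unique users, "TotalFailedAuths": int}}."""
    per_src = {}
    for (user, src), auths in failed_auths_by_user_src(events).items():
        if auths > threshold:  # strict comparison, as in the SPL
            entry = per_src.setdefault(src, {"user": set(), "TotalFailedAuths": 0})
            entry["user"].add(user)
            entry["TotalFailedAuths"] += auths
    return {
        src: {"user": sorted(v["user"]), "TotalFailedAuths": v["TotalFailedAuths"]}
        for src, v in per_src.items()
    }


def apply_filter(results, allowlisted_srcs):
    """Stand-in for `splunk_user_enumeration_attempt_filter` (assumption):
    drop results for sources an administrator has allowlisted, e.g. hosts
    running automation with outdated credentials."""
    return {src: row for src, row in results.items() if src not in allowlisted_srcs}


if __name__ == "__main__":
    hits = user_enumeration_attempts(SAMPLE_EVENTS)
    for src, row in sorted(hits.items()):
        print(f"{src}: users={row['user']} TotalFailedAuths={row['TotalFailedAuths']}")
    print("after filter:", sorted(apply_filter(hits, {"10.0.0.9"})))
```

Two things the sample makes visible. The threshold is applied per user and source pair before the second `stats`, so 10.0.0.7, which cycles ten usernames once each, produces no result even though it generates the most distinct usernames; only sources that fail more than five times against the same account appear, with all such accounts for that source collected into `user`. The automation host 10.0.0.9 does appear, which is exactly the false-positive case noted at the top of the page, and the filter macro at the end of the search is where that kind of known source is excluded.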