LoFP / No known false positives at this time.

Techniques

Sample rules

Splunk Digital Certificates Infrastructure Version

Description

This search checks whether TLS validation is properly configured on the search head it is run from, as well as on its search peers, for Splunk version 9 and later. Other components, such as additional search heads or any instance this rest command cannot be distributed to, must be checked manually.

Detection logic

| rest /services/server/info
| table splunk_server version server_roles
| join splunk_server [
    | rest /servicesNS/nobody/search/configs/conf-server/ search="sslConfig"
    | table splunk_server sslVerifyServerCert sslVerifyServerName serverCert]
| fillnull value="Not Set"
| rename sslVerifyServerCert as "Server.conf:SslConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:SslConfig:sslVerifyServerName", serverCert as "Server.conf:SslConfig:serverCert"
| `splunk_digital_certificates_infrastructure_version_filter`
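The following Python example is added here to show what the search above actually evaluates; it is not part of the LoFP page or of Splunk's own code. It emulates the join of `/services/server/info` with the `sslConfig` stanza from `conf-server`, the `fillnull value="Not Set"` step, and a pass/fail decision on `sslVerifyServerCert`, `sslVerifyServerName` and `serverCert`. The record shape and all rows are constructed sample data (real REST responses wrap these fields under `entry` and `content`). One deliberate difference: SPL `join` is an inner join by default, so a peer that returns no `sslConfig` row would silently drop out of the original table; the left join used here keeps such a peer visible with every field reported as "Not Set".

```python
"""Offline emulation of the Splunk TLS-validation check (added example)."""
from typing import Dict, List, Optional

NOT_SET = "Not Set"  # mirrors `fillnull value="Not Set"` in the SPL
CHECKED_FIELDS = ("sslVerifyServerCert", "sslVerifyServerName", "serverCert")

# Constructed sample of `| rest /services/server/info`: one row per instance.
SERVER_INFO = [
    {"splunk_server": "sh01", "version": "9.1.2", "server_roles": ["search_head"]},
    {"splunk_server": "idx01", "version": "9.0.4", "server_roles": ["indexer"]},
    {"splunk_server": "idx02", "version": "9.0.1", "server_roles": ["indexer"]},
    {"splunk_server": "idx03", "version": "8.2.9", "server_roles": ["indexer"]},
]

# Constructed sample of the sslConfig stanza per instance. idx01 has
# verification disabled and no server-name check; idx02 returns no row at all.
SSL_CONFIG = [
    {"splunk_server": "sh01", "sslVerifyServerCert": "true",
     "sslVerifyServerName": "true", "serverCert": "/opt/splunk/etc/auth/server.pem"},
    {"splunk_server": "idx01", "sslVerifyServerCert": "false",
     "serverCert": "/opt/splunk/etc/auth/server.pem"},
]


def splunk_bool(value: str) -> Optional[bool]:
    """Parse the boolean spellings Splunk accepts in .conf files (case-insensitive)."""
    v = value.strip().lower()
    if v in ("true", "1", "yes", "on"):
        return True
    if v in ("false", "0", "no", "off"):
        return False
    return None  # unrecognised spelling; treated as not enabled by assess()


def major_version(version: str) -> int:
    """Return the major component of a Splunk version string, 0 if unparsable."""
    head = version.split(".")[0]
    return int(head) if head.isdigit() else 0


def join_by_server(info: List[Dict], ssl_rows: List[Dict]) -> List[Dict]:
    """Left-join sslConfig rows onto server/info rows and fill gaps with NOT_SET."""
    by_server = {r["splunk_server"]: r for r in ssl_rows}
    joined = []
    for inst in info:
        cfg = by_server.get(inst["splunk_server"], {})
        row = dict(inst)
        for field in CHECKED_FIELDS:
            row[field] = cfg.get(field, NOT_SET)
        joined.append(row)
    return joined


def assess(row: Dict) -> Dict:
    """Classify one joined row: ok, weak (with the offending fields), or manual."""
    server = row["splunk_server"]
    if major_version(row["version"]) < 9:
        # The search only covers version 9 and later; older instances need a hand check.
        return {"splunk_server": server, "status": "manual",
                "issues": ["version below 9: verify TLS settings by hand"]}
    issues = []
    for field in ("sslVerifyServerCert", "sslVerifyServerName"):
        val = row[field]
        if val == NOT_SET:
            issues.append(f"{field} not set")
        elif splunk_bool(val) is not True:
            issues.append(f"{field}={val}")
    if row["serverCert"] == NOT_SET:
        issues.append("serverCert not set")
    return {"splunk_server": server,
            "status": "ok" if not issues else "weak", "issues": issues}


def run_check(info: List[Dict] = SERVER_INFO,
              ssl_rows: List[Dict] = SSL_CONFIG) -> Dict[str, Dict]:
    """Run the full emulated search and key the findings by splunk_server."""
    return {r["splunk_server"]: assess(r) for r in join_by_server(info, ssl_rows)}


if __name__ == "__main__":
    for server, result in run_check().items():
        print(f"{server:8} {result['status']:7} {'; '.join(result['issues']) or '-'}")
```

In practice the rows would come from the two REST endpoints rather than the constructed lists, but the decision logic is the same: any instance whose row reads "Not Set" or carries a false value in the two `sslVerify*` keys is the one the SPL surfaces for follow-up.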