Splunk Digital Certificates Infrastructure Version
- source: splunk
- techniques:
- T1587.003
Description
This search checks that TLS validation is properly configured on the search head it is run from, as well as on its search peers, for Splunk version 9 and later. Other components, such as additional search heads or any instance this rest command cannot be distributed to, must be checked manually.
Detection logic
| rest /services/server/info
| table splunk_server version server_roles
| join splunk_server [
| rest /servicesNS/nobody/search/configs/conf-server/ search="sslConfig"
| table splunk_server sslVerifyServerCert sslVerifyServerName serverCert]
| fillnull value="Not Set"
| rename sslVerifyServerCert as "Server.conf:SslConfig:sslVerifyServerCert", sslVerifyServerName as "Server.conf:SslConfig:sslVerifyServerName", serverCert as "Server.conf:SslConfig:serverCert"
| `splunk_digital_certificates_infrastructure_version_filter`
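For the components the rest command cannot reach, the same three sslConfig settings can be checked directly against a copy of server.conf. The script below is an added example, not part of the original rule or of Splunk; it reads the [sslConfig] stanza with Python's configparser, reports absent keys as "Not Set" like the fillnull step above, and flags any instance where server certificate or hostname verification is off or missing. The two embedded configs and the certificate path in them are constructed sample input.

```python
"""Offline check of Splunk server.conf [sslConfig] settings.

Mirrors the search above for hosts the rest command cannot reach:
the three keys are the ones the search tables, and a missing key is
reported as "Not Set" just as the fillnull step does.
"""
import configparser

CHECKED_KEYS = ("sslVerifyServerCert", "sslVerifyServerName", "serverCert")
NOT_SET = "Not Set"

# Constructed sample: verification explicitly disabled and hostname check absent.
WEAK_CONF = """
[general]
serverName = sample-peer-01

[sslConfig]
sslVerifyServerCert = false
serverCert = $SPLUNK_HOME/etc/auth/server.pem
"""

# Constructed sample: both verification settings enabled and a cert configured.
HARDENED_CONF = """
[general]
serverName = sample-peer-02

[sslConfig]
sslVerifyServerCert = true
sslVerifyServerName = true
serverCert = $SPLUNK_HOME/etc/auth/server.pem
"""


def parse_ssl_config(conf_text: str) -> dict:
    """Return the three checked keys from [sslConfig], with "Not Set" for absent ones."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep Splunk's camelCase key names as written
    parser.read_string(conf_text)
    if not parser.has_section("sslConfig"):
        return {key: NOT_SET for key in CHECKED_KEYS}
    section = parser["sslConfig"]
    return {key: section.get(key, NOT_SET) for key in CHECKED_KEYS}


def is_enabled(value: str) -> bool:
    """Interpret a boolean-ish conf value; anything else counts as disabled."""
    return value.strip().lower() in ("true", "1", "yes", "on")


def evaluate(settings: dict) -> list:
    """List the findings for one host; an empty list means all three checks pass."""
    findings = []
    for key in ("sslVerifyServerCert", "sslVerifyServerName"):
        value = settings[key]
        if value == NOT_SET:
            findings.append(f"{key} is not set")
        elif not is_enabled(value):
            findings.append(f"{key} = {value}")
    if settings["serverCert"] == NOT_SET:
        findings.append("serverCert is not set")
    return findings


def check_hosts(confs: dict) -> dict:
    """Map host name -> findings for a set of collected server.conf texts."""
    return {host: evaluate(parse_ssl_config(text)) for host, text in confs.items()}


if __name__ == "__main__":
    # Host labels are placeholders for the instances you collected the files from.
    for host, findings in check_hosts({"peer-01": WEAK_CONF, "peer-02": HARDENED_CONF}).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{host}: {status}")
```

Run it against the server.conf copies gathered from each unreachable instance; any host with a non-empty findings list is the one the search would have surfaced had it been able to distribute there.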