Splunk Authentication Token Exposure in Debug Log
- source: splunk
- techniques:
Description
The following analytic identifies exposed authentication tokens in debug logs within Splunk Enterprise.
It leverages logs from the splunkd component with a DEBUG log level, specifically searching for event messages that validate tokens. This activity is significant because exposed tokens can be exploited by attackers to gain unauthorized access to the Splunk environment.
If confirmed malicious, this exposure could lead to unauthorized data access, privilege escalation, and potential compromise of the entire Splunk infrastructure.
Monitoring and addressing this vulnerability is crucial for maintaining the security and integrity of the Splunk deployment.
Detection logic
`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*"
| rex "Validating token: (?<token>.*)\.$"
| search token!=None
| stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_authentication_token_exposure_in_debug_log_filter`
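To make the detection logic concrete outside of a Splunk search head, here is an added Python example (not part of the rule above or of Splunk's security content) that applies the same filters and the same `rex` capture to raw splunkd.log lines and aggregates the hits the way the `stats` stage does. The log line layout (`MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message`) and the sample lines are constructed for the example; `index`, `sourcetype` and `host` are passed in as parameters because a raw file carries no Splunk metadata. The example masks the token in its report so that the alert does not re-expose the secret it found.

```python
import re
from datetime import datetime

# Constructed sample splunkd.log lines (not real log data). The layout mirrors
# the assumed "timestamp level component [thread] - message" format.
SAMPLE_SPLUNKD_LOG = """\
07-15-2024 10:02:11.120 +0000 DEBUG JsonWebToken [12345 TcpChannelThread] - Validating token: eyJhbGciOiJIUzI1NiJ9.payload.signature.
07-15-2024 10:02:11.125 +0000 DEBUG JsonWebToken [12345 TcpChannelThread] - Validating token: None.
07-15-2024 10:02:11.130 +0000 INFO JsonWebToken [12345 TcpChannelThread] - Validating token: eyJhbGciOiJIUzI1NiJ9.payload.signature.
07-15-2024 10:05:40.001 +0000 DEBUG JsonWebToken [12345 TcpChannelThread] - Validating token: eyJhbGciOiJIUzI1NiJ9.payload.signature.
07-15-2024 10:07:00.000 +0000 DEBUG AuthenticationManager [1 MainThread] - Validating token: somethingelse.
"""

# Parser for the assumed splunkd.log line layout.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+\[[^\]]*\]\s+-\s+(?P<msg>.*)$"
)
# Same capture as the rule's rex: everything after "Validating token: " up to
# the trailing period. The greedy .* keeps the dots inside a JWT.
TOKEN_RE = re.compile(r"Validating token: (?P<token>.*)\.$")


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%m-%d-%Y %H:%M:%S.%f %z")


def find_exposed_tokens(log_text, index="_internal", sourcetype="splunkd", host="sh-01"):
    """Mirror the SPL: keep DEBUG lines from the JsonWebToken component whose
    message starts with "Validating token:", extract the token, drop "None",
    then aggregate count/firstTime/lastTime by (index, sourcetype, host, token)."""
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["component"] != "JsonWebToken" or m["level"] != "DEBUG":
            continue
        if not m["msg"].startswith("Validating token:"):
            continue
        t = TOKEN_RE.search(m["msg"])
        if not t or t["token"] == "None":
            continue
        key = (index, sourcetype, host, t["token"])
        when = parse_ts(m["ts"])
        g = groups.setdefault(key, {"count": 0, "firstTime": when, "lastTime": when,
                                    "log_level": set(), "event_message": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], when)
        g["lastTime"] = max(g["lastTime"], when)
        g["log_level"].add(m["level"])
        g["event_message"].add(m["msg"])
    return groups


def mask_token(token: str, keep: int = 6) -> str:
    """Show only a short prefix so the alert itself does not re-expose the secret."""
    return token[:keep] + "..." if len(token) > keep else "***"


def report(groups):
    """Flatten the aggregation into alert rows with the token masked."""
    rows = []
    for (index, sourcetype, host, token), g in sorted(groups.items()):
        rows.append({
            "index": index, "sourcetype": sourcetype, "host": host,
            "token": mask_token(token), "count": g["count"],
            "firstTime": g["firstTime"].isoformat(),
            "lastTime": g["lastTime"].isoformat(),
        })
    return rows


if __name__ == "__main__":
    for row in report(find_exposed_tokens(SAMPLE_SPLUNKD_LOG)):
        print(row)
```

On the sample input only the two DEBUG JsonWebToken lines carrying a real token survive the filters: the "None" line is dropped by the `token!=None` stage, the INFO line by the log level, and the AuthenticationManager line by the component. In the SPL the full token is part of the `by` clause and therefore appears in the alert; when exposing the results to a wider audience (ticketing, chat), masking as in `report()` keeps the finding actionable without repeating the credential.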