Techniques
Sample rules
Splunk Authentication Token Exposure in Debug Log
- source: splunk
- techniques:
  - T1654
Description
This detection search finds authentication tokens exposed in debug logs. Splunk Enterprise versions below 9.2.1, 9.1.4, and 9.0.9 may be affected by a vulnerability in which JSON Web Tokens are written to the splunkd log when the log level is set to DEBUG.
Detection logic
`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*"
| rex "Validating token: (?<token>.*)\.$"
| search token!=None
| stats count min(_time) as firstTime max(_time) as lastTime values(log_level) as log_level values(event_message) as event_message by index, sourcetype, host, token
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_authentication_token_exposure_in_debug_log_filter`
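The following is an added example, not part of the Splunk rule above, that applies the same detection logic outside Splunk: it parses splunkd-style log lines, keeps only DEBUG events from the JsonWebToken component, extracts the token with the same `Validating token: (.*)\.$` capture the rule's `rex` uses, drops `None` tokens, and aggregates count, first and last time per host and token, as the `stats` stage does. The log line layout, the host name and the sample lines are constructed assumptions for the example; the token values are placeholders. One deliberate difference from the SPL: results are keyed by a SHA-256 fingerprint of the token rather than the token itself, so the detection output does not become a second clear-text copy of the credential.

```python
import hashlib
import re
from datetime import datetime

# Assumed splunkd.log layout (constructed for this example):
# "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL Component [thread] - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<level>[A-Z]+) (?P<component>\S+) (?:\[[^\]]*\] )?- (?P<message>.*)$"
)

# Same capture as the rule's `rex`: everything after "Validating token: "
# up to the trailing full stop (greedy, so a dotted JWT is kept whole).
TOKEN_RE = re.compile(r"Validating token: (?P<token>.*)\.$")

# Three base64url segments separated by dots, the shape of a JWS compact token.
JWT_SHAPE_RE = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*")

# Constructed sample lines; "EXAMPLE-..." segments are placeholders, not real tokens.
SAMPLE_LOG = [
    "03-18-2024 10:15:02.123 +0000 DEBUG JsonWebToken [12345 TcpChannelThread] - "
    "Validating token: eyJhbGciOiJIUzUxMiJ9.EXAMPLE-PAYLOAD.EXAMPLE-SIG.",
    "03-18-2024 10:15:02.124 +0000 DEBUG JsonWebToken [12345 TcpChannelThread] - "
    "Validating token: None.",
    "03-18-2024 10:16:40.001 +0000 DEBUG JsonWebToken [12346 TcpChannelThread] - "
    "Validating token: eyJhbGciOiJIUzUxMiJ9.EXAMPLE-PAYLOAD.EXAMPLE-SIG.",
    # Different component: the rule's component=JsonWebToken filter excludes it.
    "03-18-2024 10:17:01.000 +0000 DEBUG HttpListener [1 HTTPDispatch] - "
    "Validating token: EXAMPLE-OTHER.",
    # Same component, but not the message the rule looks for.
    "03-18-2024 10:17:05.000 +0000 DEBUG JsonWebToken [12346 TcpChannelThread] - "
    "Token signature verified.",
]


def parse_line(line):
    """Split one log line into timestamp, level, component and message; None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%m-%d-%Y %H:%M:%S.%f %z")
    return ev


def fingerprint(token):
    """Short SHA-256 prefix used as the reporting key in place of the raw token."""
    return hashlib.sha256(token.encode()).hexdigest()[:12]


def detect_exposed_tokens(lines, host="search-head-1"):
    """Return {(host, token_fingerprint): {count, firstTime, lastTime, jwt_shaped}}.

    Mirrors the SPL: component=JsonWebToken, log_level=DEBUG,
    event_message="Validating token:*", rex capture, token!=None,
    then stats count/min(_time)/max(_time) by host and token.
    """
    results = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["component"] != "JsonWebToken" or ev["level"] != "DEBUG":
            continue
        tm = TOKEN_RE.search(ev["message"])
        if not tm:
            continue
        token = tm.group("token")
        if token == "None":  # equivalent of `| search token!=None`
            continue
        key = (host, fingerprint(token))
        r = results.setdefault(
            key,
            {"count": 0, "firstTime": ev["ts"], "lastTime": ev["ts"],
             "jwt_shaped": bool(JWT_SHAPE_RE.fullmatch(token))},
        )
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], ev["ts"])
        r["lastTime"] = max(r["lastTime"], ev["ts"])
    return results


if __name__ == "__main__":
    for (h, fp), r in detect_exposed_tokens(SAMPLE_LOG).items():
        print(f"host={h} token_sha256={fp} count={r['count']} "
              f"first={r['firstTime'].isoformat()} last={r['lastTime'].isoformat()} "
              f"jwt_shaped={r['jwt_shaped']}")
```

Run against a real splunkd.log export, the `jwt_shaped` flag is a cheap way to separate actual token material from other strings the DEBUG path may print; the SPL rule does not make that distinction and groups by the raw token, so an analyst reviewing the notable events sees the token itself.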