LoFP / Only applies to affected versions of Splunk Enterprise below 9.2.1, 9.1.4, and 9.0.9

Techniques

Sample rules

Splunk Authentication Token Exposure in Debug Log

Description

The following analytic identifies exposed authentication tokens in debug logs within Splunk Enterprise. It leverages logs from the splunkd component with a DEBUG log level, specifically searching for event messages that validate tokens. This activity is significant because exposed tokens can be exploited by attackers to gain unauthorized access to the Splunk environment. If confirmed malicious, this exposure could lead to unauthorized data access, privilege escalation, and potential compromise of the entire Splunk infrastructure. Monitoring and addressing this vulnerability is crucial for maintaining the security and integrity of the Splunk deployment.

Detection logic

`splunkd` component=JsonWebToken log_level=DEBUG eventtype="splunkd-log" event_message="Validating token:*"
| rex "Validating token: (?<token>.*)\.$"
| search token!=None
| stats count min(_time) as firstTime
              max(_time) as lastTime
              values(log_level) as log_level
              values(event_message) as event_message
  by index, sourcetype, host, token
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_authentication_token_exposure_in_debug_log_filter`
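The same detection rendered in Python and run over constructed splunkd lines, as an added example that is neither Splunk's code nor part of this LoFP entry: it applies the DEBUG/JsonWebToken/"Validating token:" filters, reuses the rex capture, drops the literal None token the way `search token!=None` does, and aggregates count, firstTime and lastTime by host and token. The log line layout and the token strings are assumptions.

```python
import re
from collections import defaultdict

# Same capture as the rex in the search; Python's re needs (?P<name>...) for a named group.
TOKEN_RE = re.compile(r"Validating token: (?P<token>.*)\.$")

# Constructed splunkd DEBUG lines (host, epoch time, raw message). The layout
# "LEVEL Component - message" and the token values are placeholders, not real JWTs.
SAMPLE_LOG = [
    ("host-a", 1700000000, "DEBUG JsonWebToken - Validating token: eyJhbGciOi.PLACEHOLDER.sig1."),
    ("host-a", 1700000060, "DEBUG JsonWebToken - Validating token: eyJhbGciOi.PLACEHOLDER.sig1."),
    ("host-b", 1700000120, "DEBUG JsonWebToken - Validating token: None."),
    ("host-b", 1700000180, "INFO JsonWebToken - Validating token: eyJhbGciOi.PLACEHOLDER.sig2."),
    ("host-c", 1700000240, "DEBUG JsonWebToken - Validating token: eyJhbGciOi.PLACEHOLDER.sig3."),
]

def parse_event(raw):
    """Split a splunkd line into log_level, component and event_message.
    Returns None when the line does not follow the assumed layout."""
    m = re.match(r"(?P<log_level>\w+)\s+(?P<component>\w+)\s+-\s+(?P<event_message>.*)$", raw)
    return m.groupdict() if m else None

def find_exposed_tokens(events):
    """Mirror of the SPL: filter to DEBUG JsonWebToken 'Validating token:' events,
    extract the token with the rex, skip 'None', then aggregate by (host, token).
    Returns {(host, token): {"count", "firstTime", "lastTime"}}."""
    results = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for host, ts, raw in events:
        ev = parse_event(raw)
        if not ev or ev["log_level"] != "DEBUG" or ev["component"] != "JsonWebToken":
            continue
        if not ev["event_message"].startswith("Validating token:"):
            continue
        m = TOKEN_RE.search(ev["event_message"])
        if not m or m.group("token") == "None":  # equivalent of: | search token!=None
            continue
        agg = results[(host, m.group("token"))]
        agg["count"] += 1
        agg["firstTime"] = ts if agg["firstTime"] is None else min(agg["firstTime"], ts)
        agg["lastTime"] = ts if agg["lastTime"] is None else max(agg["lastTime"], ts)
    return dict(results)

if __name__ == "__main__":
    for (host, token), agg in find_exposed_tokens(SAMPLE_LOG).items():
        print(host, token, agg)
```

Any (host, token) pair the function returns corresponds to a token value written in clear to the debug log, which is the condition the analytic alerts on.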