Techniques
Sample rules
Splunk Enterprise Information Disclosure
- source: splunk
- techniques:
Description
This search looks for evidence of exploitation of CVE-2018-11409, a Splunk Enterprise information disclosure bug.
Detection logic
index=_internal sourcetype=splunkd_ui_access server-info
| search clientip!=127.0.0.1 uri_path="*raw/services/server/info/server-info"
| rename clientip as src_ip, splunk_server as dest
| stats earliest(_time) as firstTime, latest(_time) as lastTime, values(uri) as uri, values(useragent) as http_user_agent, values(user) as user by src_ip, dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_enterprise_information_disclosure_filter`
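The following is an added example, not part of the original rule and not Splunk's own code: it re-implements the search above in Python so the logic can be checked offline against a handful of constructed `splunkd_ui_access` lines. The log line layout, the `splunk_server` value (`sh01.example`) and the `allowlist` parameter that stands in for the `splunk_enterprise_information_disclosure_filter` macro are all assumptions; the filter conditions (non-loopback client, `uri_path` ending in `raw/services/server/info/server-info`) and the grouping by `src_ip`/`dest` mirror the SPL.

```python
import re
from datetime import datetime

# Constructed sample splunkd_ui_access events (format assumed, not taken from the page).
# Lines 1 and 4 should be ignored: loopback client, and a non-matching uri_path.
SAMPLE_LOG = """\
127.0.0.1 - admin [10/Jan/2024:10:00:00.000 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 1ms
203.0.113.7 - - [10/Jan/2024:10:01:05.000 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info?output_mode=json HTTP/1.1" 200 512 "-" "curl/7.88.1" - 2ms
203.0.113.7 - - [10/Jan/2024:10:01:09.000 +0000] "GET /en-US/splunkd/__raw/services/server/info/server-info HTTP/1.1" 200 512 "-" "python-requests/2.31" - 2ms
198.51.100.20 - alice [10/Jan/2024:10:02:00.000 +0000] "GET /en-US/app/search/search HTTP/1.1" 200 9000 "-" "Mozilla/5.0" - 30ms
"""

# Field extraction equivalent to Splunk's clientip / user / uri / useragent fields.
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" (?P<status>\d+) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"
TARGET_SUFFIX = "raw/services/server/info/server-info"   # the SPL's *raw/... wildcard


def detect(log_text, splunk_server="sh01.example", allowlist=frozenset()):
    """Return one result per (src_ip, dest), like the SPL `stats ... by src_ip, dest`.

    splunk_server is event metadata in Splunk; here it is an assumed constant.
    allowlist is a stand-in for the `splunk_enterprise_information_disclosure_filter`
    macro: source IPs in it are dropped from the output.
    """
    groups = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        # clientip!=127.0.0.1
        if ev["clientip"] == "127.0.0.1":
            continue
        # uri_path="*raw/services/server/info/server-info" (uri_path = uri without query string)
        uri_path = ev["uri"].split("?", 1)[0]
        if not uri_path.endswith(TARGET_SUFFIX):
            continue
        t = datetime.strptime(ev["ts"], TS_FMT)
        key = (ev["clientip"], splunk_server)
        g = groups.setdefault(key, {
            "src_ip": ev["clientip"], "dest": splunk_server,
            "firstTime": t, "lastTime": t,
            "uri": set(), "http_user_agent": set(), "user": set(),
        })
        g["firstTime"] = min(g["firstTime"], t)      # earliest(_time)
        g["lastTime"] = max(g["lastTime"], t)        # latest(_time)
        g["uri"].add(ev["uri"])                      # values(uri)
        g["http_user_agent"].add(ev["useragent"])    # values(useragent)
        g["user"].add(ev["user"])                    # values(user)

    results = []
    for (src_ip, _dest), g in sorted(groups.items()):
        if src_ip in allowlist:                      # filter macro stand-in
            continue
        results.append({
            "src_ip": g["src_ip"],
            "dest": g["dest"],
            # security_content_ctime renders epoch as a readable timestamp; ISO 8601 here
            "firstTime": g["firstTime"].isoformat(),
            "lastTime": g["lastTime"].isoformat(),
            "uri": sorted(g["uri"]),
            "http_user_agent": sorted(g["http_user_agent"]),
            "user": sorted(g["user"]),
        })
    return results


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

On the sample input, only the requests from `203.0.113.7` survive: the loopback request is excluded by the `clientip` condition and the search-app request by the `uri_path` condition, and the two matching requests collapse into a single row with their earliest and latest timestamps and the distinct user agents seen.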