Splunk ES DoS Investigations Manager via Investigation Creation
- source: splunk
- techniques:
- T1499
Description
In Splunk Enterprise Security (ES) versions earlier than 7.1.2, an attacker can create a malformed Investigation to cause a denial of service (DoS). The malformed Investigation prevents the Investigations manager from being generated and rendered until the Investigation is deleted.
Detection logic
`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error
| stats count min(_time) as firstTime max(_time) as lastTime by user host method msg
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_es_dos_investigations_manager_via_investigation_creation_filter`
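The following is an added example, not part of the rule or of Splunk's security_content, that reproduces the search above outside Splunk so the filter and the `stats ... by` grouping can be checked against sample events. The log lines are constructed, and their key=value layout (and the `_time` column) is an assumption about what the `splunkd_investigation_rest_handler` macro returns.

```python
import re
from datetime import datetime

# Constructed sample events (assumed key=value layout; not real Splunk logs).
SAMPLE_LOGS = [
    '2024-03-01T10:00:00Z user=admin host=es01 method=put msg="Investigation create failed" status=error',
    '2024-03-01T10:00:05Z user=admin host=es01 method=put msg="Investigation create failed" status=error',
    '2024-03-01T10:01:00Z user=analyst host=es01 method=get msg="investigation list" status=ok',
    '2024-03-01T10:02:00Z user=admin host=es01 method=put msg="notable update" status=error',
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split a constructed log line into a timestamp plus key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    fields["_time"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return fields


def matches(ev):
    """Equivalent of: method=put msg=*investigation* status=error.
    Splunk field matching is case-insensitive and '*' is a glob wildcard."""
    return (ev.get("method", "").lower() == "put"
            and "investigation" in ev.get("msg", "").lower()
            and ev.get("status", "").lower() == "error")


def detect(lines):
    """Equivalent of: | stats count min(_time) as firstTime max(_time) as lastTime
    by user host method msg. Events lacking a by-field are dropped, as stats does."""
    groups = {}
    for ev in map(parse_event, lines):
        if not matches(ev) or not all(f in ev for f in ("user", "host", "method", "msg")):
            continue
        key = (ev["user"], ev["host"], ev["method"], ev["msg"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    # security_content_ctime renders the epoch fields as readable timestamps.
    return [dict(user=k[0], host=k[1], method=k[2], msg=k[3], count=v["count"],
                 firstTime=v["firstTime"].strftime("%Y-%m-%dT%H:%M:%S"),
                 lastTime=v["lastTime"].strftime("%Y-%m-%dT%H:%M:%S"))
            for k, v in groups.items()]


if __name__ == "__main__":
    for row in detect(SAMPLE_LOGS):
        print(row)
```

Only the two failed PUT requests whose message mentions an Investigation survive the filter; the GET and the unrelated error are dropped, and the survivors collapse into one row with count 2.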