LoFP LoFP / there will be false positives as not every message to the debug log will expose sensitive information, such as keys or other secrets.

Techniques

Sample rules

Splunk Sensitive Information Disclosure in DEBUG Logging Channels

Description

In Splunk versions 9.3, 9.2, 9.1, 9.1.5 Applications which have been enabled with logging level DEBUG may write sensitive information such as keys, tokens, or other sensitive strings into the internal index.

Detection logic

`splunkd` log_level="DEBUG" AND component IN ("REST_Calls", "AdminManager", "JSONWebToken")

| stats count min(_time) as firstTime max(_time) as lastTime by host splunk_server log_level component event_message

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `splunk_sensitive_information_disclosure_in_debug_logging_channels_filter`