Techniques
Sample rules
Splunk Sensitive Information Disclosure in DEBUG Logging Channels
- source: splunk
- techniques:
Description
In Splunk versions 9.3, 9.2, 9.1, 9.1.5, applications that have the DEBUG logging level enabled may write sensitive information, such as keys, tokens, or other sensitive strings, into the internal index.
Detection logic
`splunkd` log_level="DEBUG" AND component IN ("REST_Calls", "AdminManager", "JSONWebToken")
| stats count min(_time) as firstTime max(_time) as lastTime by host splunk_server log_level component event_message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_sensitive_information_disclosure_in_debug_logging_channels_filter`