Techniques
Sample rules
Splunk Information Disclosure on Account Login
- source: splunk
- techniques:
Description
This is a composed hunting search that looks for possible user enumeration attempts when SAML is enabled on a Splunk instance, by capturing the different responses returned by the server for failed login attempts.
Detection logic
`splunkd` component=UiAuth status=failure action=login TcpChannelThread
| stats count min(_time) as firstTime max(_time) as lastTime by user status action clientip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_information_disclosure_on_account_login_filter`
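The same filter-and-stats logic applied to log lines outside Splunk, as an added example that is not part of this rule or of Splunk's security content: it parses constructed `splunkd.log`-style UiAuth lines (the key=value layout is an approximation, not copied from a real deployment), keeps only login failures on `TcpChannelThread`, and aggregates count, firstTime and lastTime by user, status, action and clientip. The final `users_tried_per_ip` pivot goes slightly beyond the SPL by showing the per-source-IP view a hunter would use to spot one client cycling through many usernames.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample splunkd.log lines; the UiAuth key=value layout is approximated,
# not copied from a real deployment. The status=success line must be filtered out.
SAMPLE_LOG = """\
08-03-2023 10:00:01.000 +0000 INFO  UiAuth [1001 TcpChannelThread] - user=alice action=login status=failure reason=user-initiated clientip=203.0.113.5
08-03-2023 10:00:04.000 +0000 INFO  UiAuth [1001 TcpChannelThread] - user=bob action=login status=failure reason=user-initiated clientip=203.0.113.5
08-03-2023 10:00:07.000 +0000 INFO  UiAuth [1001 TcpChannelThread] - user=alice action=login status=success reason=user-initiated clientip=203.0.113.5
08-03-2023 10:00:09.000 +0000 INFO  UiAuth [1001 TcpChannelThread] - user=alice action=login status=failure reason=user-initiated clientip=203.0.113.5
08-03-2023 10:01:00.000 +0000 INFO  UiAuth [1002 TcpChannelThread] - user=carol action=login status=failure reason=user-initiated clientip=198.51.100.7
"""
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4} \w+\s+"
                     r"(?P<component>\w+) \[\d+ (?P<thread>\w+)\] - (?P<kv>.*)$")

def parse_line(line):
    """Return the fields of one splunkd line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"component": m.group("component"), "thread": m.group("thread"),
             "_time": datetime.strptime(m.group("ts"), "%m-%d-%Y %H:%M:%S.%f")}
    for kv in m.group("kv").split():
        if "=" in kv:
            k, v = kv.split("=", 1)
            event[k] = v
    return event

def failed_logins_by_user_ip(log_text):
    """SPL equivalent: UiAuth login failures on TcpChannelThread, stats by user/status/action/clientip."""
    stats = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["component"] != "UiAuth" or e["thread"] != "TcpChannelThread":
            continue
        if e.get("status") != "failure" or e.get("action") != "login":
            continue
        key = (e["user"], e["status"], e["action"], e["clientip"])
        row = stats.setdefault(key, {"count": 0, "firstTime": e["_time"], "lastTime": e["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], e["_time"])
        row["lastTime"] = max(row["lastTime"], e["_time"])
    return stats

def users_tried_per_ip(stats):
    """Hunting pivot: how many distinct usernames each client IP failed to log in as."""
    per_ip = defaultdict(set)
    for user, _status, _action, clientip in stats:
        per_ip[clientip].add(user)
    return {ip: len(users) for ip, users in per_ip.items()}
```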