This is a hunting search and will produce false positives. The operator must follow results into instances where curl requests coming from actual users may indicate intent of exploitation.

Techniques

Sample rules

Splunk Enterprise KV Store Incorrect Authorization

Description

In Splunk Enterprise versions below 9.0.8 and 9.1.3, the Splunk app key value store (KV Store) improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.

Detection logic

`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload 
| stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_enterprise_kv_store_incorrect_authorization_filter`
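The same filter and aggregation as the search above, re-implemented in Python over a few constructed splunkd access-log lines so the logic can be checked offline. This is an added example, not part of the LoFP entry or the Splunk detection; the log layout, the host name and the derivation of `file` from the last URI segment are assumptions, and the `users` field is an addition to help the triage the false-positive note calls for.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a splunkd_access.log style (assumed layout, not real data).
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Dec/2023:10:15:22.123 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 512 - - - 5ms
10.0.0.5 - alice [12/Dec/2023:10:16:02.001 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 512 - - - 4ms
10.0.0.9 - bob [12/Dec/2023:10:20:10.400 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 403 120 - - - 2ms
10.0.0.7 - carol [12/Dec/2023:10:21:00.000 +0000] "GET /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 512 - - - 3ms
10.0.0.5 - alice [12/Dec/2023:10:22:30.000 +0000] "POST /servicesNS/nobody/search/storage/collections/data/mycoll HTTP/1.1" 201 80 - - - 6ms
"""

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_URI = "/servicesNS/nobody/search/admin/collections-conf/_reload"

def parse_line(line, host):
    """Parse one access-log line into a dict of the fields the search uses."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["host"] = host                               # assumed: one log file per search head
    ev["file"] = ev["uri"].rsplit("/", 1)[-1]       # assumed: file = last URI path segment
    ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    return ev

def matches(ev):
    """uri=... status=2* method="POST" user=* file=_reload"""
    return (ev["uri"] == TARGET_URI and ev["status"].startswith("2")
            and ev["method"] == "POST" and ev["user"] and ev["file"] == "_reload")

def detect(log_text, host="splunk-sh-01"):
    """stats count min(_time) max(_time) values(status) by host clientip file method."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, host)
        if ev and matches(ev):
            groups[(ev["host"], ev["clientip"], ev["file"], ev["method"])].append(ev)
    rows = []
    for (h, ip, f, meth), evs in groups.items():
        times = [e["_time"] for e in evs]
        rows.append({"host": h, "clientip": ip, "file": f, "method": meth,
                     "count": len(evs),
                     "firstTime": min(times).isoformat(), "lastTime": max(times).isoformat(),
                     "status": sorted({e["status"] for e in evs}),
                     "users": sorted({e["user"] for e in evs})})  # extra field for triage
    return rows
```

The 403 reload attempt and the GET are dropped by the filter, so only the two successful POST reloads from 10.0.0.5 survive; whether those reflect an actual user exercising the API is what the operator still has to establish.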