This is a hunting search and will produce false positives. The operator must follow up on results to identify instances where curl requests coming from actual users may indicate intent of exploitation.

Techniques

Sample rules

Splunk Enterprise KV Store Incorrect Authorization

Description

The following analytic detects unauthorized attempts to reload Splunk KV Store collections via the REST API. It leverages internal index logs to identify POST requests to the /servicesNS/nobody/search/admin/collections-conf/_reload endpoint, focusing on status codes starting with ‘2’. This activity is significant as it may indicate improper permission handling, potentially leading to unauthorized deletion of KV Store collections. If confirmed malicious, this could result in data loss or unauthorized data manipulation, impacting the integrity and availability of critical Splunk data.

Detection logic

`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload
| stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_enterprise_kv_store_incorrect_authorization_filter`