Splunk Enterprise KV Store Incorrect Authorization
- source: splunk
- techniques:
  - T1548
Description
In Splunk Enterprise versions below 9.0.8 and 9.1.3, the Splunk app key value store (KV Store) improperly handles permissions for users using the REST application programming interface (API). This can potentially result in the deletion of KV Store collections.
Detection logic
`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload
| stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_enterprise_kv_store_incorrect_authorization_filter`
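As an added illustration that is not part of the Splunk security content rule, the following Python applies the same filter (POST to the collections-conf `_reload` endpoint with a 2xx status) and the same `stats ... by host clientip file method` grouping to constructed splunkd_access-style log lines. The line format, the per-line host labels and the sample values are assumptions; the `splunkda` and filter macros are not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed splunkd_access-style lines (not real captured data). The host that
# wrote each line is carried alongside it, since the access-log line itself lacks it.
SAMPLE_EVENTS = [
    ("sh1", '10.0.0.5 - alice [02/Jan/2024:10:00:01.000 +0000] '
            '"POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 55 - - - 3ms'),
    ("sh1", '10.0.0.5 - alice [02/Jan/2024:10:00:09.000 +0000] '
            '"POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 55 - - - 2ms'),
    ("sh1", '10.0.0.7 - bob [02/Jan/2024:10:01:00.000 +0000] '
            '"GET /servicesNS/nobody/search/admin/collections-conf HTTP/1.1" 200 1024 - - - 4ms'),
    ("sh2", '10.0.0.9 - carol [02/Jan/2024:10:02:00.000 +0000] '
            '"POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 403 0 - - - 1ms'),
]

LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_URI = "/servicesNS/nobody/search/admin/collections-conf/_reload"

def parse_line(line):
    """Extract the fields the SPL search filters on; None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
    ev["file"] = ev["uri"].rsplit("/", 1)[-1]   # last path segment, like Splunk's file field
    return ev

def detect(events):
    """Filter as the search does, then count/min(_time)/max(_time)/values(status) per group."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "status": set()})
    for host, line in events:
        ev = parse_line(line)
        if ev is None:
            continue
        if not (ev["uri"] == TARGET_URI and ev["method"] == "POST"
                and ev["status"].startswith("2") and ev["file"] == "_reload"):
            continue
        g = groups[(host, ev["clientip"], ev["file"], ev["method"])]
        g["count"] += 1
        g["firstTime"] = ev["_time"] if g["firstTime"] is None else min(g["firstTime"], ev["_time"])
        g["lastTime"] = ev["_time"] if g["lastTime"] is None else max(g["lastTime"], ev["_time"])
        g["status"].add(ev["status"])
    return {k: {**v, "status": sorted(v["status"])} for k, v in groups.items()}
```

Only the two successful reloads from 10.0.0.5 survive; the GET on the collection and the 403 are dropped, which is the same behaviour the SPL search shows before its allow-list macro is applied.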