Splunk Enterprise KV Store Incorrect Authorization
- source: splunk
- techniques:
Description
The following analytic detects unauthorized attempts to reload Splunk KV Store collections via the REST API. It leverages internal index logs to identify POST requests to the /servicesNS/nobody/search/admin/collections-conf/_reload endpoint, focusing on status codes starting with ‘2’. This activity is significant as it may indicate improper permission handling, potentially leading to unauthorized deletion of KV Store collections. If confirmed malicious, this could result in data loss or unauthorized data manipulation, impacting the integrity and availability of critical Splunk data.
Detection logic
`splunkda` uri=/servicesNS/nobody/search/admin/collections-conf/_reload status=2* method="POST" user=* file=_reload
| stats count min(_time) as firstTime max(_time) as lastTime values(status) as status by host clientip file method
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_enterprise_kv_store_incorrect_authorization_filter`
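The search above, re-implemented as an added Python example that is not part of the rule or of Splunk's own content, run over constructed splunkd_access-style lines. It assumes the `splunkda` macro selects the internal splunkd access log, that the `file` field is the last path segment of `uri`, and that `host` arrives as event metadata; `ctime` is a hypothetical stand-in for `security_content_ctime`.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

TARGET_URI = "/servicesNS/nobody/search/admin/collections-conf/_reload"

# Constructed sample events in splunkd_access style as (host, raw line); only the first two match.
SAMPLE_EVENTS = [
    ("sh1", '10.0.0.5 - alice [12/Mar/2024:10:15:22.123 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 42 - - - 5ms'),
    ("sh1", '10.0.0.5 - alice [12/Mar/2024:10:16:02.001 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 204 0 - - - 3ms'),
    ("sh1", '10.0.0.9 - bob [12/Mar/2024:10:17:40.500 +0000] "POST /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 403 120 - - - 2ms'),
    ("sh1", '10.0.0.9 - bob [12/Mar/2024:10:18:11.000 +0000] "GET /servicesNS/nobody/search/admin/collections-conf/_reload HTTP/1.1" 200 80 - - - 1ms'),
    ("sh2", '10.0.0.7 - carol [12/Mar/2024:10:19:00.000 +0000] "POST /servicesNS/nobody/search/storage/collections/config HTTP/1.1" 201 10 - - - 4ms'),
]

# clientip - user [timestamp] "METHOD uri PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

def parse(line):
    # Extract the fields the search uses; 'file' is the last URI path segment.
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["_time"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S.%f %z").timestamp()
    e["file"] = e["uri"].rsplit("/", 1)[-1]
    return e

def matches(e):
    """Filter clause: uri=<target> status=2* method="POST" user=* file=_reload."""
    return (e["uri"] == TARGET_URI and e["status"].startswith("2")
            and e["method"] == "POST" and e["file"] == "_reload")

def ctime(epoch):  # stand-in for security_content_ctime (epoch -> readable UTC)
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")

def detect(events):
    """stats count min(_time) max(_time) values(status) by host clientip file method."""
    groups = defaultdict(list)
    for host, line in events:
        e = parse(line)
        if e and matches(e):
            groups[(host, e["clientip"], e["file"], e["method"])].append(e)
    return {key: {"count": len(es),
                  "firstTime": ctime(min(x["_time"] for x in es)),
                  "lastTime": ctime(max(x["_time"] for x in es)),
                  "status": sorted({x["status"] for x in es})}
            for key, es in groups.items()}
```

The 403 attempt, the GET, and the request to a different collections endpoint are dropped by the filter, so only the two successful reloads from 10.0.0.5 surface as one aggregated row.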