Techniques
Sample rules
Splunk Improperly Formatted Parameter Crashes splunkd
- source: splunk
- techniques:
- T1499
Description
In Splunk Enterprise versions below 8.1.13, 8.2.10, and 9.0.4, an improperly formatted INGEST_EVAL parameter crashes splunkd. This hunting search reports the user who ran the crashing command, when it was run, and how many times it was executed.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Splunk_Audit.Search_Activity where (Search_Activity.search="*makeresults*" AND Search_Activity.search="*ingestpreview*transforms*") Search_Activity.search_type=adhoc Search_Activity.search!="*splunk_improperly_formatted_parameter_crashes_splunkd_filter*" Search_Activity.user!=splunk-system-user by Search_Activity.search, Search_Activity.info, Search_Activity.total_run_time, Search_Activity.user, Search_Activity.search_type
| `drop_dm_object_name(Search_Activity)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_improperly_formatted_parameter_crashes_splunkd_filter`
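To make the where-clause and the by-clause of the tstats search above concrete, here is an added Python re-implementation of the same logic run over a handful of constructed Splunk_Audit.Search_Activity-style records. This is illustration code written for this page, not part of the Splunk Security Content project; the records, users and timestamps are invented, and Splunk's wildcard field matching is approximated as case-insensitive glob matching (an assumption, adequate for the two `*...*` patterns the rule uses).

```python
from collections import defaultdict
from fnmatch import fnmatchcase

FILTER_MACRO = "splunk_improperly_formatted_parameter_crashes_splunkd_filter"

# Constructed Search_Activity-style records (epoch seconds); every value is invented.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "user": "analyst1", "search_type": "adhoc", "info": "completed",
     "total_run_time": 0.42,
     "search": '| makeresults | eval _raw="x" | ingestpreview transforms=broken_stanza'},
    {"_time": 1700000060, "user": "analyst1", "search_type": "adhoc", "info": "completed",
     "total_run_time": 0.42,
     "search": '| makeresults | eval _raw="x" | ingestpreview transforms=broken_stanza'},
    # same commands in upper case: Splunk field matching is case-insensitive
    {"_time": 1700000120, "user": "analyst2", "search_type": "adhoc", "info": "granted",
     "total_run_time": 0.10,
     "search": '| MAKERESULTS | INGESTPREVIEW transforms=other_stanza'},
    # scheduled search: search_type is not adhoc, so the rule ignores it
    {"_time": 1700000180, "user": "analyst2", "search_type": "scheduled", "info": "completed",
     "total_run_time": 0.30,
     "search": '| makeresults | ingestpreview transforms=broken_stanza'},
    # internal system user: excluded by the user!= clause
    {"_time": 1700000240, "user": "splunk-system-user", "search_type": "adhoc", "info": "completed",
     "total_run_time": 0.30,
     "search": '| makeresults | ingestpreview transforms=broken_stanza'},
    # makeresults without ingestpreview: only one of the two wildcards matches
    {"_time": 1700000300, "user": "analyst3", "search_type": "adhoc", "info": "completed",
     "total_run_time": 0.05,
     "search": '| makeresults count=5'},
    # a search that mentions the detection's own filter macro is excluded
    {"_time": 1700000360, "user": "analyst3", "search_type": "adhoc", "info": "completed",
     "total_run_time": 0.05,
     "search": f'| makeresults | ingestpreview transforms=x | `{FILTER_MACRO}`'},
]


def splunk_match(value, pattern):
    """Approximate Splunk wildcard matching on a field value: '*' matches any
    run of characters and the comparison is case-insensitive (assumption)."""
    return fnmatchcase(str(value).lower(), pattern.lower())


def matches_detection(event):
    """The where-clause of the tstats search, evaluated for one event."""
    search = event.get("search", "")
    return (
        splunk_match(search, "*makeresults*")
        and splunk_match(search, "*ingestpreview*transforms*")
        and event.get("search_type") == "adhoc"
        and not splunk_match(search, f"*{FILTER_MACRO}*")
        and event.get("user") != "splunk-system-user"
    )


# The by-clause of the tstats search, with the Search_Activity prefix dropped
GROUP_BY = ("search", "info", "total_run_time", "user", "search_type")


def hunt(events):
    """count, min(_time) as firstTime, max(_time) as lastTime ... by GROUP_BY."""
    groups = defaultdict(list)
    for ev in events:
        if matches_detection(ev):
            groups[tuple(ev.get(f) for f in GROUP_BY)].append(ev["_time"])
    rows = []
    for key, times in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=len(times), firstTime=min(times), lastTime=max(times))
        rows.append(row)
    rows.sort(key=lambda r: r["firstTime"])
    return rows


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: analyst1 with count 2 (firstTime 1700000000, lastTime 1700000060) and analyst2 with count 1; the scheduled search, the system user, the plain makeresults search and the search quoting the filter macro are all dropped, which is exactly the set of exclusions the SPL where-clause encodes. Because `total_run_time` is part of the by-clause, repeated executions only collapse into one row when their run times are identical, so in production you will often see several rows per user for the same search text.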