LoFP / This is a hunting search that returns verbose results for this endpoint. The operator must consider details such as client IP address, user agent, user (especially low-privilege accounts) and host to investigate a possible attack.

Techniques

Sample rules

Splunk RBAC Bypass On Indexing Preview REST Endpoint

Description

An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.

Detection logic

`splunkda` method="POST" uri="*/services/indexing/preview*" 
| table host clientip status useragent user uri_path 
| `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`
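As an added example (not part of this LoFP page or of the Splunk rule), the following Python replays the detection logic and the triage step from the false-positive note over a few constructed log lines. The lines are loosely modelled on Splunk's splunkd_access.log layout with a host name prefixed to each one; that layout, the host prefix, the KNOWN_ADMINS allowlist and the KNOWN_AGENTS prefix list are all assumptions for this stand-alone demo. It also shows one caveat of the rule's wildcard: `*/services/indexing/preview*` does not match a namespaced `/servicesNS/...` form of the path, so such a request is not in the result set.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (not real Splunk logs). Format assumed:
# <host> <clientip> - <user> [<ts>] "<method> <uri> HTTP/1.1" <status> <bytes> "<referer>" "<useragent>" - <time>
SAMPLE_LOG = """\
splunk-sh01 10.0.0.5 - admin [12/Mar/2024:09:15:01.123 +0000] "POST /services/indexing/preview?output_mode=json HTTP/1.1" 200 512 "-" "Splunk/9.0.5" - 12ms
splunk-sh01 203.0.113.17 - analyst_ro [12/Mar/2024:09:16:44.981 +0000] "POST /services/indexing/preview HTTP/1.1" 200 512 "-" "python-requests/2.31.0" - 9ms
splunk-sh01 10.0.0.5 - admin [12/Mar/2024:09:17:02.000 +0000] "GET /services/indexing/preview HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 4ms
splunk-sh02 198.51.100.9 - guest_user [12/Mar/2024:09:18:30.555 +0000] "POST /servicesNS/nobody/search/indexing/preview?sid=1710234567.123 HTTP/1.1" 403 128 "-" "curl/8.4.0" - 3ms
splunk-sh02 10.0.0.8 - admin [12/Mar/2024:09:19:00.000 +0000] "POST /services/search/jobs HTTP/1.1" 201 64 "-" "Splunk/9.0.5" - 7ms
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) \S+" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"'
)

# Triage allowlists: assumptions, tune to your own environment.
KNOWN_ADMINS = {"admin"}
KNOWN_AGENTS = ("Splunk/",)


@dataclass
class Hit:
    """One row of the rule's `table host clientip status useragent user uri_path`."""
    host: str
    clientip: str
    status: int
    useragent: str
    user: str
    uri_path: str
    suspicious: bool  # set by the triage step, not by the rule itself


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse the access-log lines into field dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def search_preview_posts(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Equivalent of: `splunkda` method="POST" uri="*/services/indexing/preview*"

    The substring test mirrors the SPL wildcard match, so a /servicesNS/... path
    is deliberately NOT matched, exactly as the rule would not match it.
    """
    return [
        e for e in events
        if e["method"] == "POST" and "/services/indexing/preview" in e["uri"]
    ]


def triage(events: List[Dict[str, str]]) -> List[Hit]:
    """Build the rule's table and apply the false-positive note's checks.

    A hit is flagged when the user is not a known admin account or the user
    agent is not Splunk's own client, the two signals the note tells the
    operator to look at first.
    """
    hits = []
    for e in search_preview_posts(events):
        uri_path = e["uri"].split("?", 1)[0]  # SPL's uri_path drops the query string
        low_priv = e["user"] not in KNOWN_ADMINS
        odd_agent = not e["useragent"].startswith(KNOWN_AGENTS)
        hits.append(Hit(e["host"], e["clientip"], int(e["status"]),
                        e["useragent"], e["user"], uri_path, low_priv or odd_agent))
    return hits


if __name__ == "__main__":
    for h in triage(parse_events(SAMPLE_LOG)):
        flag = "INVESTIGATE" if h.suspicious else "expected"
        print(f"{h.host:12} {h.clientip:15} {h.status} {h.user:12} {h.useragent:24} {h.uri_path} {flag}")
```

Of the five constructed events only two reach the table: the admin request from Splunk's own client (expected) and the one from a read-only account using python-requests (investigate). The GET, the unrelated endpoint and the namespaced path are excluded, the last one because of the wildcard anchoring noted above.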