Splunk RBAC Bypass On Indexing Preview REST Endpoint
- source: splunk
- techniques:
  - T1134
Description
An unauthorized user can use the /services/indexing/preview REST endpoint to overwrite search results if they know the search ID (SID) of an existing search job.
Detection logic
`splunkda` method="POST" uri="*/services/indexing/preview*"
| table host clientip status useragent user uri_path
| `splunk_rbac_bypass_on_indexing_preview_rest_endpoint_filter`
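The search above expressed as a small offline check, added here as an example and not part of the Splunk rule itself: it parses splunkd access-log style lines, keeps only POST requests whose URI matches the `*/services/indexing/preview*` wildcard, and projects the same columns as the `table` command. It assumes the `splunkda` macro resolves to splunkd_access events and that those lines use the combined-log layout shown in the constructed samples; the log lines, hosts and users are all constructed.

```python
import re
from fnmatch import fnmatchcase

# Assumed splunkd_access line layout: clientip, user, timestamp, request, status, bytes, referer, user agent.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"'
)

# The SPL conditions: method="POST" uri="*/services/indexing/preview*", then the table columns.
METHOD = "POST"
URI_PATTERN = "*/services/indexing/preview*"
TABLE_FIELDS = ("host", "clientip", "status", "useragent", "user", "uri_path")

def parse_access_line(host, line):
    """Return a field dict for one access-log line, or None if it does not parse."""
    m = ACCESS_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["host"] = host
    fields["status"] = int(fields["status"])
    fields["uri_path"] = fields["uri"].split("?", 1)[0]  # query string stripped, as in uri_path
    return fields

def detect_preview_posts(events):
    """Apply the rule and project the same columns as the SPL `table` command."""
    hits = []
    for host, line in events:
        ev = parse_access_line(host, line)
        if ev is None or ev["method"] != METHOD:
            continue
        if not fnmatchcase(ev["uri"], URI_PATTERN):  # SPL-style wildcard match on uri
            continue
        hits.append({k: ev[k] for k in TABLE_FIELDS})
    return hits

# Constructed sample events as (host, splunkd_access line) pairs.
SAMPLE_EVENTS = [
    ("sh1", '10.0.0.5 - analyst [01/Mar/2024:10:01:02.100 +0000] '
            '"POST /services/indexing/preview?output_mode=json HTTP/1.1" 200 512 "-" "curl/8.4.0" - 4ms'),
    ("sh1", '10.0.0.7 - admin [01/Mar/2024:10:01:05.220 +0000] '
            '"GET /services/indexing/preview HTTP/1.1" 200 210 "-" "Mozilla/5.0" - 2ms'),
    ("sh2", '10.0.0.9 - guest [01/Mar/2024:10:02:11.050 +0000] '
            '"POST /services/indexing/preview HTTP/1.1" 403 89 "-" "python-requests/2.31" - 1ms'),
    ("sh2", '10.0.0.9 - guest [01/Mar/2024:10:02:12.000 +0000] '
            '"POST /services/search/jobs HTTP/1.1" 201 300 "-" "python-requests/2.31" - 9ms'),
]
```

The 403 hit is worth keeping in the table: a denied POST to the endpoint from a low-privilege user is exactly the probing the description warns about, while the GET and the search/jobs POST fall outside the rule.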