LoFP / This search tries to address validation of server and client certificates within Splunk infrastructure; it might produce results from accidental or unintended requests to port 8089.

Techniques

Sample rules

Splunk protocol impersonation weak encryption simplerequest

Description

On Splunk version 9, the Python 3 client libraries verify server certificates by default and use the CA certificate store. This search warns a user about a failure to validate a certificate when making a request from Python 3.

Detection logic

`splunk_python` "simpleRequest SSL certificate validation is enabled without hostname verification" 
| stats count by host path 
| `splunk_protocol_impersonation_weak_encryption_simplerequest_filter`
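Added example, not part of the LoFP page or of Splunk's own content: the search above emulated in Python over constructed events, with a stand-in for the `_filter` macro that suppresses host/path pairs an analyst has already reviewed (for instance a host known to make accidental port-8089 requests). The `host` and `path` field names follow the SPL; the log line layout and file paths are assumptions.

```python
from collections import Counter

# Exact phrase the search keys on. A quoted phrase in SPL matches
# case-insensitively, so the emulation lower-cases both sides.
WEAK_SSL_MESSAGE = "simpleRequest SSL certificate validation is enabled without hostname verification"

# Constructed sample events in the shape `splunk_python` returns them
# (host, path and _raw). Not captured data; the line layout is assumed.
SAMPLE_EVENTS = [
    {"host": "sh-01", "path": "/opt/splunk/var/log/splunk/python.log",
     "_raw": "2024-01-10 10:00:01,120 WARNING [12345] simpleRequest SSL certificate validation is enabled without hostname verification"},
    {"host": "sh-01", "path": "/opt/splunk/var/log/splunk/python.log",
     "_raw": "2024-01-10 10:00:02,300 WARNING [12345] simpleRequest SSL certificate validation is enabled without hostname verification"},
    {"host": "idx-02", "path": "/opt/splunk/var/log/splunk/python.log",
     "_raw": "2024-01-10 10:05:44,002 INFO [777] simpleRequest completed in 12ms"},
    {"host": "hf-03", "path": "/opt/splunk/var/log/splunk/python.log",
     "_raw": "2024-01-10 10:07:10,501 WARNING [999] simpleRequest SSL certificate validation is enabled without hostname verification"},
]


def stats_count_by_host_path(events):
    """`"<message>" | stats count by host path` as a Counter keyed (host, path)."""
    needle = WEAK_SSL_MESSAGE.lower()
    return Counter((e["host"], e["path"]) for e in events if needle in e["_raw"].lower())


def apply_filter(counts, allowlist):
    """Stand-in for the `_filter` macro: drop (host, path) pairs that were
    reviewed and accepted as benign, e.g. a known source of stray 8089 requests."""
    return {key: n for key, n in counts.items() if key not in allowlist}


def run_detection(events, allowlist=frozenset()):
    """Full pipeline: phrase match, aggregate, then suppress reviewed pairs."""
    return apply_filter(stats_count_by_host_path(events), allowlist)


if __name__ == "__main__":
    for (host, path), n in run_detection(SAMPLE_EVENTS).items():
        print(f"{host}\t{path}\t{n}")
```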