This search shows the exact DoS event via the error message and investigation id. The error, however, does not point directly at the uploader: every user associated with the affected investigation will hit it, so the `user` field names who saw the error, not who caused it. The operator must pivot on the investigation id to trace the possible origin of the malicious upload. The attack affects only the specific investigation, not the investigation manager.

Techniques

Sample rules

Splunk ES DoS Through Investigation Attachments

Description

In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) against an Investigation. The attachment endpoint does not properly limit the size of the request, which lets an attacker render the Investigation inaccessible.

Detection logic

`splunkd_investigation_rest_handler` status=error object=investigation 
| stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `splunk_es_dos_through_investigation_attachments_filter`
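The following is an added example, not code from the original page, from Splunk, or from the ESCU project. It mirrors the stats pipeline above in plain Python over constructed log lines, so the grouping and the false-positive caveat can be checked offline: the key=value line layout, the field names (`status`, `object`, `id`, `user`, `msg`), and the message texts are assumptions, since the real `splunkd_investigation_rest_handler` macro resolves to Splunk's own internal log source. The `users_per_investigation` pivot is not in the SPL; it illustrates why triage should key on `investigation_id` rather than `user`.

```python
"""Mirror of the SPL above, run over constructed log lines.

Added example, not Splunk or ESCU code. Line format, field names and message
texts are assumptions; only the filter/aggregation shape follows the search.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events (NOT real splunkd output). Two analysts hit the
# same broken investigation; a success line and an unrelated error are noise.
SAMPLE_LOGS = [
    '2024-03-05T10:15:02 status=success object=investigation id=inv-0001 user=analyst1 msg="attachment stored"',
    '2024-03-05T10:15:40 status=error object=investigation id=inv-0001 user=analyst1 msg="failed to load investigation"',
    '2024-03-05T10:16:05 status=error object=investigation id=inv-0001 user=analyst2 msg="failed to load investigation"',
    '2024-03-05T10:20:11 status=error object=investigation id=inv-0001 user=analyst1 msg="failed to load investigation"',
    '2024-03-05T10:21:00 status=error object=notable id=nt-77 user=analyst3 msg="unrelated error"',
]

# key=value pairs; values may be double-quoted to allow spaces
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Split a line into a timestamp plus its key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = {}
    for key, raw, quoted in KV_RE.findall(rest):
        fields[key] = quoted if raw.startswith('"') else raw
    fields["_time"] = datetime.fromisoformat(ts)
    return fields


def detect(lines):
    """Equivalent of: status=error object=investigation
    | stats min(_time) max(_time) values(status) values(msg) values(id) by user
    """
    by_user = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev.get("status") == "error" and ev.get("object") == "investigation":
            by_user[ev["user"]].append(ev)

    results = {}
    for user, evs in by_user.items():
        results[user] = {
            "firstTime": min(e["_time"] for e in evs).isoformat(),
            "lastTime": max(e["_time"] for e in evs).isoformat(),
            "status": sorted({e["status"] for e in evs}),
            "msg": sorted({e["msg"] for e in evs}),
            "investigation_id": sorted({e["id"] for e in evs}),
        }
    return results


def users_per_investigation(results):
    """Pivot for the false-positive note: `user` lists everyone who hit the
    error, not the uploader, so group the rows by investigation id instead."""
    pivot = defaultdict(set)
    for user, row in results.items():
        for inv in row["investigation_id"]:
            pivot[inv].add(user)
    return {inv: sorted(users) for inv, users in pivot.items()}


if __name__ == "__main__":
    rows = detect(SAMPLE_LOGS)
    for user, row in rows.items():
        print(user, row)
    print(users_per_investigation(rows))
```

Running it yields one row per affected user (analyst1 and analyst2) for `inv-0001`, while the unrelated `object=notable` error is dropped by the filter. The pivot then shows that both users map to the same investigation, which is the identifier the operator should start from when looking for the upload that triggered the condition.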