Splunk ES DoS Through Investigation Attachments
- source: splunk
- techniques:
- T1499
Description
In Splunk Enterprise Security (ES) versions below 7.1.2, an attacker can use investigation attachments to perform a denial of service (DoS) against the Investigation feature. The attachment endpoint does not properly limit the size of the request, which lets an attacker render the Investigation inaccessible.
Detection logic
`splunkd_investigation_rest_handler` status=error object=investigation
| stats min(_time) as firstTime max(_time) as lastTime values(status) as status values(msg) as msg values(id) as investigation_id by user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_es_dos_through_investigation_attachments_filter`
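The search above reduces to a filter (status=error on the investigation object) followed by a per-user aggregation. The following added example, which is not part of the Splunk security content and not Splunk code, reproduces that logic in Python over constructed key=value log lines so the output of the `stats` step can be inspected offline. The log format, field names (`status`, `object`, `user`, `msg`, `id`) and the `allowed_users` tuning list are assumptions; the real events are whatever the `splunkd_investigation_rest_handler` macro selects.

```python
import re
from datetime import datetime, timezone

# Constructed sample events (not real splunkd output). The timestamp stands
# in for _time; the remaining key=value pairs mirror the fields the SPL
# search references.
SAMPLE_LOGS = [
    '2024-05-01T10:00:00Z status=error object=investigation user=alice '
    'msg="attachment too large" id=inv-001',
    '2024-05-01T10:00:05Z status=error object=investigation user=alice '
    'msg="attachment too large" id=inv-001',
    '2024-05-01T10:01:00Z status=ok object=investigation user=bob '
    'msg="created" id=inv-002',
    '2024-05-01T10:02:00Z status=error object=note user=bob '
    'msg="failed" id=note-1',
    '2024-05-01T10:03:00Z status=error object=investigation user=bob '
    'msg="request exceeded limit" id=inv-002',
]

# key=value or key="quoted value"
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one constructed log line into a field dict with a UTC _time."""
    ts, _, rest = line.partition(' ')
    fields = {}
    for m in KV_RE.finditer(rest):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    fields['_time'] = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ').replace(
        tzinfo=timezone.utc)
    return fields


def detect(lines):
    """Equivalent of:
       status=error object=investigation
       | stats min(_time) as firstTime max(_time) as lastTime
               values(status) as status values(msg) as msg
               values(id) as investigation_id by user
    Returns {user: aggregate dict}."""
    by_user = {}
    for line in lines:
        ev = parse_event(line)
        # the search's where-clause: only error events on investigations
        if ev.get('status') != 'error' or ev.get('object') != 'investigation':
            continue
        agg = by_user.setdefault(ev['user'], {
            'firstTime': ev['_time'], 'lastTime': ev['_time'],
            'status': set(), 'msg': set(), 'investigation_id': set(),
            'count': 0,
        })
        agg['firstTime'] = min(agg['firstTime'], ev['_time'])
        agg['lastTime'] = max(agg['lastTime'], ev['_time'])
        agg['status'].add(ev['status'])
        agg['msg'].add(ev.get('msg', ''))
        agg['investigation_id'].add(ev.get('id', ''))
        agg['count'] += 1
    return by_user


def apply_filter(results, allowed_users=()):
    """Assumed analogue of the trailing *_filter macro: drop users an
    analyst has tuned out locally (e.g. a known test account)."""
    return {u: a for u, a in results.items() if u not in allowed_users}


if __name__ == '__main__':
    for user, agg in apply_filter(detect(SAMPLE_LOGS)).items():
        print(user, agg['firstTime'].isoformat(), agg['lastTime'].isoformat(),
              sorted(agg['msg']), sorted(agg['investigation_id']), agg['count'])
```

Events with status=ok or on a non-investigation object are dropped before aggregation, exactly as in the SPL, so a single user issuing repeated oversized-attachment requests surfaces as one row with a tight firstTime/lastTime window and a high count; the `apply_filter` step is where site-specific exclusions belong rather than in the base search.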