Techniques
Sample rules
Splunk protocol impersonation weak encryption selfsigned
- source: splunk
- techniques:
- T1588.004
Description
On June 14th 2022, Splunk released a vulnerability advisory addressing Python TLS validation, which was not set before Splunk version 9. This search displays events showing a WARNING about the use of Splunk-issued default self-signed certificates.
Detection logic
`splunkd` certificate event_message="X509 certificate* should not be used*"
| stats count by host CN component log_level
| `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`
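
A Python emulation of the search above, added here as an illustration and not part of the original rule, showing which events the wildcard keeps and how the `stats` grouping collapses them. The sample events, host names and message wording are constructed, and reading CN from a `CN=` pair inside the message is an assumption about how that field is extracted.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Wildcard pattern and by-fields copied from the search on this page.
PATTERN = "X509 certificate* should not be used*"
BY_FIELDS = ("host", "CN", "component", "log_level")

def ev(host, level, message):
    """Build one constructed event; the component name is illustrative."""
    return {"host": host, "component": "X509Verify",
            "log_level": level, "event_message": message}

# Constructed sample events, not real logs.
SAMPLE_EVENTS = [
    ev("idx01", "WARN", "X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, default CA"),
    ev("idx01", "WARN", "X509 certificate (O=SplunkUser,CN=SplunkServerDefaultCert) should not be used, default CA"),
    ev("hf02", "WARN", "x509 certificate (CN=SplunkServerDefaultCert) should not be used"),
    ev("sh01", "INFO", "X509 certificate (CN=sh01.example.internal) verified"),  # no match
    ev("idx01", "WARN", "X509 certificate should not be used"),  # matches, but no CN
]

def matches(message):
    # field="value*" compares the whole field value, case-insensitively,
    # with * standing for any run of characters.
    return fnmatchcase(message.lower(), PATTERN.lower())

def extract_cn(message):
    # Assumption: CN is a key=value pair embedded in the message text.
    m = re.search(r"CN=([^,)\s]+)", message)
    return m.group(1) if m else None

def detect(events):
    """Emulate: <pattern filter> | stats count by host CN component log_level."""
    counts = Counter()
    for e in events:
        if not matches(e["event_message"]):
            continue
        row = dict(e, CN=extract_cn(e["event_message"]))
        # stats leaves out events where any by-field has no value.
        if any(row.get(f) is None for f in BY_FIELDS):
            continue
        counts[tuple(row[f] for f in BY_FIELDS)] += 1
    return dict(counts)

if __name__ == "__main__":
    for key, count in detect(SAMPLE_EVENTS).items():
        print(dict(zip(BY_FIELDS, key)), "count =", count)
```

An event that matches the message pattern but carries no CN value drops out at the `stats` step, so a gap in field extraction hides hosts from the result even though the warning was logged.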