LoFP / This search finds self-signed certificates issued by Splunk's own default certificate authority, which are not recommended from Splunk version 9 forward.

Techniques

Sample rules

Splunk protocol impersonation weak encryption selfsigned

Description

On June 14th 2022, Splunk released a vulnerability advisory addressing Python TLS validation, which was not enabled before Splunk version 9. This search displays events where splunkd logs a WARNING that a Splunk-issued default self-signed certificate is in use.

Detection logic

`splunkd` certificate event_message="X509 certificate* should not be used*" 
| stats count by host CN component log_level 
| `splunk_protocol_impersonation_weak_encryption_selfsigned_filter`
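To see how the search above behaves over actual log text, here is an added example (not part of the original page and not Splunk's own code) that mimics its field extraction, the case-insensitive wildcard match on `event_message`, and `stats count by host CN component log_level` in Python over constructed splunkd-style lines. Assumptions: the splunkd.log line layout and the wording of the X509 warning are written from memory and are illustrative, the leading host token stands in for the `host` metadata field that Splunk attaches at index time (real splunkd.log lines do not carry it), and the `*_filter` macro is modelled as a plain host allowlist, which is one common way such filter macros are tuned.

```python
"""Offline stand-in for the SPL search on this page (added example, not Splunk code)."""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed sample lines. The first token simulates Splunk's `host` field;
# the warning text is illustrative, not copied from a real splunkd.log.
SAMPLE_LOGS = """\
idx01 06-15-2022 10:20:30.123 +0000 WARN X509Verify [12345 TcpInputProc] - X509 certificate (CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA).
idx01 06-15-2022 10:20:31.000 +0000 WARN X509Verify [12345 TcpInputProc] - X509 certificate (CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA).
sh01 06-15-2022 10:21:02.400 +0000 WARN X509Verify [23456 HttpListener] - X509 certificate (CN=SplunkServerDefaultCert) should not be used, as it is issued by Splunk's own default Certificate Authority (CA).
sh01 06-15-2022 10:21:05.000 +0000 INFO TcpOutputProc [23456 TcpOutputProc] - Connected to idx=10.0.0.5:9997
idx02 06-15-2022 10:22:00.000 +0000 WARN X509Verify [34567 TcpInputProc] - X509 certificate (CN=splunk-idx02.corp.example) verified OK
"""

# Assumed splunkd.log layout: <host> <timestamp> <log_level> <component> [<thread>] - <event_message>
LINE_RE = re.compile(
    r"^(?P<host>\S+) "
    r"(?P<ts>\d\d-\d\d-\d{4} \d\d:\d\d:\d\d\.\d+ [+-]\d{4}) "
    r"(?P<log_level>\w+) (?P<component>\w+) "
    r"\[(?P<thread>[^\]]*)\] - (?P<event_message>.*)$"
)
# The CN field the search groups by is pulled out of the message text.
CN_RE = re.compile(r"CN=([^),\s]+)")

# Wildcard from the SPL search; Splunk matches field values case-insensitively.
MESSAGE_PATTERN = "X509 certificate* should not be used*"


def parse_line(line):
    """Extract host, log_level, component, event_message and CN from one line.

    Returns None when the line does not look like a splunkd event.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    cn = CN_RE.search(fields["event_message"])
    fields["CN"] = cn.group(1) if cn else None
    return fields


def matches_search(fields):
    """event_message="X509 certificate* should not be used*", case-insensitive."""
    return fnmatchcase(fields["event_message"].lower(), MESSAGE_PATTERN.lower())


def run_detection(raw_logs, filtered_hosts=frozenset()):
    """Mimic `stats count by host CN component log_level`, then apply the
    filter macro, modelled here (an assumption) as a host allowlist.

    Returns {(host, CN, component, log_level): count}.
    """
    counts = Counter()
    for line in raw_logs.splitlines():
        f = parse_line(line)
        if f is None or not matches_search(f):
            continue
        key = (f["host"], f["CN"], f["component"], f["log_level"])
        # `stats ... by` drops events where any by-field is null.
        if any(v is None for v in key):
            continue
        counts[key] += 1
    return {k: v for k, v in counts.items() if k[0] not in filtered_hosts}


if __name__ == "__main__":
    for key, count in sorted(run_detection(SAMPLE_LOGS).items()):
        print(count, *key)
```

Only the two lines carrying the "should not be used" warning survive the wildcard; the INFO line and the line whose certificate verified cleanly are dropped, and the results group per host so a single lab host that legitimately keeps the default certificate can be suppressed through the filter rather than by weakening the search.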