From 689277d6ee477e66f8164e907ad08da059062f8a Mon Sep 17 00:00:00 2001 
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Tue, 1 Nov 2022 08:12:14 -0700 Subject: [PATCH 01/11] Added a number of macros, tests, and detections in support of release of Splunk vulnerabilities and patches. --- ...on_via_custom_dashboard_leading_to_rce.yml | 53 ++++++++++++++++ ...om_analytics_workspace_using_sid_query.yml | 62 +++++++++++++++++++ ..._gateway__splunk_mobile_alerts_feature.yml | 54 ++++++++++++++++ ...ected_xss_in_the_templates_lists_radio.yml | 54 ++++++++++++++++ ...ed_xss_via_data_model_objectname_field.yml | 55 ++++++++++++++++ ...ave_table_dialog_header_in_search_page.yml | 56 +++++++++++++++++ macros/splunkd_ui.yml | 4 ++ macros/splunkd_webx.yml | 4 ++ macros/splunkda.yml | 4 ++ ...a_custom_dashboard_leading_to_rce.test.yml | 14 +++++ ...alytics_workspace_using_sid_query.test.yml | 14 +++++ ...way__splunk_mobile_alerts_feature.test.yml | 14 +++++ ..._xss_in_the_templates_lists_radio.test.yml | 14 +++++ ...s_via_data_model_objectname_field.test.yml | 14 +++++ ...able_dialog_header_in_search_page.test.yml | 14 +++++ 15 files changed, 430 insertions(+) create mode 100644 detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml create mode 100644 detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml create mode 100644 detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml create mode 100644 detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml create mode 100644 detections/application/splunk_stored_xss_via_data_model_objectname_field.yml create mode 100644 detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml create mode 100644 macros/splunkd_ui.yml create mode 100644 macros/splunkd_webx.yml create mode 100644 macros/splunkda.yml create mode 100644 tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml create mode 100644 
tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml create mode 100644 tests/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.test.yml create mode 100644 tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml create mode 100644 tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml create mode 100644 tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml diff --git a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml new file mode 100644 index 0000000000..6ad561402d --- /dev/null +++ b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml 
@@ -0,0 +1,53 @@
+name: Splunk Code Injection via custom dashboard leading to RCE
+id: b06b41d7-9570-4985-8137-0784f582a1b3
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component.
+search: '`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | join file* [ search index=_internal file=export | table search_id,user]| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+known_false_positives: Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
+references:
+- https://www.splunk.com/en_us/product-security.html
+tags:
+ analytic_story:
+ - Splunk Vulnerabilities
+ asset_type: Endpoint
+ cve: CVE-2022-43571
+ cis20:
+ - CIS 3
+ - CIS 5
+ - CIS 16
+ confidence: 50
+ context:
+ - Source:Endpoint
+ dataset:
+ - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+ impact: 50
+ kill_chain_phases:
+ - Exploitation
+ message: Potential exploitation of Code Injection via Dashboard PDF generation.
+ mitre_attack_id:
+ - T1210
+ nist:
+ - DE.CM
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - user
+ - clientip
+ - uri
+ - uri_path
+ - method
+ - status
+ risk_score: 25
+ security_domain: endpoint
diff --git a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml
new file mode 100644
index 0000000000..b160a900da
--- /dev/null
+++ b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml
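Review bot: `eval URL=urldecode("uri_path")` in the search line decodes the literal string "uri_path", not the field — in SPL eval a double-quoted token is a string constant and a field is referenced bare or in single quotes — so both `rex` extractions run against constant text and `DASHBOARD_TITLE` comes back empty for every user; it should read `eval URL=urldecode(uri_path)`. The capture groups are written `(?[^\/]*)` with no group name, so nothing would populate NAME or NAME1 even with the field fixed; this may be an extraction artifact that dropped `<NAME>`/`<NAME1>`, but it is worth confirming against the committed file. The trailing `join file* [ search index=_internal file=export | table search_id,user ]` joins on a field the subsearch does not return, so it cannot enrich anything; joining on `user` (or dropping the join and tabling the pdfgen/export requests the known_false_positives text points at) would match the stated intent. None of this is caught by the unit test, whose pass condition only requires a non-empty result.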
@@ -0,0 +1,62 @@ +name: Splunk Data exfiltration from Analytics Workspace using sid query +id: b6d77c6c-f011-4b03-8650-8f10edb7c4a8 +version: 1 +date: '2022-11-1' +author: Rod Soto, Eric McGinnis +type: Hunting +datamodel: [] +description: This hunting search allows operator to discover attempts to exfiltrate data by + executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise + versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to + compel a victim to initiate a request within their browser (phishing). + The attacker cannot exploit the vulnerability at will. +search: index=_audit sourcetype=audittrail action=search info=granted search NOT ("index=_audit + sourcetype=audittrail") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" + AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| eval warning=if(match(search,"\\\\\""), + "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query` +how_to_implement: The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. +known_false_positives: This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim. 
+references: +- https://www.splunk.com/en_us/product-security.html +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: Endpoint + cve: + - CVE-2022-43566 + cis20: + - CIS 3 + - CIS 5 + - CIS 16 + confidence: 50 + context: + - Source:Endpoint + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt + impact: 50 + kill_chain_phases: + - Actions on Objectives + message: Potential data exfiltration attack using SID query by $user$ + mitre_attack_id: + - T1567 + nist: + - DE.CM + observable: + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - action + - info + - user + - search_id + - metadata + - user + - _time + risk_score: 25 + security_domain: endpoint diff --git a/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml new file mode 100644 index 0000000000..b8df2181f6 --- /dev/null +++ b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml 
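Review bot: The description says the attack applies to Splunk Enterprise "versions 8.2.9,8.1.12,9.0.2", but those are the releases that carry the fix for CVE-2022-43566; it should read `versions below 8.2.9, 8.1.12 and 9.0.2`, otherwise an operator on a patched build concludes they are the target population. The observable tags `user` with role Attacker, yet the same description says the malicious search is initiated from the victim's browser, so for rows flagged "POTENTIAL INJECTION EXECUTION" the audittrail `user` is the compelled victim's account and risk would be attributed to the wrong principal; either list both roles or say in `message` that the user may be the victim. `required_fields` also lists `user` twice and omits `provenance` and `timestamp`, which the search actually reads.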
@@ -0,0 +1,54 @@
+name: Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
+id: baa41f09-df48-4375-8991-520beea161be
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This hunting search provides information on possible exploitation attempts against Splunk Secure Gateway App Mobile Alerts feature in Splunk versions 9.0, 8.2.x, 8.1.x. An authenticated user can run arbitrary operating system commands remotely through the use of specially crafted requests to the mobile alerts feature in the Splunk Secure Gateway app.
+search: '`splunkd_webx` uri_path="/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" sort="notification.created_at:-1" | table clientip file host method uri_query sort | `splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature_filter`'
+how_to_implement: This search only applies if Splunk Mobile Gateway is deployed in the vulnerable Splunk versions.
+known_false_positives: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. Focus of this search is "uri_path=/servicesNS/nobody/splunk_secure_gateway/storage/collections/data/mobile_alerts*" which is the injection point.
+references:
+- https://www.splunk.com/en_us/product-security.html
+tags:
+ analytic_story:
+ - Splunk Vulnerabilities
+ asset_type: Endpoint
+ cve:
+ - CVE-2022-43567
+ cis20:
+ - CIS 3
+ - CIS 5
+ - CIS 16
+ confidence: 90
+ context:
+ - Source:Endpoint
+ dataset:
+ - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+ impact: 90
+ kill_chain_phases:
+ - Exploitation
+ message: Possible exploitation attempt from $clientip$
+ mitre_attack_id:
+ - T1210
+ nist:
+ - DE.CM
+ observable:
+ - name: clientip
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - uri_path
+ - clientip
+ - file
+ - host
+ - method
+ - sort
+ risk_score: 81
+ security_domain: endpoint
diff --git a/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml
new file mode 100644
index 0000000000..4ca19f2679
--- /dev/null
+++ b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml
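Review bot: The clause `sort="notification.created_at:-1"` treats `sort` as a field of `access_combined_wcookie` events, but in web_access.log that value only appears inside the query string, so unless a `sort` field extraction exists in the environment this clause matches nothing and the hunt is silent; anchoring on the field the search already tables, `uri_query="*sort=notification.created_at*"`, avoids that dependency. With that clause loosened the search returns every request to the mobile_alerts KV store collection — presumably including the Secure Gateway app's own polling — while the tags assert confidence 90 / risk_score 81 and the message reports an exploitation attempt from $clientip$; for a Hunting search that inspects no payload a lower confidence would be more honest. The description gives the affected range as "9.0, 8.2.x, 8.1.x" whereas the sibling detections use the "below 8.2.9, 8.1.12, 9.0.2" form; aligning them removes the ambiguity about whether 9.0.2 is affected.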
@@ -0,0 +1,54 @@ +name: Splunk Reflected XSS in the templates lists radio +id: d532d105-c63f-4049-a8c4-e249127ca425 +version: 1 +date: '2022-10-11' +author: Rod Soto, Chase Franklin +type: Hunting +datamodel: [] +description: Splunk versions below 8.1.12,8.2.9 and 9.0.2 are vulnerable to reflected cross site scripting (XSS). A View allows for a Reflected Cross Site scripting via JavaScript Object Notation (JSON) in a query parameter when ouput_mode=radio. +search: '`splunkd_webx` user=admin status=200 uri=*/lists/entities/x/ui/views* uri_query!=null | stats count earliest(_time) as event_time values(status) as status values(clientip) as clientip by index, sourcetype, _time, host, user, uri | `splunk_reflected_xss_in_the_templates_lists_radio_filter`' +how_to_implement: This vulnerability only affects instances with Splunk Web enabled. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. +known_false_positives: This search may produce false positives as it is difficult to pinpoint all possible XSS injection characters in a single search string. Special attention is required to "en-US/list/entities/x/ui/views" which is the vulnerable injection point. 
+references: +- https://research.splunk.com/stories/splunk_vulnerabilities/ +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: Endpoint + cve: CVE-2022-43568 + cis20: + - CIS 3 + - CIS 5 + - CIS 16 + confidence: 50 + context: + - Source:Endpoint + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt + impact: 50 + kill_chain_phases: + - Exploitation + message: Potential XSS exploitation against radio template by $user$ + mitre_attack_id: + - T1189 + nist: + - DE.CM + observable: + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - host + - clientip + - status + - user + - uri + - uri_query + - uri_path + risk_score: 25 + security_domain: endpoint diff --git a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml new file mode 100644 index 0000000000..dd788b768a --- /dev/null +++ b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml 
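Review bot: The search pins `user=admin`, but a reflected XSS executes in the browser of whichever authenticated user follows the crafted link, so any non-admin victim is excluded by construction; drop that clause, or replace it with a lookup of privileged roles if the intent is to prioritise high-value victims. The description says the flaw triggers only when `output_mode=radio`, yet the search merely requires `uri_query!=null`; adding `uri_query="*output_mode=radio*"` would remove most of the noise the known_false_positives text warns about without losing true positives. Grouping `stats` by raw `_time` together with `index, sourcetype, host, user, uri` yields one row per event, which makes `count` and `earliest(_time)` redundant — bin `_time` or drop it from the by-clause. Minor: "ouput_mode" in the description, and known_false_positives cites `/list/entities/...` while the search matches `/lists/entities/...`.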
@@ -0,0 +1,55 @@ +name: Splunk Stored XSS via Data Model objectName field +id: 062bff76-5f9c-496e-a386-cb1adcf69871 +version: 1 +date: '2022-10-11' +author: Rod Soto +type: Hunting +datamodel: [] +description: Splunk Enterprise versions 8.1.12, 8.2.9, 9.0.2 are vulnerable to persistent cross site scripting via Data Model object name. An authenticated user can inject and store arbitrary scripts that can lead to persistent cross-site scripting (XSS) in the object name Data Model. +search: '`splunkd_webx` uri=/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model* uri_query!=null | stats count by _time host status clientip user uri | `splunk_stored_xss_via_data_model_objectname_field_filter`' +how_to_implement: This vulnerability only affects Splunk Web enabled instances. This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. +known_false_positives: This search may produce false positives and does not cover exploitation attempts via code obfuscation, focus of search is suspicious requests against "/en-US/splunkd/__raw/servicesNS/*/launcher/datamodel/model" which is the injection point. 
+references: +- https://www.splunk.com/en_us/product-security.html +- https://portswigger.net/web-security/cross-site-scripting/cheat-sheet +tags: + analytic_story: + - Splunk Vulnerabilities + asset_type: Endpoint + cve: CVE-2022-43569 + cis20: + - CIS 3 + - CIS 5 + - CIS 16 + confidence: 50 + context: + - Source:Endpoint + dataset: + - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt + impact: 50 + kill_chain_phases: + - Exploitation + message: A potential XSS attempt has been detected from $user$ + mitre_attack_id: + - T1189 + nist: + - DE.CM + observable: + - name: user + type: User + role: + - Attacker + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + required_fields: + - uri + - uri_query + - host + - status + - clientip + - user + - uri_path + risk_score: 25 + security_domain: endpoint diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml new file mode 100644 index 0000000000..16dde54509 --- /dev/null +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml 
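Review bot: The description states that Splunk Enterprise "versions 8.1.12, 8.2.9, 9.0.2 are vulnerable", but those are the patched releases for CVE-2022-43569; it should say `versions below 8.1.12, 8.2.9 and 9.0.2`. A stored payload in the data model object name has to be written through the `datamodel/model` endpoint, presumably by POST, yet the search accepts any method and so returns every read of that REST path, including the UI listing data models; restricting to `method=POST` (as the sibling Save Table detection in this commit does) or at least adding `method` to the `stats ... by` clause keeps the hunt on the injection point. The search filters on `uri_query!=null` but then tables `uri`, so the operator never sees the query string that is supposed to carry the payload — add `uri_query` to the output.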
@@ -0,0 +1,56 @@ +name: Splunk XSS in Save table dialog header in search page +id: a974d1ee-ddca-4837-b6ad-d55a8a239c20 +version: 1 +date: '2022-10-11' +author: Rod Soto +type: Hunting +datamodel: +- Endpoint +description: This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting. +search: '`splunkda` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`' +how_to_implement: Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model. +known_false_positives: If host is vulnerable and XSS script strings are inputted they will show up in search. Not all Post requests are malicious as they will show when users create and save dashboards. This search may produce several results with non malicious POST requests. Only affects Splunk Web enabled instances. 
+references:
+- https://www.splunk.com/en_us/product-security.html
+- https://portswigger.net/web-security/cross-site-scripting
+tags:
+ analytic_story:
+ - Splunk Vulnerablities
+ asset_type: Endpoint
+ cve: CVE-2022-43561
+ cis20:
+ - CIS 3
+ - CIS 5
+ - CIS 16
+ confidence: 50
+ context:
+ - Source:Endpoint
+ dataset:
+ - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt
+ impact: 50
+ kill_chain_phases:
+ - Exploitation
+ message: Possible XSS exploitation attempt from $clientip$
+ mitre_attack_id:
+ - T1189
+ nist:
+ - DE.CM
+ observable:
+ - name: clientip
+ type: IP Address
+ role:
+ - Attacker
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - host
+ - _time
+ - status
+ - clientip
+ - user
+ - uri
+ - method
+ risk_score: 25
+ security_domain: endpoint
diff --git a/macros/splunkd_ui.yml b/macros/splunkd_ui.yml
new file mode 100644
index 0000000000..afc9efe8b1
--- /dev/null
+++ b/macros/splunkd_ui.yml
@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunkd_ui_access
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+ Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_ui
\ No newline at end of file
diff --git a/macros/splunkd_webx.yml b/macros/splunkd_webx.yml
new file mode 100644
index 0000000000..a85f20f4ea
--- /dev/null
+++ b/macros/splunkd_webx.yml
@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=access_combined_wcookie
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+ Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkd_webx
\ No newline at end of file
diff --git a/macros/splunkda.yml b/macros/splunkda.yml
new file mode 100644
index 0000000000..a264dcaf60
--- /dev/null
+++ b/macros/splunkda.yml
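Review bot: `analytic_story` is set to "Splunk Vulnerablities" (missing an "i"), whereas the five sibling detections in this commit use "Splunk Vulnerabilities"; story membership is matched on this string, so this detection will not be attached to the story — change it to `- Splunk Vulnerabilities`. The description again lists the fixed releases "(8.1.12,8.2.9,9.0.2)" as the affected ones; `versions below 8.1.12, 8.2.9 and 9.0.2` is what CVE-2022-43561 describes. how_to_implement asks the operator to "watch for POST requests combined with XSS script strings", but splunkd_access records the request line, not the POST body, so the script string will not be visible in these results; the note should say so and point the operator at the stored data model's object names instead.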
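Review bot: The macro description "customer specific splunk configurations ... Replace the macro definition with configurations for your Splunk Environmnent" is boilerplate copied from data-source macros and misspells "Environment"; this macro and its two siblings point at Splunk's own `_internal` index with fixed sourcetypes (`splunkd_ui_access`, `access_combined_wcookie`, `splunkd_access`), so the only thing an operator would plausibly change is the index when `_internal` is forwarded elsewhere. A description that names the log the macro covers, e.g. `Splunk Web UI access log (splunkd_ui_access.log) in _internal`, would help, since `splunkd_ui` vs `splunkd_webx` vs `splunkda` is not self-explanatory.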
@@ -0,0 +1,4 @@
+definition: index=_internal sourcetype=splunkd_access
+description: customer specific splunk configurations(eg- index, source, sourcetype).
+ Replace the macro definition with configurations for your Splunk Environmnent.
+name: splunkda
\ No newline at end of file
diff --git a/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml b/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml
new file mode 100644
index 0000000000..8946fb96e4
--- /dev/null
+++ b/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml
@@ -0,0 +1,14 @@
+name: Splunk Code Injection via custom dashboard leading to RCE Unit Test
+tests:
+- name: Splunk Code Injection via custom dashboard leading to RCE
+ file: application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+ source: /opt/splunk/var/log/splunk/splunkd_ui_access.log
+ sourcetype: splunkd_ui_access
+ custom_index: _internal
+ update_timestamp: true
diff --git a/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml b/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml
new file mode 100644
index 0000000000..74202f1cbb
--- /dev/null
+++ b/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml
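Review bot: `pass_condition: '| stats count | where count > 0'` only checks that the detection returns something, but the detection it exercises emits one row per `user` whether or not its `rex` extractions populate anything, so a broken extraction (empty `DASHBOARD_TITLE`) still passes. Asserting on the field the hunt exists to produce, e.g. `pass_condition: '| where isnotnull(DASHBOARD_TITLE) | stats count | where count > 0'`, would make the test catch that class of regression. The same weak condition is used by all six test files in this commit; tightening at least the ones whose searches compute derived fields is worth it.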
@@ -0,0 +1,14 @@
+name: Splunk Data exfiltration from Analytics Workspace using sid query Unit Test
+tests:
+- name: Splunk Data exfiltration from Analytics Workspace using sid query
+ file: application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt
+ source: audittrail
+ sourcetype: audittrail
+ custom_index: _audit
+ update_timestamp: true
diff --git a/tests/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.test.yml b/tests/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.test.yml
new file mode 100644
index 0000000000..9f51b7d748
--- /dev/null
+++ b/tests/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.test.yml
@@ -0,0 +1,14 @@
+name: Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature Unit Test
+tests:
+- name: Splunk RCE via Splunk Secure Gateway Splunk Mobile alerts feature
+ file: application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+ data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt
+ source: /opt/splunk/var/log/splunk/web_access.log
+ sourcetype: access_combined_wcookie
+ custom_index: _internal
+ update_timestamp: true
diff --git a/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml b/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml
new file mode 100644
index 0000000000..0bb72eec94
--- /dev/null
+++ b/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml
@@ -0,0 +1,14 @@
+name: Splunk Reflected XSS in the templates lists radio Unit Test
+tests:
+- name: Splunk Reflected XSS in the templates lists radio
+ file: application/splunk_reflected_xss_in_the_templates_lists_radio.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_reflected_xss_in_templates_lists_radio.txt
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt
+ source: /opt/splunk/var/log/splunk/web_access.log
+ sourcetype: access_combined_wcookie
+ custom_index: _internal
+ update_timestamp: true
diff --git a/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml b/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml
new file mode 100644
index 0000000000..79d82e0948
--- /dev/null
+++ b/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml
@@ -0,0 +1,14 @@
+name: Splunk Stored XSS via Data Model objectName field Unit Test
+tests:
+- name: Splunk Stored XSS via Data Model objectName field
+ file: application/splunk_stored_xss_via_data_model_objectname_field.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_stored_xss_via_data_model_objectname_field.txt
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt
+ source: /opt/splunk/var/log/splunk/web_access.log
+ sourcetype: access_combined_wcookie
+ custom_index: _internal
+ update_timestamp: true
diff --git a/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml b/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml
new file mode 100644
index 0000000000..ac78b22a1e
--- /dev/null
+++ b/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml
@@ -0,0 +1,14 @@
+name: Splunk XSS in Save table dialog header in search page Unit Test
+tests:
+- name: Splunk XSS in Save table dialog header in search page
+ file: application/splunk_xss_in_save_table_dialog_header_in_search_page.yml
+ pass_condition: '| stats count | where count > 0'
+ earliest_time: -24h
+ latest_time: now
+ attack_data:
+ - file_name: splunk_xss_in_save_table_dialog_in_search_page.txt
+ data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt
+ source: /opt/splunk/var/log/splunk/splunkd_access.log
+ sourcetype: splunkd_access
+ custom_index: _internal
+ update_timestamp: true
From a80f89e32c95475eced27640d279743d62da3b33 Mon Sep 17 00:00:00 2001
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Tue, 1 Nov 2022 08:38:04 -0700 Subject: [PATCH 02/11] Replaced index= and sourcetype= with appropriate macro. Added that macro as well. --- ...om_analytics_workspace_using_sid_query.yml | 36 +++++++++---------- macros/audit_searches.yml | 3 ++ 2 files changed, 21 insertions(+), 18 deletions(-) create mode 100644 macros/audit_searches.yml diff --git a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml index b160a900da..013650d193 100644 --- a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml +++ b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml 
@@ -5,23 +5,23 @@ date: '2022-11-1' author: Rod Soto, Eric McGinnis type: Hunting datamodel: [] -description: This hunting search allows operator to discover attempts to exfiltrate data by - executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise - versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to - compel a victim to initiate a request within their browser (phishing). - The attacker cannot exploit the vulnerability at will. -search: index=_audit sourcetype=audittrail action=search info=granted search NOT ("index=_audit - sourcetype=audittrail") search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" +description: This hunting search allows operator to discover attempts to exfiltrate data by + executing a prepositioned malicious search ID in Analytic Workspace in Splunk Enterprise + versions 8.2.9,8.1.12,9.0.2. The attack is browser-based. It requires the attacker to + compel a victim to initiate a request within their browser (phishing). + The attacker cannot exploit the vulnerability at will. +search: '`audit_searches` info=granted search NOT ("audit_searches") + search NOT ("security_content_summariesonly") AND ((search="*mstats*[*]*" AND provenance="N/A") OR (search="*mstats*\\\"*[*]*\\\"*"))| eval warning=if(match(search,"\\\\\""), - "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query` -how_to_implement: The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. -known_false_positives: This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. 
Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim. + "POTENTIAL INJECTION STAGING", "POTENTIAL INJECTION EXECUTION") | table search, user, warning, timestamp | `splunk_data_exfiltration_from_analytics_workspace_using_sid_query_filter`' +how_to_implement: The vulnerability affects only instances with Splunk Web Enabled. After running this search, please run "Splunk Command and Scripting Interpreter Risky SPL MLTK" to gain more insight into potentially risky commands which could lead to data exfiltration. +known_false_positives: This search may produce false positives. This detection does not require you to ingest any new data. The detection does require the ability to search the _audit index. Special attention must be paid to "/en-US/app/search/analytics_workspace?sid=[sid]" which is where the malicious code will be inserted to trigger attack at victim. references: - https://www.splunk.com/en_us/product-security.html tags: analytic_story: - - Splunk Vulnerabilities - asset_type: Endpoint + - Splunk Vulnerabilities + asset_type: Endpoint cve: - CVE-2022-43566 cis20: @@ -45,18 +45,18 @@ tags: - name: user type: User role: - - Attacker + - Attacker product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud required_fields: - action - - info - - user - - search_id + - info + - user + - search_id - metadata - - user - - _time + - user + - _time risk_score: 25 security_domain: endpoint diff --git a/macros/audit_searches.yml b/macros/audit_searches.yml new file mode 100644 index 0000000000..64520a8aaa --- /dev/null +++ b/macros/audit_searches.yml @@ -0,0 +1,3 @@ +definition: index=_audit sourcetype=audittrail action=search +description: Macro to enable easy searching of audittrail logs for searches +name: audit_searches From 844df50ee5303bd5d69532224b17df6eb51822b7 Mon Sep 17 00:00:00 2001 
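Review bot: Swapping the self-exclusion `NOT ("index=_audit sourcetype=audittrail")` for `NOT ("audit_searches")` changes what is excluded: the audittrail record holds the SPL that was run, and if macros are expanded before that record is written (as I believe they are for scheduled searches) the detection's own executions now contain `index=_audit sourcetype=audittrail action=search` rather than the macro name, so the search will match itself on every run and surface its own `*mstats*` pattern as "POTENTIAL INJECTION STAGING". Keeping both terms, `search NOT ("audit_searches") search NOT ("index=_audit sourcetype=audittrail")`, is robust regardless of when expansion happens. The rewritten description lines still say "versions 8.2.9,8.1.12,9.0.2" for what CVE-2022-43566 describes as versions below those releases, and `required_fields` still lists `user` twice — both worth fixing while this file is being touched.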
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Tue, 1 Nov 2022 08:41:14 -0700 Subject: [PATCH 03/11] Fixed format of CVE tag --- ...lunk_code_injection_via_custom_dashboard_leading_to_rce.yml | 3 ++- .../splunk_reflected_xss_in_the_templates_lists_radio.yml | 3 ++- .../splunk_stored_xss_via_data_model_objectname_field.yml | 3 ++- .../splunk_xss_in_save_table_dialog_header_in_search_page.yml | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml index 6ad561402d..e3327a8992 100644 --- a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml +++ b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml @@ -15,7 +15,8 @@ tags: analytic_story: - Splunk Vulnerabilities asset_type: Endpoint - cve: CVE-2022-43571 + cve: + - CVE-2022-43571 cis20: - CIS 3 - CIS 5 diff --git a/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml index 4ca19f2679..cd2d7e5cac 100644 --- a/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml +++ b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml @@ -15,7 +15,8 @@ tags: analytic_story: - Splunk Vulnerabilities asset_type: Endpoint - cve: CVE-2022-43568 + cve: + - CVE-2022-43568 cis20: - CIS 3 - CIS 5 diff --git a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml index dd788b768a..038002d158 100644 --- a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml +++ b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml 
@@ -16,7 +16,8 @@ tags: analytic_story: - Splunk Vulnerabilities asset_type: Endpoint - cve: CVE-2022-43569 + cve: + - CVE-2022-43569 cis20: - CIS 3 - CIS 5 diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml index 16dde54509..07363bf7d0 100644 --- a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml @@ -17,7 +17,8 @@ tags: analytic_story: - Splunk Vulnerablities asset_type: Endpoint - cve: CVE-2022-43561 + cve: + - CVE-2022-43561 cis20: - CIS 3 - CIS 5 From 79e8b40a675f4ed47e1393bad5eb2e892434f39c Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 2 Nov 2022 08:40:23 -0700 Subject: [PATCH 04/11] Update splunk_xss_in_save_table_dialog_header_in_search_page.yml --- .../splunk_xss_in_save_table_dialog_header_in_search_page.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml index 07363bf7d0..cfa3d00f3a 100644 --- a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml 
@@ -4,8 +4,7 @@ version: 1 date: '2022-10-11' author: Rod Soto type: Hunting -datamodel: -- Endpoint +datamodel: [] description: This is a hunting search to find persistent cross-site scripting XSS code that was included while inputing data in 'Save Table' dialog in Splunk Enterprise (8.1.12,8.2.9,9.0.2). A remote user with "power" Splunk role can store this code that can lead to persistent cross site scripting. search: '`splunkda` method=POST uri=/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model | table _time host status clientip user uri | `splunk_xss_in_save_table_dialog_header_in_search_page_filter`' how_to_implement: Watch for POST requests combined with XSS script strings or obfuscation against the injection point /en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model. From f5eaa4053481bf9f95a2384054beac1bd45efb77 Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Wed, 2 Nov 2022 09:02:30 -0700 Subject: [PATCH 05/11] Changed media.githubusercontent to raw.githubusercontent links --- ...plunk_code_injection_via_custom_dashboard_leading_to_rce.yml | 2 +- ...ta_exfiltration_from_analytics_workspace_using_sid_query.yml | 2 +- ..._via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml | 2 +- .../splunk_reflected_xss_in_the_templates_lists_radio.yml | 2 +- .../splunk_stored_xss_via_data_model_objectname_field.yml | 2 +- .../splunk_xss_in_save_table_dialog_header_in_search_page.yml | 2 +- ..._code_injection_via_custom_dashboard_leading_to_rce.test.yml | 2 +- ...filtration_from_analytics_workspace_using_sid_query.test.yml | 2 +- .../splunk_reflected_xss_in_the_templates_lists_radio.test.yml | 2 +- .../splunk_stored_xss_via_data_model_objectname_field.test.yml | 2 +- ...lunk_xss_in_save_table_dialog_header_in_search_page.test.yml | 2 +- 11 files changed, 11 insertions(+), 11 deletions(-) 
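Review bot: The search in this hunk matches every `POST` to `/en-US/splunkd/__raw/servicesNS/nobody/search/datamodel/model`, that is every legitimate data-model save by any user with the `power` role, while the how_to_implement line asks the analyst to watch for "XSS script strings or obfuscation" that nothing in the SPL looks for; the `splunkd_access` events the test file in patch 05 feeds it are access-log lines, which as far as that data shows carry the request line and not the POST body, so the payload is not in this data at all. Either extend the search to inspect the stored objects, or reword how_to_implement to state plainly that this search only surfaces candidate writes and that the injected string must be looked for in the saved data model itself (for example by reviewing the objects returned by the datamodel REST endpoint), so the hunting search does not promise a filter it cannot apply. The `uri` is also an exact match on the `nobody/search` namespace; if saves made from another app or into a user-owned namespace post to a different `servicesNS/<owner>/<app>/` path, a pattern such as `uri=*/servicesNS/*/datamodel/model*` would be needed, which I would confirm against a real save from a non-search app before widening it. Setting `datamodel: []` is correct since the SPL does not use the Endpoint data model.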
diff --git a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml index e3327a8992..81f98a8270 100644 --- a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml +++ b/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml @@ -25,7 +25,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt impact: 50 kill_chain_phases: - Exploitation diff --git a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml index 013650d193..71f790584f 100644 --- a/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml +++ b/detections/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.yml @@ -32,7 +32,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt impact: 50 kill_chain_phases: - Actions on Objectives diff --git a/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml index b8df2181f6..4d09cc9bb8 100644 
--- a/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml +++ b/detections/application/splunk_rce_via_splunk_secure_gateway__splunk_mobile_alerts_feature.yml @@ -25,7 +25,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_rce_via_secure_gateway_splunk_mobile_alerts_feature.txt impact: 90 kill_chain_phases: - Exploitation diff --git a/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml index cd2d7e5cac..c4287b4939 100644 --- a/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml +++ b/detections/application/splunk_reflected_xss_in_the_templates_lists_radio.yml @@ -25,7 +25,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt impact: 50 kill_chain_phases: - Exploitation diff --git a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml index 038002d158..ddc923cf22 100644 --- a/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml +++ b/detections/application/splunk_stored_xss_via_data_model_objectname_field.yml 
@@ -26,7 +26,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt impact: 50 kill_chain_phases: - Exploitation diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml index cfa3d00f3a..49ae8ddb83 100644 --- a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml @@ -26,7 +26,7 @@ tags: context: - Source:Endpoint dataset: - - https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt + - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt impact: 50 kill_chain_phases: - Exploitation diff --git a/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml b/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml index 8946fb96e4..ccffdf4289 100644 --- a/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml +++ b/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml 
@@ -7,7 +7,7 @@ tests: latest_time: now attack_data: - file_name: splunk_code_injection_via_custom_dashboard_leading_to_rce.txt - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt + data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt source: /opt/splunk/var/log/splunk/splunkd_ui_access.log sourcetype: splunkd_ui_access custom_index: _internal diff --git a/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml b/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml index 74202f1cbb..246ce5b85e 100644 --- a/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml +++ b/tests/application/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.test.yml @@ -7,7 +7,7 @@ tests: latest_time: now attack_data: - file_name: splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt + data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1567/splunk/splunk_data_exfiltration_from_analytics_workspace_using_sid_query.txt source: audittrail sourcetype: audittrail custom_index: _audit diff --git a/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml b/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml index 0bb72eec94..369abb8345 100644 --- a/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml +++ b/tests/application/splunk_reflected_xss_in_the_templates_lists_radio.test.yml 
@@ -7,7 +7,7 @@ tests: latest_time: now attack_data: - file_name: splunk_reflected_xss_in_templates_lists_radio.txt - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt + data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_reflected_xss_in_templates_lists_radio.txt source: /opt/splunk/var/log/splunk/web_access.log sourcetype: access_combined_wcookie custom_index: _internal diff --git a/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml b/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml index 79d82e0948..0eb87e5c5b 100644 --- a/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml +++ b/tests/application/splunk_stored_xss_via_data_model_objectname_field.test.yml @@ -7,7 +7,7 @@ tests: latest_time: now attack_data: - file_name: splunk_stored_xss_via_data_model_objectname_field.txt - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt + data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_stored_xss_via_data_model_objectname_field.txt source: /opt/splunk/var/log/splunk/web_access.log sourcetype: access_combined_wcookie custom_index: _internal diff --git a/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml b/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml index ac78b22a1e..39998e2df7 100644 --- a/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml +++ b/tests/application/splunk_xss_in_save_table_dialog_header_in_search_page.test.yml 
@@ -7,7 +7,7 @@ tests: latest_time: now attack_data: - file_name: splunk_xss_in_save_table_dialog_in_search_page.txt - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt + data: https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1189/splunk/splunk_xss_in_save_table_dialog_in_search_page.txt source: /opt/splunk/var/log/splunk/splunkd_access.log sourcetype: splunkd_access custom_index: _internal From c76f6c1ce07ce4cfe6b8bc5869e6782c5eb61c6b Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Wed, 2 Nov 2022 09:14:58 -0700 Subject: [PATCH 06/11] Update splunk_xss_in_save_table_dialog_header_in_search_page.yml --- .../splunk_xss_in_save_table_dialog_header_in_search_page.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml index 49ae8ddb83..a9f2d2ae55 100644 --- a/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml +++ b/detections/application/splunk_xss_in_save_table_dialog_header_in_search_page.yml @@ -14,7 +14,7 @@ references: - https://portswigger.net/web-security/cross-site-scripting tags: analytic_story: - - Splunk Vulnerablities + - Splunk Vulnerabilities asset_type: Endpoint cve: - CVE-2022-43561 From 4351d385d08866cef2a4cbf7d574e6fde854dc93 Mon Sep 17 00:00:00 2001 
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Wed, 2 Nov 2022 10:02:17 -0700 Subject: [PATCH 07/11] Moved detection and test files from production to experimental --- .../splunk_code_injection_via_custom_dashboard_leading_to_rce.yml | 0 ...nk_code_injection_via_custom_dashboard_leading_to_rce.test.yml | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename detections/{ => experimental}/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml (100%) rename tests/{ => experimental}/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml (100%) diff --git a/detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml similarity index 100% rename from detections/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml rename to detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml diff --git a/tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml b/tests/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml similarity index 100% rename from tests/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml rename to tests/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.test.yml From 247d825791a774f11e2c8202ac4d4c7d58f41661 Mon Sep 17 00:00:00 2001 From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Wed, 2 Nov 2022 10:05:12 -0700 Subject: [PATCH 08/11] updated description --- ...on_via_custom_dashboard_leading_to_rce.txt | 100 ++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt 
diff --git a/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt b/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt new file mode 100644 index 0000000000..6fc81752c0 --- /dev/null +++ b/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt 
@@ -0,0 +1,100 @@ +10.56.227.188 - admin [06/Oct/2022:21:59:29.816 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653201 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:59:09.944 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653185 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:57:28.652 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653166 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:57:22.032 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653161 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:57:14.623 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653156 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:56:39.943 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653112 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:56:30.409 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653099 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:56:26.353 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653094 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:56:10.019 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653080 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:56:02.898 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653070 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:55:19.632 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653048 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:55:07.176 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653033 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:54:54.900 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653021 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:54:32.182 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653004 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:54:23.773 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652986 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:54:02.631 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652962 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:53:38.880 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652946 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:53:20.773 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652935 HTTP/1.1" 200 
6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:52:12.999 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652908 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:51:39.089 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652892 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:51:31.041 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652879 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:50:29.190 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652857 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:50:10.051 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652840 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:49:54.124 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652818 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:49:40.654 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652804 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:48:57.761 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652786 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:48:42.681 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652778 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:48:35.549 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652772 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - admin [06/Oct/2022:21:47:12.074 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652737 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 
- admin [06/Oct/2022:21:46:07.008 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652714 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms +10.56.227.188 - admin [06/Oct/2022:21:44:21.056 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652691 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms +10.56.227.188 - user [06/Oct/2022:21:43:02.645 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092581952 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 3ms +10.56.227.188 - user [06/Oct/2022:21:43:02.634 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665092581949 HTTP/1.1" 200 1194 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 1ms +10.56.227.188 - user [06/Oct/2022:21:43:02.276 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092581942 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 3ms +10.56.227.188 - admin [06/Oct/2022:21:34:25.780 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092043109 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms 
+10.56.227.188 - admin [06/Oct/2022:21:33:49.973 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/ssg_e2e_wss_test?output_mode=json&_=1665092029286 HTTP/1.1" 200 2192 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 5ms +10.56.227.188 - admin [06/Oct/2022:21:33:49.834 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092029281 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:33:49.596 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092029275 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 5ms +10.56.227.188 - admin [06/Oct/2022:21:31:41.360 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910169 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:31:29.252 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910158 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:30:55.568 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910147 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 
bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:30:37.501 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910136 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:30:19.327 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910112 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:29:52.529 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910084 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:29:03.138 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910059 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:28:52.894 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910046 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:26:52.090 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910005 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:26:43.277 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909993 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:24:06.470 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909955 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:24:03.843 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909947 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:14:09.004 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909864 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:11:50.674 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909838 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:07:03.047 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909788 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:06:56.591 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909780 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:05:45.657 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909766 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:03:50.667 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909744 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:02:09.822 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909721 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:01:54.230 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909713 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:01:38.179 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909701 
HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:01:00.165 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909681 HTTP/1.1" 200 6588 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:21:00:56.098 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909673 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms +10.56.227.188 - admin [06/Oct/2022:21:00:16.555 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909647 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - admin [06/Oct/2022:20:58:33.107 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909598 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms +10.56.227.188 - user [06/Oct/2022:20:57:38.226 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832944 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:57:34.259 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832938 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:57:30.088 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832932 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:57:25.413 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832929 HTTP/1.1" 200 2855 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:57:16.791 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832925 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:56:23.430 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578497 HTTP/1.1" 200 2855 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:20:55:40.103 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578491 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user 
[06/Oct/2022:20:54:45.518 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578484 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:19:36:05.377 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 1152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms +10.56.227.188 - user [06/Oct/2022:19:36:04.923 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021618 HTTP/1.1" 200 1191 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms +10.56.227.188 - user [06/Oct/2022:19:26:18.831 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 1151 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms +10.56.227.188 - user [06/Oct/2022:19:26:18.301 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021599 HTTP/1.1" 200 799 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms +10.56.227.188 - user [06/Oct/2022:18:50:01.494 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 759 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms +10.56.227.188 - user [06/Oct/2022:18:50:01.329 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021556 HTTP/1.1" 200 606 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms +10.56.227.188 - user [06/Oct/2022:18:47:02.298 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665082021540 HTTP/1.1" 200 2857 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:18:47:02.291 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021537 HTTP/1.1" 200 606 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms +10.56.227.188 - user [06/Oct/2022:18:47:01.915 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665082021530 HTTP/1.1" 200 2857 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 4ms +10.56.227.188 - user [06/Oct/2022:18:44:30.563 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/_new?output_mode=json HTTP/1.1" 200 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms +10.56.227.188 - user [06/Oct/2022:18:42:50.744 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/launcher/saved/searches/_new?output_mode=json&_=1665081769815 HTTP/1.1" 200 2862 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 05876b5304785d93a94e0d4ba00d2e43 3ms +10.56.227.188 - user [06/Oct/2022:18:41:51.172 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/launcher/saved/searches/_new?output_mode=json&_=1665081710088 HTTP/1.1" 200 2862 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 05876b5304785d93a94e0d4ba00d2e43 4ms +10.56.227.188 - admin [06/Oct/2022:18:11:47.635 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108912 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:11:00.978 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108894 HTTP/1.1" 200 6588 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:10:07.059 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108875 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:08:52.147 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108863 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:08:29.939 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108858 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms 
+10.56.227.188 - admin [06/Oct/2022:18:08:19.789 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108852 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms +10.56.227.188 - admin [06/Oct/2022:18:06:10.708 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108820 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:04:14.924 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108780 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:03:33.552 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108769 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:03:13.155 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108754 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:03:09.757 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108741 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 
Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:03:04.530 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108733 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 5ms +10.56.227.188 - admin [06/Oct/2022:18:02:54.082 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108722 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms +10.56.227.188 - admin [06/Oct/2022:18:02:16.713 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108692 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:02:14.574 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108685 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:02:07.205 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108673 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms +10.56.227.188 - admin [06/Oct/2022:18:00:21.882 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108626 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms
From dba5af84c9f49bec20a7d311f965ab1131a71238 Mon Sep 17 00:00:00 2001
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com>
Date: Wed, 2 Nov 2022 10:09:55 -0700
Subject: [PATCH 09/11] removed file that should not have been added
---
...on_via_custom_dashboard_leading_to_rce.yml | 54 -------------------
1 file changed, 54 deletions(-)
delete mode 100644 detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
diff --git a/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
deleted file mode 100644
index 81f98a8270..0000000000
--- a/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
+++ /dev/null
@@ -1,54 +0,0 @@
-name: Splunk Code Injection via custom dashboard leading to RCE
-id: b06b41d7-9570-4985-8137-0784f582a1b3
-version: 1
-date: '2022-10-11'
-author: Rod Soto
-type: Hunting
-datamodel: []
-description: This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component.
-search: '`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | join file* [ search index=_internal file=export | table search_id,user]| `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`'
-how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
-known_false_positives: Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
-references:
-- https://www.splunk.com/en_us/product-security.html
-tags:
- analytic_story:
- - Splunk Vulnerabilities
- asset_type: Endpoint
- cve:
- - CVE-2022-43571
- cis20:
- - CIS 3
- - CIS 5
- - CIS 16
- confidence: 50
- context:
- - Source:Endpoint
- dataset:
- - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
- impact: 50
- kill_chain_phases:
- - Exploitation
- message: Potential exploitation of Code Injection via Dashboard PDF generation.
- mitre_attack_id:
- - T1210
- nist:
- - DE.CM
- observable:
- - name: user
- type: User
- role:
- - Victim
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- required_fields:
- - user
- - clientip
- - uri
- - uri_path
- - method
- - status
- risk_score: 25
- security_domain: endpoint
From c2279092c37c9d70febf50afeb31acef23b8e836 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 2 Nov 2022 10:12:08 -0700
Subject: [PATCH 10/11] Delete splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
---
...on_via_custom_dashboard_leading_to_rce.txt | 100 ------------------
1 file changed, 100 deletions(-)
delete mode 100644 bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
diff --git a/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt b/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
deleted file mode 100644
index 6fc81752c0..0000000000
--- a/bin/docker_detection_tester/attack_data_ggk4iuqv/DATA_9b46fguo/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+++ /dev/null
@@ -1,100 +0,0 @@ -10.56.227.188 - admin [06/Oct/2022:21:59:29.816 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653201 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:59:09.944 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653185 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:57:28.652 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653166 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:57:22.032 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653161 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:57:14.623 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653156 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:56:39.943 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653112 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:56:30.409 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653099 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:56:26.353 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653094 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:56:10.019 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653080 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:56:02.898 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653070 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:55:19.632 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653048 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:55:07.176 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653033 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 
10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:54:54.900 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653021 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:54:32.182 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092653004 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:54:23.773 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652986 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:54:02.631 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652962 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:53:38.880 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652946 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:53:20.773 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652935 HTTP/1.1" 200 
6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:52:12.999 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652908 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:51:39.089 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652892 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:51:31.041 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652879 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:50:29.190 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652857 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:50:10.051 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652840 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:49:54.124 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652818 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:49:40.654 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652804 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:48:57.761 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652786 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:48:42.681 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652778 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:48:35.549 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652772 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - admin [06/Oct/2022:21:47:12.074 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652737 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 
- admin [06/Oct/2022:21:46:07.008 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652714 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 4ms -10.56.227.188 - admin [06/Oct/2022:21:44:21.056 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092652691 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - ecddcc31daf732bc9f05b474df57ca1b 3ms -10.56.227.188 - user [06/Oct/2022:21:43:02.645 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092581952 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 3ms -10.56.227.188 - user [06/Oct/2022:21:43:02.634 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665092581949 HTTP/1.1" 200 1194 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 1ms -10.56.227.188 - user [06/Oct/2022:21:43:02.276 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092581942 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 5feabb3aea8b52c6144ee016d2168dde 3ms -10.56.227.188 - admin [06/Oct/2022:21:34:25.780 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665092043109 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms 
-10.56.227.188 - admin [06/Oct/2022:21:33:49.973 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/data/ui/views/ssg_e2e_wss_test?output_mode=json&_=1665092029286 HTTP/1.1" 200 2192 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 5ms -10.56.227.188 - admin [06/Oct/2022:21:33:49.834 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092029281 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:33:49.596 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665092029275 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 5ms -10.56.227.188 - admin [06/Oct/2022:21:31:41.360 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910169 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:31:29.252 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910158 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:30:55.568 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910147 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 
bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:30:37.501 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910136 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:30:19.327 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910112 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:29:52.529 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910084 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:29:03.138 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910059 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:28:52.894 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910046 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:26:52.090 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089910005 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, 
like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:26:43.277 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909993 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:24:06.470 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909955 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:24:03.843 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909947 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:14:09.004 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909864 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:11:50.674 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909838 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:07:03.047 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909788 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; 
Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:06:56.591 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909780 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:05:45.657 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909766 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:03:50.667 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909744 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:02:09.822 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909721 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:01:54.230 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909713 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:01:38.179 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909701 
HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:01:00.165 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909681 HTTP/1.1" 200 6588 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:21:00:56.098 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909673 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 4ms -10.56.227.188 - admin [06/Oct/2022:21:00:16.555 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909647 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - admin [06/Oct/2022:20:58:33.107 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665089909598 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - bfe5d9f06d10f4e035646a9edce9003b 3ms -10.56.227.188 - user [06/Oct/2022:20:57:38.226 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832944 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:57:34.259 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832938 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:57:30.088 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832932 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:57:25.413 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832929 HTTP/1.1" 200 2855 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:57:16.791 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089832925 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:56:23.430 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578497 HTTP/1.1" 200 2855 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:20:55:40.103 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578491 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user 
[06/Oct/2022:20:54:45.518 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/saved/searches/_new?output_mode=json&_=1665089578484 HTTP/1.1" 200 2856 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:19:36:05.377 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 1152 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms -10.56.227.188 - user [06/Oct/2022:19:36:04.923 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021618 HTTP/1.1" 200 1191 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms -10.56.227.188 - user [06/Oct/2022:19:26:18.831 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 1151 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms -10.56.227.188 - user [06/Oct/2022:19:26:18.301 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021599 HTTP/1.1" 200 799 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms -10.56.227.188 - user [06/Oct/2022:18:50:01.494 +0000] "POST /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test HTTP/1.1" 200 759 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 5ms -10.56.227.188 - user [06/Oct/2022:18:50:01.329 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021556 HTTP/1.1" 200 606 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms -10.56.227.188 - user [06/Oct/2022:18:47:02.298 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665082021540 HTTP/1.1" 200 2857 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:18:47:02.291 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/test?output_mode=json&_=1665082021537 HTTP/1.1" 200 606 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 1ms -10.56.227.188 - user [06/Oct/2022:18:47:01.915 +0000] "GET /en-US/splunkd/__raw/services/saved/searches/_new?output_mode=json&_=1665082021530 HTTP/1.1" 200 2857 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 4ms -10.56.227.188 - user [06/Oct/2022:18:44:30.563 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/search/data/ui/views/_new?output_mode=json HTTP/1.1" 200 473 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - e8c2bae907e55cf1da14ae1043a54187 3ms -10.56.227.188 - user [06/Oct/2022:18:42:50.744 +0000] "GET /en-US/splunkd/__raw/servicesNS/user/launcher/saved/searches/_new?output_mode=json&_=1665081769815 HTTP/1.1" 200 2862 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 05876b5304785d93a94e0d4ba00d2e43 3ms -10.56.227.188 - user [06/Oct/2022:18:41:51.172 +0000] "GET 
/en-US/splunkd/__raw/servicesNS/user/launcher/saved/searches/_new?output_mode=json&_=1665081710088 HTTP/1.1" 200 2862 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 05876b5304785d93a94e0d4ba00d2e43 4ms -10.56.227.188 - admin [06/Oct/2022:18:11:47.635 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108912 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:11:00.978 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108894 HTTP/1.1" 200 6588 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:10:07.059 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108875 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:08:52.147 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108863 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:08:29.939 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108858 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms 
-10.56.227.188 - admin [06/Oct/2022:18:08:19.789 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108852 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms -10.56.227.188 - admin [06/Oct/2022:18:06:10.708 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108820 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:04:14.924 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108780 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:03:33.552 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108769 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:03:13.155 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108754 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:03:09.757 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108741 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 
Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:03:04.530 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108733 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 5ms -10.56.227.188 - admin [06/Oct/2022:18:02:54.082 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108722 HTTP/1.1" 200 6592 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms -10.56.227.188 - admin [06/Oct/2022:18:02:16.713 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108692 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:02:14.574 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108685 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:02:07.205 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108673 HTTP/1.1" 200 6591 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 3ms -10.56.227.188 - admin [06/Oct/2022:18:00:21.882 +0000] "GET /en-US/splunkd/__raw/servicesNS/admin/search/saved/searches/_new?output_mode=json&_=1665079108626 HTTP/1.1" 200 6590 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36" - 47dba4d5a0c5ab0b792ca53ee7ac6746 4ms
From 834adb334c77f9e18281a0daed7bf2dbfa80e167 Mon Sep 17 00:00:00 2001
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com>
Date: Wed, 2 Nov 2022 10:17:07 -0700
Subject: [PATCH 11/11] Create splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
---
...on_via_custom_dashboard_leading_to_rce.yml | 54 +++++++++++++++++++
1 file changed, 54 insertions(+)
create mode 100644 detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
diff --git a/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml b/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
new file mode 100644
index 0000000000..8941cbc846
--- /dev/null
+++ b/detections/experimental/application/splunk_code_injection_via_custom_dashboard_leading_to_rce.yml
@@ -0,0 +1,54 @@
+name: Splunk Code Injection via custom dashboard leading to RCE
+id: b06b41d7-9570-4985-8137-0784f582a1b3
+version: 1
+date: '2022-10-11'
+author: Rod Soto
+type: Hunting
+datamodel: []
+description: This hunting search provides information about a vulnerability in Splunk Enterprise versions below 8.2.9, 8.1.12, 9.0.2, where an authenticated user can execute arbitrary code via the dashboard pdf generation component. Please review events with file=export in the _internal index for the potential targets of exploitation.
+search: '`splunkd_ui` uri_path=*/data/ui/views/* OR uri_path=*saved/searches/* | dedup uri_path | eval URL=urldecode("uri_path")| rex field=URL "\/saved\/searches\/(?[^\/]*)" | rex field=URL "\/data\/ui\/views\/(?[^\/]*)" | eval NAME=NAME."( Saved Search )",NAME1=NAME1."( Dashboard )" | eval NAME=coalesce(NAME,NAME1) | eval STATUS=case(match(status,"2\d+"),"SUCCESS",match(status,"3\d+"),"REDIRECTION",match(status,"4\d+") OR match(status,"5\d+"),"ERROR") | stats list(NAME) as DASHBOARD_TITLE,list(method) as HTTP_METHOD,list(status) as Status_Code,list(STATUS) as STATUS by user | rename user as User | `splunk_code_injection_via_custom_dashboard_leading_to_rce_filter`'
+how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index.
+known_false_positives: Not all exports and downloads are malicious, special attention must be put as well on /en-US/splunkd/__raw/services/pdfgen/render in the context of this search.
+references:
+- https://www.splunk.com/en_us/product-security.html
+tags:
+ analytic_story:
+ - Splunk Vulnerabilities
+ asset_type: Endpoint
+ cve:
+ - CVE-2022-43571
+ cis20:
+ - CIS 3
+ - CIS 5
+ - CIS 16
+ confidence: 50
+ context:
+ - Source:Endpoint
+ dataset:
+ - https://raw.githubusercontent.com/splunk/attack_data/master/datasets/attack_techniques/T1210/splunk/splunk_code_injection_via_custom_dashboard_leading_to_rce.txt
+ impact: 50
+ kill_chain_phases:
+ - Exploitation
+ message: Potential exploitation of Code Injection via Dashboard PDF generation.
+ mitre_attack_id:
+ - T1210
+ nist:
+ - DE.CM
+ observable:
+ - name: user
+ type: User
+ role:
+ - Victim
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ required_fields:
+ - user
+ - clientip
+ - uri
+ - uri_path
+ - method
+ - status
+ risk_score: 25
+ security_domain: endpoint
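Review bot: `eval URL=urldecode("uri_path")` in the `search` field decodes the literal string "uri_path" rather than the field's value, so URL is the constant text "uri_path", neither `rex` can match, and DASHBOARD_TITLE comes out empty for every user; it should read `| eval URL=urldecode(uri_path)`. The two `rex` patterns also appear to have lost their capture-group names in this rendering (`(?[^\/]*)` is not a valid group, while the later `NAME`/`NAME1` evals suggest `(?<NAME>[^\/]*)` and `(?<NAME1>[^\/]*)`), so it is worth confirming the committed file still carries them. `dedup uri_path` runs before `stats ... by user`, so a path requested by two different users survives for only one of them; `| dedup user, uri_path` keeps the per-user breakdown intact. The unanchored status regexes (`match(status,"2\d+")` etc.) let codes such as 423 or 520 be labelled SUCCESS because `case` takes the first matching branch; anchoring them (`"^2\d\d$"`) or using `like(status,"2%")` avoids that.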