Splunk Enterprise Ingest Eval Parameter Crash Detection Rule

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Splunk Improperly Formatted Parameter Crashes splunkd - Vulnerability Type: TTP (Tactic, Technique, Procedure) - Description: Detection of an improperly formatted INGEST_EVAL parameter executed in Splunk Enterprise, which may cause the splunkd service to crash. It leverages the Splunk_Audit.Search_Activity data model to identify ad-hoc searches containing specific keywords. 2. Impact: - Impact: May disrupt Splunk operations, potentially leading to data loss and service interruption. - Severity: If confirmed malicious, attackers could exploit this vulnerability to cause a denial-of-service, affecting the availability and reliability of the Splunk environment. 3. Detection Method: - Detection Code: Specific SPL (Splunk Search Processing Language) code is provided for detecting improperly formatted parameters. - Data Source: Detection utilizes the Splunk_Audit.Search_Activity data model. 4. Exploitation: - Known False Positives: This is a hunting search and should focus on affected products; otherwise, false positives may occur. 5. Risk Assessment: - Risk Score: 100 - Impact: 100 - Confidence: 100 - Risk Message: Detected user attempt to exploit ingest eval parameter. 6. Detection Testing: - Test Type: Validation, Unit Test, Integration Test - Test Status: Validation unavailable, Unit Test and Integration Test failed 7. References: - Two links to Splunk security advisories, providing additional information about this vulnerability. 8. Additional Information: - Authors: Chase Franklin, Rod Soto, Splunk - Product: Splunk Enterprise Security - Update Date: October 14, 2024 - Version: 3 This information helps security teams understand the nature, impact, and detection methods of the vulnerability, enabling them to take appropriate measures to protect their Splunk environment.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Enterprise Ingest Eval Parameter Crash Detection Rule