Splunk KVStore Maintenance Mode CSRF Vulnerability Detection Rule (SVD-2024-1007)

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Splunk Disable KVStore via CSRF Enabling Maintenance Mode - Vulnerability Type: TTP (Tool, Technique, Procedure) - Description: In Splunk Enterprise versions 9.3.1, 9.2.3, 9.1.6, and Splunk Cloud Platform versions 9.2.2403.108, 9.1.2312.204, 9.1.2308.211, low-privileged users can change the App Key Value Store (KVStore) maintenance mode status via Cross-Site Request Forgery (CSRF). 2. Search Query: - Uses a MySQL query to detect changes in maintenance mode. 3. Data Source: - Data source: Splunk, data type: 'splunkd_ui_access', log file: 'splunkd_ui_access.log'. 4. Macros Used: - Two macros are used: and . 5. Default Configuration: - Configures rule disable status, cron scheduling, earliest and latest time, whether to create significant events, rule title, rule description, significant event fields, whether to create risk events, etc. 6. Known False Positives: - The search may generate false positives; validation is required to check the context of access and usage of GET requests for changing KVStore maintenance mode, especially by non-administrator users. 7. Associated Analytics Story: - Splunk Vulnerabilities 8. Risk-Based Analysis (RBA): - Vulnerability Description: Potential CSRF attack by placing KVStore in maintenance mode. - Risk Score: 25 - Impact: 50 - Confidence: 50 9. Reference Links: - https://advisory.splunk.com/advisories/SVD-2024-1007 10. Detection Testing: - Validation, unit tests, and integration tests all passed. 11. Source: - Source: GitHub, version: 1. This information provides detailed descriptions of the vulnerability, detection methods, configuration settings, and risk assessment.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk KVStore Maintenance Mode CSRF Vulnerability Detection Rule (SVD-2024-1007)