| ID | Technique | Tactic |
|---|---|---|
| T1499 | Endpoint Denial of Service | Impact |
Detection: Splunk DoS via POST Request Datamodel Endpoint
Description
The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.
Search
1`splunkd_webs` log_level=INFO message="ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down"
2| stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| `splunk_dos_via_post_request_datamodel_endpoint_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| N/A | N/A | N/A | N/A | N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| splunk_dos_via_post_request_datamodel_endpoint_filter | search * |
splunk_dos_via_post_request_datamodel_endpoint_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.ACTIONS_ON_OBJECTIVES
NistCategory.DE_AE
Cis18Value.CIS_10
Sandworm Team
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Risk Event | False |
This configuration file applies to all detections of type hunting.
Implementation
Need access to the internal indexes.
Known False Positives
This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Possible Denial of Service attack against $splunk_server$ | 50 | 100 | 50 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/web_service.log |
splunk_web_service |
| Integration | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/web_service.log |
splunk_web_service |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1