| ID | Technique | Tactic |
|---|---|---|
| T1499 | Endpoint Denial of Service | Impact |
Detection: Splunk ES DoS Investigations Manager via Investigation Creation
Description
The following analytic detects the creation of malformed Investigations in Splunk Enterprise Security (ES) versions lower than 7.1.2, which can lead to a denial of service (DoS). It leverages internal Splunk logs, specifically monitoring the splunkd_investigation_rest_handler with error statuses during investigation creation. This activity is significant as it can disrupt the functionality of the Investigations manager, hindering incident response efforts. If confirmed malicious, this could prevent security teams from accessing critical investigation data, severely impacting their ability to manage and respond to security incidents effectively.
Search
1`splunkd_investigation_rest_handler` method=put msg=*investigation* status=error
2| stats count min(_time) as firstTime max(_time) as lastTime by user host method msg
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| `splunk_es_dos_investigations_manager_via_investigation_creation_filter`
Data Source
| Name | Platform | Sourcetype | Source | Supported App |
|---|---|---|---|---|
| Splunk |  Splunk |
'splunkd_ui_access' |
'splunkd_ui_access.log' |
N/A |
Macros Used
| Name | Value |
|---|---|
| security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
| splunk_es_dos_investigations_manager_via_investigation_creation_filter | search * |
splunk_es_dos_investigations_manager_via_investigation_creation_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
KillChainPhase.ACTIONS_ON_OBJECTIVES
NistCategory.DE_CM
Cis18Value.CIS_10
Sandworm Team
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires access to internal indexes. Only affects Splunk Enterprise Security versions lower than 7.1.2.
Known False Positives
The vulnerability requires an authenticated session and access to create an Investigation. It only affects the availability of the Investigations manager, but without the manager, the Investigations functionality becomes unusable for most users. This search gives the exact offending event.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| Denial of Service Attack against Splunk ES Investigation Manager by $user$ | 100 | 100 | 100 |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/investigation_handler.log |
investigation_rest_handler |
| Integration | ✅ Passing | Dataset | /opt/splunk/var/log/splunk/investigation_handler.log |
investigation_rest_handler |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2