Splunk Sensitive Information Disclosure in DEBUG Logging Channels Detection Rule

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Splunk Sensitive Information Disclosure in DEBUG Logging Channels - Description: In Splunk versions 9.3, 9.2, 9.1, and 9.1.5, applications enabled with DEBUG log level may write sensitive information (such as keys, tokens, or other sensitive strings) to internal indexes. 2. Search Query: - Use SPL (Search Processing Language) to detect sensitive information leakage: 3. Data Source: - Name: Splunk - Platform: Splunk - Source Type: - Source: - Supported Apps: N/A 4. Macro Usage: - Macro Names: and - is a default-empty macro that allows users to filter out any results (false positives) without editing the SPL. 5. Default Configuration: - Disabled: true - Cron Schedule: 0 - Earliest Time: -70m@m - Latest Time: -10m@m - Schedule Window: auto - Create Risk Event: false 6. Known False Positives: - Since not every DEBUG log message exposes sensitive information, false positives are possible. 7. Associated Analytics Story: - Splunk Vulnerabilities 8. Risk-Based Analytics (RBA): - Risk Message: Possible sensitive credential information found in DEBUG logs for component $component$ - Risk Score: 45 - Impact: 50 - Confidence: 90 9. References: - Three links to Splunk security advisories 10. Detection Testing: - Validation: Verified using the tool or UI - Unit Test: Verified using - Integration Test: Verified using 11. Source: - Source: GitHub - Version: 1 This information provides a detailed description and detection method for the vulnerability involving sensitive information disclosure via DEBUG logging channels in Splunk.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Sensitive Information Disclosure in DEBUG Logging Channels Detection Rule