Splunk SVD-2024-1002 Low-Privilege Privilege Escalation Detection Rule

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Name: Splunk Low-Priv Search as nobody - Vulnerability Type: Hunting - Description: In Splunk Enterprise versions 9.3.1 and below 9.2.0, and in Splunk Cloud Platform versions 9.2.2403.103, 9.1.2312.200, 9.1.2312.110, and 9.1.2308.208, low-privileged users (without "admin" or "power" Splunk roles) can access restricted data using "nobody" search. 2. Search: - SPL (Search Processing Language) code used: 3. Data Source: - Data Source Name: Splunk - Platform: Splunk - Source Type: 'splunkd_ui_access' - Source: 'splunkd_ui_access.log' - Supported Apps: N/A 4. Macro Usage: - Macro Used: 5. Notes: - This macro is an empty macro used for filtering results (false positives). 6. Default Configuration: - Configuration applies to all Hunting-type detections. 7. Implementation: - Requires access to REST API. 8. Known False Positives: - This search displays valid permissions for SplunkDeploymentServerConfig. If permissions are insufficient, remediation is required. Refer to SVD-2024-1002 for more information on these permissions. 9. Associated Analytics Story: - Splunk Vulnerabilities 10. Risk-Based Analysis (RBA): - Risk Message: Please verify and adjust $label$ permissions on $splunk_server$ according to SVD-2024-1002 Advisory. - Risk Score: 90 - Impact: 90 - Confidence: 100 11. References: - https://advisory.splunk.com/advisories/SVD-2024-1002 12. Detection Testing: - Validation: Passed - Unit Test: Passed - Integration Test: Passed 13. Source: - GitHub - Version: 1 This information helps understand the vulnerability's context, impact, and how to test and remediate it.

Goal Reached Thanks to every supporter — we hit 100%!

Splunk SVD-2024-1002 Low-Privilege Privilege Escalation Detection Rule