
Commit 8a05a0f

authored
Update splunk_unauthenticated_log_injection_web_service_log.yml
1 parent d3806e5 commit 8a05a0f

1 file changed: +1 -1 lines changed


detections/application/splunk_unauthenticated_log_injection_web_service_log.yml

Lines changed: 1 addition & 1 deletion
@@ -6,7 +6,7 @@ author: Rod Soto
66
status: production
77
type: Hunting
88
data_source: []
9-
description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk Server.
9+
description: An attacker can use a specially crafted web URL in their browser to cause log file injection, in which the attack inserts American National Standards Institute (ANSI) escape codes into specific files using a terminal program that supports those escape codes. The attack requires a terminal program that supports the translation of ANSI escape codes and requires additional user interaction to successfully execute. This following analytic detects potential log injection attempts into the Splunk server.
1010
search: '`splunkd_webx` uri_path IN ("*\x1B*", "*\u001b*", "*\033*", "*\0x9*", "*\0x8*") | stats count by uri_path method host status clientip | `splunk_unauthenticated_log_injection_web_service_log_filter`'
1111
how_to_implement: This only affects web enabled Splunk instances. The detection does require the ability to search the _internal index.
1212
known_false_positives: This hunting search will produce false positives if ANSI escape characters are included in URLs either voluntarily or by accident. This search will not detect obfuscated ANSI characters.
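Review bot: since the description line is already being edited here (only "Server" becomes "server"), the wording "This following analytic detects potential log injection attempts" in that same line should be fixed in the same commit, e.g. "This analytic detects potential log injection attempts into the Splunk server"; a description-only change is the right place for it and avoids a second cosmetic commit. Separately, the unchanged `search` context line matches on `"*\0x9*"` and `"*\0x8*"`, which mix the `\x` hex form used by `"*\x1B*"` with a leading `\0`; if tab and backspace are the intended characters, confirm that these literals match what appears in `uri_path` in the `_internal` index, since a `\0` prefix is not the same escape as `\x09` / `\x08` and the pattern may silently match nothing.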
