Merge pull request #2178 from splunk/TR1807fix
Removing false positives
josehelps committed Apr 27, 2022
2 parents 106e451 + 2856666 commit ab74318
Showing 1 changed file with 2 additions and 2 deletions.
@@ -1,12 +1,12 @@
name: Splunk DoS via Malformed S2S Request
id: fc246e56-953b-40c1-8634-868f9e474cbd
version: 1
version: 2
date: '2022-03-24'
author: Lou Stella, Splunk
type: TTP
datamodel: []
description: On March 24th, 2022, Splunk published a security advisory for a possible Denial of Service stemming from the lack of validation in a specific key-value field in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation in patched versions of Splunk.
search: '`splunkd` log_level=ERROR component=TcpInputProc thread_name=FwdDataReceiverThread | table host, src | `splunk_dos_via_malformed_s2s_request_filter`'
search: '`splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDataReceiverThread" "Invalid _meta atom" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`'
how_to_implement: This detection does not require you to ingest any new data. The detection does require the ability to search the _internal index. This detection will only find attempted exploitation on versions of Splunk already patched for CVE-2021-3422.
known_false_positives: None.
references:
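Review bot: `known_false_positives` still reads `None.` even though the commit exists to remove false positives; the narrowing of the search from any `log_level=ERROR component=TcpInputProc thread_name=FwdDataReceiverThread` event to those that also contain the literal `"Invalid _meta atom"` implies that other errors from that thread were firing before, and the field should say what was excluded so that analysts tuning `splunk_dos_via_malformed_s2s_request_filter` know the residual scope (for example: other `TcpInputProc` errors on `FwdDataReceiverThread` are not related to CVE-2021-3422 and are no longer matched). Separately, `version` is bumped from `1` to `2` but `date` stays at `'2022-03-24'`; bump the date alongside the version so the metadata reflects the modification, and confirm that `"Invalid _meta atom"` is the exact error text emitted by patched builds, since a bare quoted phrase is a raw-text match and any difference in wording or casing would silence the detection entirely.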