LetsDefend Monitoring Alert
Remote Code Execution Detected in Splunk Enterprise
Nov, 21, 2023, 12:24 PM
Event ID: 201
Event Time: Nov, 21, 2023, 12:24 PM
Rule Name: SOC239 - Remote Code Execution Detected in Splunk Enterprise
Alert Type: Unauthorized Access
MITRE Techniques:
T1190 - Initial Access - Exploit Public-Facing Application
T1136 - Persistence - Create Account
T1199 - Initial Access - Trusted Relationship
T1059.004 - Execution - Command and Scripting Interpreter: Unix Shell
T1210 - Lateral Movement - Exploitation of Remote Services
Real World Example: Splunk App for Lookup File Editing RCE via User XSLT
Severity: High
Security Analyst