Initial Access (TA0001)(external, opens in a new tab or window)
network_traffic(external, opens in a new tab or window)
text code block:from logs-network_traffic.http*, logs-zeek.http*, logs-suricata.eve* | where http.request.method == "POST" and ( url.path like "*splunkd/__raw/v1/postgres/recovery/*" or url.path like "/v1/postgres/recovery/*" ) | eval Esql.is_backup = case(url.path like "*/backup", 1, 0) | eval Esql.is_restore = case(url.path like "*/restore", 1, 0) | stats Esql.backup_count = SUM(Esql.is_backup), Esql.restore_count = SUM(Esql.is_restore), Esql.first_seen = MIN(@timestamp), Esql.last_seen = MAX(@timestamp), Esql.statuses = VALUES(http.response.status_code) by source.ip, destination.ip | eval Esql.duration_minutes = DATE_DIFF("minute", Esql.first_seen, Esql.last_seen) | where Esql.backup_count >= 1 and Esql.restore_count >= 1 and Esql.duration_minutes <= 15 | keep source.ip, destination.ip, Esql.*
Install detection rules in Elastic Security
Detect Splunk Enterprise PostgreSQL Backup-to-Restore Potential RCE Sequence in the Elastic Security detection engine by installing this rule into your Elastic Stack.
To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(external, opens in a new tab or window).