nuclei-templates/http/technologies/splunkhec-detect.yaml

id: splunkhec-detect

info:
  name: Splunk HCE - detect
  author: idealphase
  severity: info
  description: |
    Splunk HCE (HTTP Event Collector (HEC)) was detected.
  reference:
    - https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/
    - https://community.splunk.com/t5/Getting-Data-In/How-to-check-if-an-HEC-is-up-or-not-before-posting-any-data-to/td-p/417404
  metadata:
    verified: true
    max-request: 1
  tags: tech,splunk,detect

http:
  - method: GET
    path:
      - "{{BaseURL}}/services/collector/health"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_any(body, "{\"text\":\"HEC is healthy\",\"code\":17}")'
        condition: and
Add splunkhec-detect.yaml Add splunkhec-detect.yaml 2024-03-27 11:23:30 +00:00			`id: splunkhec-detect`

			`info:`
			`name: Splunk HCE - detect`
			`author: idealphase`
			`severity: info`
			`description: \|`
			`Splunk HCE (HTTP Event Collector (HEC)) was detected.`
			`reference:`
			`- https://dev.splunk.com/enterprise/docs/devtools/httpeventcollector/`
			`- https://community.splunk.com/t5/Getting-Data-In/How-to-check-if-an-HEC-is-up-or-not-before-posting-any-data-to/td-p/417404`
			`metadata:`
			`verified: true`
			`max-request: 1`
			`tags: tech,splunk,detect`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/services/collector/health"`

			`matchers:`
			`- type: dsl`
			`dsl:`
			`- 'status_code == 200'`
			`- 'contains_any(body, "{\"text\":\"HEC is healthy\",\"code\":17}")'`
			`condition: and`