text code block:`mcp_server` (method IN ("read_file", "get_file_contents", "read", "search_files", "find_files", "grep", "search", "list_directory", "read_directory")) (params.path="*.ssh*" OR params.path="*Administrator*" OR params.path="*credentials*" OR params.path="*password*" OR params.path="*.env*" OR params.path="*id_rsa*" OR params.path="*.pem*" OR params.path="*.ppk*" OR params.path="*.key*" OR params.path="*secrets*" OR params.path="*.aws*" OR params.path="*.config*" OR params.pattern="*password*" OR params.pattern="*key*" OR params.pattern="*secret*" OR params.pattern="*credential*" OR params.pattern="*token*" OR params.pattern="*auth*" OR params.pattern="*api_key*" OR params.pattern="*private_key*") | eval dest=host | eval detection_type=case( method IN ("read_file", "get_file_contents", "read"), "PATH_ACCESS", method IN ("search_files", "find_files", "grep", "search"), "PATTERN_SEARCH", method IN ("list_directory", "read_directory"), "DIRECTORY_ENUM", 1=1, "UNKNOWN") | eval target_path=coalesce('params.path', 'params.directory', 'params.file') | eval search_pattern=coalesce('params.pattern', 'params.query', 'params.search') | stats count min(_time) as firstTime max(_time) as lastTime values(detection_type) as detection_types values(target_path) as targeted_paths values(search_pattern) as search_patterns values(method) as methods_used by dest, source | eval time_span_seconds=lastTime-firstTime | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | table dest firstTime lastTime count source detection_types methods_used targeted_paths search_patterns time_span_seconds | `mcp_sensitive_system_file_search_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).