Merge pull request #3412 from splunk/cisco_ai_defense

patel-bhavin · web-flow · commit 13800a7ec124 · 2025-03-26T14:01:00.000-07:00
Cisco AI defense - Move to prod
diff --git a/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml b/detections/application/cisco_ai_defense_security_alerts_by_application_name.yml
@@ -1,9 +1,9 @@
 name: Cisco AI Defense Security Alerts by Application Name
 id: 105e4a69-ec55-49fc-be1f-902467435ea8
-version: 1
-date: '2025-02-14'
+version: 2
+date: '2025-03-21'
 author: Bhavin Patel, Splunk
-status: experimental
+status: production
 type: Anomaly
 description: The search surfaces alerts from the Cisco AI Defense product for potential attacks against the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.
 data_source:
@@ -43,8 +43,12 @@ references:
 - https://www.robustintelligence.com/blog-posts/prompt-injection-attack-on-gpt-4
 - https://docs.aws.amazon.com/prescriptive-guidance/latest/llm-prompt-engineering-best-practices/common-attacks.html
 drilldown_searches:
-- name: View risk events for the last 7 days for - "$application_id$"
-  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_id$" ) starthoursago=168  | stats count min(_time)
+- name: View the detection results for - "$application_name$"
+  search: '%original_detection_search% | search  application_name = "$application_name$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$application_name$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$application_name$") starthoursago=168  | stats count min(_time)
     as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
     as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
     as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
@@ -67,9 +71,10 @@ tags:
     - Splunk Enterprise Security
     - Splunk Cloud
     security_domain: endpoint
+    manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection.
 tests:
   - name: True Positive Test
     attack_data:
-    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense.log
+    - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense_alerts.json
       source: cisco_ai_defense
       sourcetype: cisco:ai:defense
