You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: detections/application/cisco_secure_application_alerts.yml
+8-8Lines changed: 8 additions & 8 deletions
Original file line number
Diff line number
Diff line change
@@ -38,13 +38,13 @@ search: |-
38
38
risk_score=0 AND attackOutcome="OBSERVED", "low"
39
39
)
40
40
| eval risk_message=case(
41
-
(signature="API" OR signature="LOG4J" OR signature="SSRF"), "An ".attackOutcome." ".signature." vulnerability is attempted to be abused from ".src_category." IP address ".src_ip." and was seen connecting to server ".dest_nt_host." hosting application ".app_name." and possibly exfiltrating data to ".socketOut."",
42
-
(signature="MALIP" OR signature="SQL"), "A vulnerability is being ".attackOutcome." to be abused from ".src_category." IP address ".src_ip." and was seen connecting to server ".dest_nt_host." hosting application ".app_name.".",
43
-
(signature="DESEREAL"), "The application ".app_name." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."
44
-
)
45
-
| `cisco_secure_application_alerts_filter`
46
-
how_to_implement: In order to properly run this search, you need to ingest alerts data from AppD SecureApp, specifically ingesting data via HEC. You will also need to ensure that the data is going to sourcetype appdynamics_security. You will need to install the Splunk Add-on for AppDynamics. This add-on will give the needed field aliases to properly run this search. In a future update you will be able to run this detection if ingesting data via the TA.
47
-
known_false_positives: None known at this time
41
+
(signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed, and data may have been exfiltrated to ".socketOut.".",
42
+
(signature="MALIP" OR signature="SQL"), "A vulnerability is being ".attackOutcome." from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed.",
43
+
(signature="DESEREAL"), "The application ".app_name." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."
44
+
)
45
+
| `cisco_secure_application_alerts_filter`
46
+
how_to_implement: In order to properly run this search, you need to ingest alerts data from AppD SecureApp, specifically ingesting data via HEC. You will also need to ensure that the data is going to sourcetype - `appdynamics_security`. You will need to install the Splunk Add-on for AppDynamics.
47
+
known_false_positives: None known at this time but if there are false positives, please reach filter out these using the filter macro to reduce alert fatigue
manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
82
+
#manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
0 commit comments