updating test

Author: patel-bhavin

detections/application/cisco_ai_defense_security_alerts.yml

@@ -8,7 +8,12 @@ type: Anomaly
 description: The search surfaces alerts from the Cisco AI Defense product for potential attacks agaisnt the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.
 data_source:
 - Cisco AI Defense Alerts
-search: '`cisco_ai_defense ` | stats count values(event_message_type) values(event_action) values(policy.policy_name) as policy_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type by connection.connection_name genai_application.application_name  application_id| `cisco_ai_defense_security_alerts_filter`'
+search: '`cisco_ai_defense ` | rename genai_application.application_name as application_name | rename connection.connection_name as connection_name | stats count values(event_message_type) values(event_action) values(policy.policy_name) as policy_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type by connection_name application_name 
+| eval severity=case(
+    policy_name="AI Runtime Latency Testing - Prompt Injection", "critical",
+    policy_name="AI Runtime Latency Testing - Code Detection", "high", 
+    guardrail_ruleset_type IN ("Toxicity"), "medium" ) 
+| table severity policy_name connection_name application_name guardrail_ruleset_type guardrail_entity_name | where severity != "" |`cisco_ai_defense_security_alerts_filter`'
 how_to_implement: To enable this detection, you need to ingest alerts from the Cisco AI Defense product. This can be done by using this app from splunkbase - Cisco Security Cloud and ingest alerts into the cisco:ai:defense sourcetype.
 known_false_positives: False positives may vary based on Cisco AI Defense configuration; monitor and filter out the alerts that are not relevant to your environment.
 references:
@@ -29,9 +34,6 @@ rba:
   - field: application_id
     type: other
     score: 10
-  threat_objects:
-  - field: user_id
-    type: user
 tags:
   analytic_story:
   - Critical Alerts
@@ -44,7 +46,7 @@ tags:
 tests:
 - name: True Positive Test
   attack_data:
-  - data: __UPDATE__ the data file to replay. Go to https://github.com/splunk/contentctl/wiki
-      for information about the format of this field
-    sourcetype: __UPDATE__ the sourcetype of your data file.
-    source: __UPDATE__ the source of your datafile
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/cisco_ai_defense_alerts/cisco_ai_defense.log
+    source: cisco_ai_defense
+    sourcetype: cisco:ai:defense
+