Detection: Cisco Secure Application Alerts
Description
This analytic leverages alerts from Cisco Secure Application (delivered through AppDynamics), which identifies and monitors exploit attempts against business applications. The attacks it observes target vulnerabilities in web applications: injection attacks such as SQL injection, API abuse, SSRF, deserialization of untrusted data, remote code execution attempts, Log4j exploitation and zero-day attacks. They typically aim at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
Cisco Secure Application provides real-time detection of these threats by analyzing application-layer events and correlating attack behaviour with known vulnerability signatures. This detection helps the Security Operations Center (SOC) by:
- Identifying active exploitation attempts in real time, allowing for quicker incident response.
- Categorizing attack severity so that remediation can be prioritized by risk level.
- Providing visibility into attacker activity, including the source IP, the attack signature, and the affected application and server.
- Generating risk-based scoring and contextual alerts to support decision-making within SOC workflows.
- Helping analysts determine whether an attack was merely observed or attempted, or whether it successfully exploited a vulnerability (the attackOutcome field: OBSERVED, ATTEMPTED or EXPLOITED).
With this information, SOC teams can mitigate active threats, patch the vulnerable applications, and enforce security controls to prevent further exploitation.
Search
```spl
`appdynamics_security` blocked=false
| rename attackEvents{}.attackOutcome AS attackOutcome, "attackEvents{}.vulnerabilityInfo.*" AS *
| fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app, clientAddressType, application, tier, "attackEvents{}.*"
| eval socketOut=mvjoin(socketOut," AND ")
| eval risk_score=kennaScore
| fillnull value="0" risk_score
| eval risk_object=app_name
| stats values(*) as * by attackId
| eval severity=case(
    risk_score>=100 OR signature="LOG4J", "critical",
    risk_score>50, "high",
    risk_score=0 AND attackOutcome="EXPLOITED", "high",
    risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
    true(), "low")
| eval risk_message=case(
    (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed, and data may have been exfiltrated to ".socketOut.".",
    (signature="MALIP" OR signature="SQL"), "A vulnerability is being ".attackOutcome." from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed.",
    (signature="DESEREAL"), "The application ".app_name." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.")
| `cisco_secure_application_alerts_filter`
```
Stage by stage: `blocked=false` keeps only attacks that Secure Application observed but did not block; the `rename` hoists each attack event's outcome and its vulnerabilityInfo sub-fields (signature and the rest) to top-level fields; `mvjoin` collapses the outbound sockets into one string for the risk message; `risk_score` is copied from `kennaScore`, with `0` substituted when no score is present; and `stats values(*) as * by attackId` folds all events of one attack into a single row before severity and risk message are assigned. The severity `case()` is evaluated top to bottom and the first match wins: a score of 100 or more, or any LOG4J signature, is critical; 51 to 99 is high; an unscored (0) attack that was actually EXPLOITED is high; anything else at 50 or below that was not merely OBSERVED is medium; everything left over is low.
Two caveats for tuning: eval string concatenation yields null when any operand is null, so an event missing `src_category`, `src_ip`, `dest_nt_host` or (for API, LOG4J and SSRF) `socketOut` produces an empty `risk_message`, and signatures other than the six listed get no message at all. If your alerts show such gaps, add a `fillnull` for those fields or a catch-all branch to the `risk_message` case().
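To see which severity and risk message a given alert would receive before it reaches Enterprise Security, the following Python replica of the search's pipeline can be run over sample alerts. It is an added example, not code from Splunk, Cisco or the AppDynamics add-on. The raw alert layout it assumes (an `attackEvents` array of objects carrying `attackOutcome` and `vulnerabilityInfo`, with `app_name`, `kennaScore`, `src_ip`, `src_category`, `dest_nt_host`, `socketOut` and `blocked` at the top level) is inferred from the fields the search renames and is an assumption, as are the constructed sample events and the `hec_payload` envelope. It implements the severity bands as: score 100 or more or LOG4J critical, 51 to 99 high, unscored but EXPLOITED high, 50 or below and not merely OBSERVED medium, everything else low; and it reproduces the null-propagation of eval concatenation, so an alert without `socketOut` yields no message for the API, LOG4J and SSRF signatures.

```python
"""Local replica of the search's severity and risk_message logic (added example;
not Splunk, Cisco or AppDynamics add-on code). The raw alert layout, an "attackEvents"
array of {"attackOutcome", "vulnerabilityInfo"} objects plus top-level app_name,
kennaScore, src_ip, src_category, dest_nt_host, socketOut and blocked, is an
assumption inferred from the fields the search renames."""
import string

# Constructed sample alerts, not real Secure Application output.
SAMPLE_EVENTS = [
    {"attackId": "atk-1001", "app_name": "orders-api", "blocked": False, "kennaScore": 82,
     "src_ip": "203.0.113.10", "src_category": "external", "dest_nt_host": "web01",
     "attackEvents": [{"attackOutcome": "EXPLOITED", "vulnerabilityInfo": {"signature": "SQL"}}]},
    {"attackId": "atk-1002", "app_name": "orders-api", "blocked": False,  # no kennaScore -> 0
     "src_ip": "203.0.113.11", "src_category": "external", "dest_nt_host": "web01",
     "socketOut": ["198.51.100.7:4444", "198.51.100.8:4444"],
     "attackEvents": [{"attackOutcome": "ATTEMPTED", "vulnerabilityInfo": {"signature": "LOG4J"}}]},
    {"attackId": "atk-1003", "app_name": "billing", "blocked": False, "kennaScore": 30,
     "src_ip": "203.0.113.12", "src_category": "external", "dest_nt_host": "web02",  # no socketOut
     "attackEvents": [{"attackOutcome": "OBSERVED", "vulnerabilityInfo": {"signature": "SSRF"}}]},
    {"attackId": "atk-1004", "app_name": "billing", "blocked": True, "kennaScore": 95,  # blocked
     "src_ip": "203.0.113.13", "src_category": "external", "dest_nt_host": "web02",
     "attackEvents": [{"attackOutcome": "EXPLOITED", "vulnerabilityInfo": {"signature": "SQL"}}]},
]

# risk_message templates, keyed by the signature values the search handles.
MESSAGES = {
    ("API", "LOG4J", "SSRF"): (
        "An attempt to exploit a {signature} vulnerability was made from a {src_category} "
        "IP address {src_ip}. The server {dest_nt_host} hosting application {app_name} was "
        "accessed, and data may have been exfiltrated to {socketOut}."),
    ("MALIP", "SQL"): (
        "A vulnerability is being {attackOutcome} from a {src_category} IP address {src_ip}. "
        "The server {dest_nt_host} hosting application {app_name} was accessed."),
    ("DESEREAL",): (
        "The application {app_name} deserializes untrusted data without sufficiently verifying "
        "that the resulting data will be valid. Data which is untrusted cannot be trusted to be "
        "well-formed. Malformed data or unexpected data could be used to abuse application "
        "logic, deny service, or execute arbitrary code, when deserialized."),
}


def flatten(event):
    """rename attackEvents{}.attackOutcome AS attackOutcome, "attackEvents{}.vulnerabilityInfo.*" AS *
    First value is kept; the search's stats values(*) would keep every distinct value."""
    out = {k: v for k, v in event.items() if k != "attackEvents"}
    for attack_event in event.get("attackEvents", []):
        if "attackOutcome" in attack_event:
            out.setdefault("attackOutcome", attack_event["attackOutcome"])
        for key, value in attack_event.get("vulnerabilityInfo", {}).items():
            out.setdefault(key, value)
    return out


def severity(risk_score, outcome, signature):
    """Severity bands in the same first-match order as the search's case()."""
    rules = [
        (risk_score >= 100 or signature == "LOG4J", "critical"),
        (risk_score > 50, "high"),                                   # 51..99
        (risk_score == 0 and outcome == "EXPLOITED", "high"),        # unscored but exploited
        (risk_score <= 50 and outcome is not None and outcome != "OBSERVED", "medium"),
        (True, "low"),
    ]
    return next(label for cond, label in rules if cond)


def risk_message(fields):
    """Like eval's "." concatenation: a null operand makes the whole message null,
    and a signature outside the listed set has no message at all."""
    for signatures, template in MESSAGES.items():
        if fields.get("signature") in signatures:
            needed = {name for _, name, _, _ in string.Formatter().parse(template) if name}
            if any(fields.get(name) is None for name in needed):
                return None
            return template.format(**fields)
    return None


def triage(raw_events):
    """Run the search's pipeline over raw alerts; returns one row per attackId."""
    rows = {}
    for event in raw_events:
        if event.get("blocked") is not False:           # `appdynamics_security` blocked=false
            continue
        fields = flatten(event)
        rows.setdefault(fields["attackId"], fields)      # stats ... by attackId
    for fields in rows.values():
        sockets = fields.get("socketOut")
        fields["socketOut"] = " AND ".join(sockets) if sockets else None   # mvjoin(socketOut," AND ")
        fields["risk_score"] = fields.get("kennaScore") or 0               # fillnull risk_score
        fields["risk_object"] = fields.get("app_name")
        fields["severity"] = severity(fields["risk_score"], fields.get("attackOutcome"),
                                      fields.get("signature"))
        fields["risk_message"] = risk_message(fields)
    return rows


def hec_payload(event):
    """Envelope for HEC's /services/collector/event endpoint (assumed usage); the
    sourcetype is the one the appdynamics_security macro searches. json.dumps() it to send."""
    return {"sourcetype": "appdynamics_security", "source": "AppDynamics Security", "event": event}
```

Running `triage(SAMPLE_EVENTS)` yields three rows: atk-1001 is high with the SQL message, atk-1002 is critical with a risk score of 0 and the LOG4J message listing both outbound sockets, atk-1003 is low with no risk message because `socketOut` is absent, and atk-1004 is dropped by the `blocked=false` filter.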
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Cisco Secure Application AppDynamics Alerts | N/A | 'appdynamics_security' | 'AppDynamics Security' |
Macros Used
Name | Value |
---|---|
appdynamics_security | sourcetype=appdynamics_security |
cisco_secure_application_alerts_filter | search * |
cisco_secure_application_alerts_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
No MITRE ATT&CK technique (ID / Technique / Tactic) is mapped to this detection.
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
To run this search you need to ingest alert data from AppDynamics Secure Application into Splunk via the HTTP Event Collector (HEC), ensure that the data lands in the sourcetype appdynamics_security (the `appdynamics_security` macro searches that sourcetype), and install the Splunk Add-on for AppDynamics.
Known False Positives
No known false positives for this detection. If the alerts are noisy, tune this detection with the cisco_secure_application_alerts_filter macro in this search and/or adjust the policy in the tool the alerts originate from.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
$risk_message$
Risk Object | Risk Object Type | Risk Score | Threat Objects |
---|---|---|---|
app_name | other | 10 | src_ip |
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | AppDynamics Security | appdynamics_security |
Integration | ✅ Passing | Dataset | AppDynamics Security | appdynamics_security |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1