Data Source: Cisco Secure Application AppDynamics Alerts

Description

Data source object for security alerts emitted by Cisco Secure Application (the AppDynamics Security source).

Details

Property Value
Source AppDynamics Security
Sourcetype appdynamics_security

Supported Apps

Event Fields

Fields (a name containing `{}` refers to a property of each element of a JSON array in the raw event, e.g. `attackEvents{}.clientAddress` is the `clientAddress` inside each entry of `attackEvents`):

- `SourceType`
- `apiServerExternal`
- `app_name`
- `application`
- `attackEventTrigger`
- `attackEvents{}.applicationName`
- `attackEvents{}.attackOutcome`
- `attackEvents{}.attackTypes`
- `attackEvents{}.blocked`
- `attackEvents{}.blockedReason`
- `attackEvents{}.clientAddress`
- `attackEvents{}.clientAddressType`
- `attackEvents{}.clientPort`
- `attackEvents{}.cveId`
- `attackEvents{}.detailJson.apiServerExternal`
- `attackEvents{}.detailJson.apiServerInUrl`
- `attackEvents{}.detailJson.classname`
- `attackEvents{}.detailJson.hostContext`
- `attackEvents{}.detailJson.methodName`
- `attackEvents{}.detailJson.ptype`
- `attackEvents{}.detailJson.socketOut`
- `attackEvents{}.eventType`
- `attackEvents{}.jvmId`
- `attackEvents{}.keyInfo`
- `attackEvents{}.maliciousIpOut`
- `attackEvents{}.maliciousIpSource`
- `attackEvents{}.maliciousIpSourceOut`
- `attackEvents{}.matchedCveName`
- `attackEvents{}.serverAddress`
- `attackEvents{}.serverName`
- `attackEvents{}.serverPort`
- `attackEvents{}.stackTrace`
- `attackEvents{}.tierName`
- `attackEvents{}.timestamp`
- `attackEvents{}.vulnerabilityInfo.cveNvdUrl`
- `attackEvents{}.vulnerabilityInfo.cvePublishDate`
- `attackEvents{}.vulnerabilityInfo.cvssScore`
- `attackEvents{}.vulnerabilityInfo.cvssSeverity`
- `attackEvents{}.vulnerabilityInfo.incidentFirstDetected`
- `attackEvents{}.vulnerabilityInfo.kennaActiveInternetBreach`
- `attackEvents{}.vulnerabilityInfo.kennaEasilyExploitable`
- `attackEvents{}.vulnerabilityInfo.kennaMalwareExploitable`
- `attackEvents{}.vulnerabilityInfo.kennaPopularTarget`
- `attackEvents{}.vulnerabilityInfo.kennaPredictedExploitable`
- `attackEvents{}.vulnerabilityInfo.kennaScore`
- `attackEvents{}.vulnerabilityInfo.library`
- `attackEvents{}.vulnerabilityInfo.title`
- `attackEvents{}.vulnerabilityInfo.type`
- `attackEvents{}.vulnerableMethod`
- `attackEvents{}.webTransactionUrl`
- `attackId`
- `attackLastDetected`
- `attackOutcome`
- `attackSource`
- `attackStatus`
- `attackTypes`
- `blocked`
- `blockedReason`
- `businessTransaction`
- `classname`
- `clientAddressType`
- `cveId`
- `cveNvdUrl`
- `cvePublishDate`
- `cvssScore`
- `cvssSeverity`
- `dest_ip`
- `dest_nt_host`
- `dest_port`
- `eventType`
- `eventtype`
- `host`
- `incidentFirstDetected`
- `index`
- `jvmId`
- `kennaActiveInternetBreach`
- `kennaEasilyExploitable`
- `kennaMalwareExploitable`
- `kennaPopularTarget`
- `kennaPredictedExploitable`
- `kennaScore`
- `keyInfo`
- `linecount`
- `maliciousIpOut`
- `maliciousIpSource`
- `maliciousIpSourceOut`
- `matchedCveName`
- `methodName`
- `ptype`
- `punct`
- `signature`
- `socketAddr`
- `socketFromLog4j`
- `socketOut`
- `source`
- `sourcetype`
- `splunk_server`
- `splunk_server_group`
- `src_category`
- `src_ip`
- `src_port`
- `stackTrace`
- `status`
- `tag`
- `tag::eventtype`
- `tier`
- `tierName`
- `timestamp`
- `vulnLibrary`
- `vulnTitle`
- `vulnType`
- `vulnerableMethod`
- `webTransactionUrl`
- `_bkt`
- `_cd`
- `_eventtype_color`
- `_indextime`
- `_raw`
- `_serial`
- `_si`
- `_sourcetype`
- `_time`

Example Log

```json
{
  "SourceType": "secure_app_attacks",
  "attackId": "24815279",
  "attackSource": "EXTERNAL",
  "attackOutcome": "EXPLOITED",
  "attackTypes": "{SSRF}",
  "attackEventTrigger": "",
  "application": "AD-Ecommerce",
  "tier": "Order-Processing-Services",
  "businessTransaction": "Checkout",
  "attackStatus": "OPEN",
  "attackLastDetected": "2025-01-31 12:30:22 +0000 UTC",
  "attackEvents": [
    {
      "attackOutcome": "EXPLOITED",
      "eventType": "SOCKET_RESOLVE",
      "attackTypes": "SSRF",
      "timestamp": "2025-01-31T12:30:22Z",
      "applicationName": "AD-Ecommerce",
      "tierName": "Order-Processing-Services",
      "maliciousIpOut": "",
      "maliciousIpSourceOut": "",
      "detailJson": {
        "classname": "java.net.SocketPermission",
        "ptype": "SOCKET",
        "socketOut": "www.cisco.com",
        "hostContext": "www.cisco.com",
        "methodName": "sun.net.www.http.HttpClient.openServer",
        "apiServerExternal": true,
        "apiServerInUrl": true
      },
      "blocked": false,
      "blockedReason": "",
      "vulnerableMethod": "org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)",
      "matchedCveName": "CVE-2020-13934",
      "keyInfo": "",
      "cveId": "a21931cd-52fa-11ec-a8b2-8e3051145156",
      "stackTrace": "java.lang.SecurityManager.checkConnect(SecurityManager.java:1051)\nsun.net.www.http.HttpClient.openServer(HttpClient.java:510)\nsun.net.www.protocol.https.HttpsClient.\u003cinit\u003e(HttpsClient.java:264)\nsun.net.www.protocol.https.HttpsClient.New(HttpsClient.java:367)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.getNewHttpClient(AbstractDelegateHttpsURLConnection.java:191)\norg.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule.login(SomeFile.java:12)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1138)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1022)\nsun.net.www.protocol.http.HttpURLConnection$6.run(HttpURLConnection.java:1020)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1019)\nsun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:177)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1546)\nsun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:91)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1466)\nsun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1464)\njava.security.AccessController.doPrivileged(Native Method)\njava.security.AccessController.doPrivilegedWithCombiner(AccessController.java:782)\nsun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1463)\nsun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)\nservlet.ArgentoDemoApp$GenericExecution._executeServletCommand(ArgentoDemoApp.java:850)\nservlet.ArgentoDemoApp$GenericExecution.executeServletCommand(ArgentoDemoApp.java:778)\nservlet.ArgentoDemoApp$MyApplicationExecution.executeServletCommand(ArgentoDemoApp.java:718)\nservlet.ArgentoDemoApp._doGet(ArgentoDemoApp.java:441)\nservlet.ArgentoDemoApp.doGet(ArgentoDemoApp.java:376)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:634)\njavax.servlet.http.HttpServlet.service(HttpServlet.java:741)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\norg.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\norg.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\norg.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)\norg.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)\norg.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)\norg.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)\norg.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)\norg.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)\norg.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)\norg.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)\norg.apache.coyote.http11.Http11Processor.service(Http11Processor.java:373)\norg.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)\norg.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)\norg.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1590)\norg.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)\njava.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)\njava.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)\norg.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)\njava.lang.Thread.run(Thread.java:745)\n",
      "jvmId": "EEcommerce_MS_NODE",
      "maliciousIpSource": "",
      "webTransactionUrl": "https://localhost:8088/argentoDemoApp/execute?upload=https://www.cisco.com/c/dam/cdc/t/ctm-core.js",
      "clientAddressType": 4,
      "clientAddress": "218.132.217.179",
      "serverPort": "1047",
      "serverAddress": "75.155.150.130",
      "clientPort": "68389",
      "serverName": "/usr/src/argento/prod/demo-run/tomcat-demo-app/webapps/argentoDemoApp/",
      "vulnerabilityInfo": {
        "cvePublishDate": "2020-07-15T16:40:14.601976Z",
        "cvssScore": 5.3,
        "cvssSeverity": "MEDIUM",
        "cveNvdUrl": "https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHETOMCATEMBED-584427",
        "incidentFirstDetected": "2020-07-15T16:40:14.601976Z",
        "kennaScore": 53.0971,
        "library": "org.apache.tomcat.embed:tomcat-embed-core",
        "title": "Denial of Service (DoS)",
        "type": "java",
        "kennaActiveInternetBreach": false,
        "kennaEasilyExploitable": false,
        "kennaMalwareExploitable": false,
        "kennaPredictedExploitable": true,
        "kennaPopularTarget": false
      }
    }
  ]
}
```

Source: GitHub | Version: 1