no known false positives for this detection. if the alerts are noisy, consider tuning this detection by using the _filter macro in this search, and/or updating the tool this alert originates from.

Techniques

Sample rules

Cisco Secure Application Alerts

source: splunk
technicques:

Description

The following analytic is to leverage alerts from Cisco SecureApp, which identifies and monitors exploit attempts targeting business applications. The primary attack observed involves exploiting vulnerabilities in web applications, including injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution attempts, LOG4J and zero day attacks. These attacks are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.

Cisco SecureApp provides real-time detection of these threats by analyzing application-layer events and correlating attack behavior with known vulnerability signatures. This detection methodology helps the Security Operations Center (SOC) by:

Identifying active exploitation attempts in real-time, allowing for quicker incident response.
Categorizing attack severity to prioritize remediation efforts based on risk level.
Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.
Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.
Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.

By leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.

Detection logic

`appdynamics_security` blocked=false 

| rename attackEvents{}.attackOutcome AS attackOutcome, "attackEvents{}.vulnerabilityInfo.*" AS * 

| fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app clientAddressType, application, tier, "attackEvents{}.*" 

| eval socketOut=mvjoin(socketOut," AND ") 

| eval risk_score=kennaScore 

| fillnull risk_score value="0" 

| eval risk_object=app_name 

| stats values(*) as * by attackId 

| eval severity=case(
    risk_score>=100 OR signature="LOG4J", "critical",
    risk_score>50 AND risk_score<75, "high",
    risk_score=0 AND attackOutcome="EXPLOITED", "high",
    risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
    risk_score=0 AND attackOutcome="ATTEMPTED", "medium",
    risk_score=0, "low",
    risk_score=0 AND attackOutcome="OBSERVED", "low"
    ) 

| eval risk_message=case(
  (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed, and data may have been exfiltrated to ".socketOut.".",
  (signature="MALIP" OR signature="SQL"), "A vulnerability is being ".attackOutcome." from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app_name." was accessed.",
  (signature="DESEREAL"), "The application ".app_name." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized."
  )

| `cisco_secure_application_alerts_filter`