Detection: Splunk Secure Application Alerts for Runtime Security
EXPERIMENTAL DETECTION
This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.
Description
The following analytic leverages alerts from Splunk Secure Application, which identifies and monitors exploit attempts targeting business applications. Attacks observed include exploiting vulnerabilities in web applications, such as injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution, LOG4J, and zero-day attacks. These events are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
Splunk Secure Application provides real-time detection of these threats by analyzing application-layer events and correlating attack behavior with known vulnerability signatures. This detection methodology helps the Security Operations Center (SOC) by:
- Identifying active exploitation attempts in real-time, allowing for quicker incident response.
- Categorizing attack severity to prioritize remediation efforts based on risk level.
- Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.
- Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.
- Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.
By leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.
Search
```spl
`secureapp_attack`
| rename attackEvents{}.* AS *, detailJson.* AS *, vulnerabilityInfo.* AS *
| fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app, clientAddressType, "attackEvents{}.* status"
| eval socketOut=mvjoin(socketOut," AND ")
| eval risk_score=kennaScore
| fillnull risk_score value="0"
`secureapp_es_field_mappings`
| dedup gid
| eval severity=case(
    risk_score>=75 OR signature="LOG4J", "critical",
    risk_score>50 AND risk_score<75, "high",
    risk_score=0 AND attackOutcome="EXPLOITED", "high",
    risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
    risk_score=0 AND attackOutcome="ATTEMPTED", "medium",
    risk_score=0, "low",
    risk_score=0 AND attackOutcome="OBSERVED", "low"
)
| eval rule_description=case(
    attacktypecount>1, mvjoin(mvappend("Multiple different attack types have been seen against the application", mvdedup(app), "This includes", mvdedup(signature), "attacks. Review the", mvdedup(dest_nt_host), "server for signs of exploitation"), " "),
    (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app." was accessed, and data may have been exfiltrated to ".ip.".",
    (signature="SQL"), "IP address ".src_ip." has attempted a SQL injection via ".src_category.". The server ".dest_nt_host." hosting application ".app." may have executed this SQL statement and should be reviewed.",
    (signature="DESEREAL"), "The application ".app." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.",
    (signature="RCE"), "An attacker tried to perform Remote Code Execution by running the command ".command." in the ".file_path." directory. The server ".dest_nt_host." hosting application ".app." ".action." this command."
)
| `splunk_secure_application_alerts_for_runtime_security_filter`
```
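The severity `case()` above is evaluated first-match-wins and yields null when no branch matches. The following added example (not Splunk's code) re-implements that branch order in Python over constructed sample alerts, so a detection engineer can check offline which combinations of `kennaScore`, `attackOutcome` and `signature` receive a severity and which fall through with none.

```python
"""Offline mirror of the detection's severity case() for tuning checks.

Added example, not part of the Splunk detection. Field names follow the
search above; the sample alerts are constructed, not real product output.
"""
from typing import Optional


def risk_score(event: dict) -> float:
    # eval risk_score=kennaScore, then fillnull risk_score value="0"
    score = event.get("kennaScore")
    return float(score) if score is not None else 0.0


def severity(event: dict) -> Optional[str]:
    """First matching branch wins, like SPL case(); None stands for null."""
    r = risk_score(event)
    outcome = event.get("attackOutcome")
    sig = event.get("signature")
    # In SPL a comparison against a null field is false, so attackOutcome!="OBSERVED"
    # does NOT match an alert whose attackOutcome is missing; mirror that here.
    not_observed = outcome is not None and outcome != "OBSERVED"
    branches = [
        (r >= 75 or sig == "LOG4J", "critical"),
        (50 < r < 75, "high"),
        (r == 0 and outcome == "EXPLOITED", "high"),
        (r <= 50 and not_observed, "medium"),
        (r == 0 and outcome == "ATTEMPTED", "medium"),
        (r == 0, "low"),
        (r == 0 and outcome == "OBSERVED", "low"),  # never reached: r == 0 already matched
    ]
    for cond, label in branches:
        if cond:
            return label
    return None  # no branch matched: severity is null in the search results


# Constructed sample alerts (not real Secure Application events).
SAMPLE_ALERTS = [
    {"gid": "a1", "signature": "LOG4J", "kennaScore": 10, "attackOutcome": "ATTEMPTED"},
    {"gid": "a2", "signature": "SQL", "kennaScore": 60, "attackOutcome": "OBSERVED"},
    {"gid": "a3", "signature": "RCE", "attackOutcome": "EXPLOITED"},  # kennaScore missing
    {"gid": "a4", "signature": "SSRF", "kennaScore": 30, "attackOutcome": "OBSERVED"},
    {"gid": "a5", "signature": "API", "kennaScore": 0, "attackOutcome": "OBSERVED"},
]


def classify(alerts: list) -> dict:
    return {a["gid"]: severity(a) for a in alerts}


def unclassified(alerts: list) -> list:
    """Alerts that would reach ES with a null severity; candidates for tuning."""
    return [a["gid"] for a in alerts if severity(a) is None]
```

Alert `a4` (a non-zero score of 50 or below with outcome `OBSERVED`) matches no branch, which is the kind of gap worth covering in the `_filter` macro or a local copy of the search.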
Data Source
No data sources specified for this detection.
Macros Used
| Name | Value |
|---|---|
| secureapp_attack | sourcetype=secureapp_attack |
| splunk_secure_application_alerts_for_runtime_security_filter | search * |
splunk_secure_application_alerts_for_runtime_security_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | No |
| Creates Intermediate Finding (Risk Event) | Yes |
Implementation
Create the secureapp_attack sourcetype in Splunk Enterprise Security. Configure Splunk Enterprise Security to receive alerts from Observability Cloud via HEC. Configure Secure Application Alerts in Observability Cloud to send alerts to Enterprise Security. Full details can be found in the referenced Lantern article.
Known False Positives
No known false positives for this detection. If alerts are noisy, tune this detection with the _filter macro or configure the originating tool.
Associated Analytic Story
Intermediate Findings
| Message | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| $rule_description$ | dest_ip | system | 20 |
Threat Objects
| Field | Type |
|---|---|
| src_ip | ip_address |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | Not Applicable | N/A | N/A | N/A |
| Unit | ❌ Failing | Dataset | not_applicable | secureapp_attack |
| Integration | ❌ Failing | Dataset | not_applicable | secureapp_attack |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub | Version: 1