From 0f0d5d9a69d32b127ce40e7e2747d5809b61a92c Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Wed, 27 May 2026 08:53:31 -0500
Subject: [PATCH 01/12] new o11y secure application detection
---
.../splunk_secure_application_alerts.yml | 87 +++++++++++++++++++
macros/secureapp_field_mappings.yml | 3 +
2 files changed, 90 insertions(+)
create mode 100644 detections/application/splunk_secure_application_alerts.yml
create mode 100644 macros/secureapp_field_mappings.yml
diff --git a/detections/application/splunk_secure_application_alerts.yml b/detections/application/splunk_secure_application_alerts.yml
new file mode 100644
index 0000000000..cdbad04e60
--- /dev/null
+++ b/detections/application/splunk_secure_application_alerts.yml
@@ -0,0 +1,87 @@
+name: Splunk Secure Application Alerts
+id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
+version: 1
+date: '2026-05-27'
+author: Ryan Long, Bhavin Patel, Bryan Pluta Splunk
+status: experimental
+type: TTP
+description: |
+ The following analytic is to leverage alerts from Splunk Secure Application, which identifies and monitors exploit attempts targeting business applications. The primary attack observed involves exploiting vulnerabilities in web applications, including injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution attempts, LOG4J and zero day attacks. These attacks are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
+
+ Secure Application attacks detection is not primarily based on exploiting vulnerabilities. It is based on correlating attack events and also mapping in any vulnerable code executed along the way. This detection methodology helps the Security Operations Center (SOC) by:
+
+ * Identifying active exploitation attempts in real-time, allowing for quicker incident response.
+ * Categorizing attack severity to prioritize remediation efforts based on risk level.
+ * Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.
+ * Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.
+ * Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.
+
+ By leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.
+data_source:
+ - Splunk Secure Application Alert
+search: |-
+ sourcetype=secureapp_attack
+ | rename attackEvents{}.* AS *, detailJson.* AS *, vulnerabilityInfo.* AS *
+ | fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app clientAddressType, "attackEvents{}.* status"
+ | eval socketOut=mvjoin(socketOut," AND ")
+ | eval risk_score=kennaScore
+ | fillnull risk_score value="0"
+ `secureapp_es_field_mappings`
+ | dedup gid
+ | eval severity=case(
+ risk_score>=75 OR signature="LOG4J", "critical",
+ risk_score>50 AND risk_score<75, "high",
+ risk_score=0 AND attackOutcome="EXPLOITED", "high",
+ risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
+ risk_score=0 AND attackOutcome="ATTEMPTED", "medium",
+ risk_score=0, "low",
+ risk_score=0 AND attackOutcome="OBSERVED", "low"
+ )
+ | eval rule_description=case(
+ attacktypecount>1, mvjoin(mvappend("Multiple different attack types have been seen against the application", mvdedup(app), "This includes", mvdedup(signature), "attacks. Review the", mvdedup(dest_nt_host), "server for signs of exploitation"), " "),
+ (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app." was accessed, and data may have been exfiltrated to ".ip.".",
+ (signature="SQL"), "IP address ".src_ip." has attempted a SQL injection via ".src_category.". The server ".dest_nt_host." hosting application ".app." may have executed this SQL statement and should be reviewed.",
+ (signature="DESEREAL"), "The application ".app." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. 
Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.",
+ (signature="RCE"), "An attacker tried to perform Remote Code Execution by running the command ".command." in the ".file_path." directory. The server ".dest_nt_host." hosting application ".app." ".action." this command."
+ )
+ | `splunk_secure_application_alerts_filter`
+how_to_implement: In order to properly run this search, you need to ingest alerts data from O11y Cloud Secure Application, specifically ingesting data via HEC. You will also need to ensure that the data is going to sourcetype - `secureapp_attack`.
+known_false_positives: No known false positives for this detection. If the alerts are noisy, consider tuning this detection by using the _filter macro in this search, and/or updating the tool this alert originates from.
+references:
+ - https://lantern.splunk.com/Observability_Use_Cases/Detect_Vulnerabilities/Integrating_Secure_Application_and_Enterprise_Security%2C_for_hybrid_applications_security
+ - https://help.splunk.com/en/splunk-observability-cloud/monitor-application-security/set-up-secure-application/step-1-set-up-notifications-for-vulnerabilities
+drilldown_searches:
+ - name: View the detection results for - "$app"
+ search: '%original_detection_search% | search app = "$app$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest_ip$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ 
latest_offset: "0"
+rba:
+ message: $rule_description$
+ risk_objects:
+ - field: dest_ip
+ type: system
+ score: 20
+ threat_objects:
+ - field: src_ip
+ type: ip_address
+tags:
+ analytic_story:
+ - Critical Alerts
+ asset_type: Web Application
+ mitre_attack_id: []
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: threat
+ manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data:
+ sourcetype: secureapp_attack
+ source: Application Security
diff --git a/macros/secureapp_field_mappings.yml b/macros/secureapp_field_mappings.yml
new file mode 100644
index 0000000000..75f7104872
--- /dev/null
+++ b/macros/secureapp_field_mappings.yml
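Review bot: The search calls the macro `secureapp_es_field_mappings`, but the macro this commit adds in macros/secureapp_field_mappings.yml is named `secureapp_field_mappings`, so the detection fails on an undefined macro and none of the `gid`, `signature`, `src_ip` or `dest_ip` fields that the later `dedup`, `case()` and RBA objects depend on are ever produced; change that line to `` `secureapp_field_mappings` `` or rename the macro. The same mismatch is carried into the rewritten detection in PATCH 04 (hunk ending at the `test_type: experimental` line), where the macros file is renamed to the same `secureapp_field_mappings` name. Separately, the `severity` `case()` has two clauses that can never match — `risk_score=0 AND attackOutcome="ATTEMPTED"` is already covered by the earlier `risk_score<=50 AND attackOutcome!="OBSERVED"`, and the final `risk_score=0 AND attackOutcome="OBSERVED"` by `risk_score=0` — while an alert with `attackOutcome="OBSERVED"` and a kennaScore between 1 and 50 matches no clause and gets a null severity. Replacing the two dead clauses with a trailing `true(), "low"` default would give every alert a severity.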
@@ -0,0 +1,3 @@
+definition: '| eval location=url | eval ip=socketOut | eval gid=coalesce(attackName,attackId) | eval action=attackOutcome | eval view=blockedReason | eval ids_type=eventType | eval process=jvmId | eval cve=matchedCveName | eval signature_id=vulnerableMethod | eval url=webTransactionUrl | eval mode=attackStatus | eval src_category=attackSource | eval dest_ip=serverAddress | eval dest_nt_host=serverName | eval dest_port=serverPort | eval signature=attackTypes | eval src_ip=clientAddress | eval src_port=clientPort | eval record_type=ptype | eval app=coalesce(application,environment) | eval product=attackBusinessTransaction | eval package_title=coalesce(tier,service) | eval package=coalesce(tierId,serviceId) | eval rule_number=name | eval object_name=keyInfo | eval file_path=workingDir | eval file_name=filename | eval session_id=sql | eval attacktypecount=mvcount(attackTypes)'
+description: field mappings for Secure Application
+name: secureapp_field_mappings
\ No newline at end of file
From 960f86b36bb520148881792aa9267760003ee395 Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Thu, 28 May 2026 08:46:22 -0500
Subject: [PATCH 02/12] name change
---
...s.yml => splunk_secure_application_for_runtime_security.yml} | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
rename detections/application/{splunk_secure_application_alerts.yml => splunk_secure_application_for_runtime_security.yml} (99%)
diff --git a/detections/application/splunk_secure_application_alerts.yml b/detections/application/splunk_secure_application_for_runtime_security.yml
similarity index 99%
rename from detections/application/splunk_secure_application_alerts.yml
rename to detections/application/splunk_secure_application_for_runtime_security.yml
index cdbad04e60..628b38b51f 100644
--- a/detections/application/splunk_secure_application_alerts.yml
+++ b/detections/application/splunk_secure_application_for_runtime_security.yml
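Review bot: `gid=coalesce(attackName,attackId)` prefers the name over the identifier, and the detection runs `| dedup gid` on the result, so if `attackName` is a descriptive label shared by many alerts (it reads that way, but the event schema is not visible here) every alert carrying the same name collapses into a single result per search window and the other hosts and source IPs are dropped; if `attackId` is the per-alert identifier, `| eval gid=coalesce(attackId,attackName)` keeps one finding per attack. The same definition is carried unchanged into the rewritten macro in PATCH 04. Two of the mappings also look accidental rather than deliberate, `session_id=sql` (a SQL statement stored in a session-identifier field) and `process=jvmId`, so the `description` should state which ES fields are intentionally overloaded and why, for example `description: Field mappings for Secure Application; session_id carries the SQL statement and process the JVM id by design`.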
@@ -1,4 +1,4 @@
-name: Splunk Secure Application Alerts
+name: Splunk Secure Application for Runtime Security
 id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
 version: 1
 date: '2026-05-27'
From 732bb720daa2c2d1c21dab8fe0eea2a6143dc0c1 Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Thu, 28 May 2026 10:45:05 -0500
Subject: [PATCH 03/12] name change
---
.../splunk_secure_application_for_runtime_security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/application/splunk_secure_application_for_runtime_security.yml b/detections/application/splunk_secure_application_for_runtime_security.yml
index 628b38b51f..65ac8572c5 100644
--- a/detections/application/splunk_secure_application_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_for_runtime_security.yml
@@ -1,4 +1,4 @@
-name: Splunk Secure Application for Runtime Security
+name: Splunk Secure Application Alerts for Runtime Security
 id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
 version: 1
 date: '2026-05-27'
From a0d5f8bb1bac0ffc96f96231242a0d9aaa5923c7 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 3 Jun 2026 22:08:09 +0530
Subject: [PATCH 04/12] updating as per contentctl ng requirements
---
...pplication_alerts_for_runtime_security.yml | 91 +++++++++++++++++++
...ecure_application_for_runtime_security.yml | 87 ------------------
macros/secureapp_attack.yml | 8 ++
macros/secureapp_field_mappings.yml | 11 ++-
4 files changed, 107 insertions(+), 90 deletions(-)
create mode 100644 detections/application/splunk_secure_application_alerts_for_runtime_security.yml
delete mode 100644 detections/application/splunk_secure_application_for_runtime_security.yml
create mode 100644 macros/secureapp_attack.yml
diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
new file mode 100644
index 0000000000..fba908ea6e
--- /dev/null
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml 
@@ -0,0 +1,91 @@
+name: Splunk Secure Application Alerts for Runtime Security
+id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
+version: 1
+creation_date: '2026-05-27'
+modification_date: '2026-06-03'
+author: Ryan Long, Bhavin Patel, Bryan Pluta, Splunk
+status: production
+type: Anomaly
+description: |
+ The following analytic leverages alerts from Splunk Secure Application, which identifies and monitors exploit attempts targeting business applications. Attacks observed include exploiting vulnerabilities in web applications, such as injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution, LOG4J, and zero-day attacks. These events are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
+
+ Splunk Secure Application provides real-time detection of these threats by analyzing application-layer events and correlating attack behavior with known vulnerability signatures. This detection methodology helps the Security Operations Center (SOC) by:
+
+ * Identifying active exploitation attempts in real-time, allowing for quicker incident response.
+ * Categorizing attack severity to prioritize remediation efforts based on risk level.
+ * Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.
+ * Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.
+ * Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.
+
+ By leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.
+data_source: []
+search: |-
+ `secureapp_attack`
+ | rename attackEvents{}.* AS *, detailJson.* AS *, vulnerabilityInfo.* AS *
+ | fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app, clientAddressType, "attackEvents{}.* status"
+ | eval socketOut=mvjoin(socketOut," AND ")
+ | eval risk_score=kennaScore
+ | fillnull risk_score value="0"
+ `secureapp_es_field_mappings`
+ | dedup gid
+ | eval severity=case(
+ risk_score>=75 OR signature="LOG4J", "critical",
+ risk_score>50 AND risk_score<75, "high",
+ risk_score=0 AND attackOutcome="EXPLOITED", "high",
+ risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
+ risk_score=0 AND attackOutcome="ATTEMPTED", "medium",
+ risk_score=0, "low",
+ risk_score=0 AND attackOutcome="OBSERVED", "low"
+ )
+ | eval rule_description=case(
+ attacktypecount>1, mvjoin(mvappend("Multiple different attack types have been seen against the application", mvdedup(app), "This includes", mvdedup(signature), "attacks. Review the", mvdedup(dest_nt_host), "server for signs of exploitation"), " "),
+ (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app." was accessed, and data may have been exfiltrated to ".ip.".",
+ (signature="SQL"), "IP address ".src_ip." has attempted a SQL injection via ".src_category.". The server ".dest_nt_host." hosting application ".app." may have executed this SQL statement and should be reviewed.",
+ (signature="DESEREAL"), "The application ".app." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. 
Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.",
+ (signature="RCE"), "An attacker tried to perform Remote Code Execution by running the command ".command." in the ".file_path." directory. The server ".dest_nt_host." hosting application ".app." ".action." this command."
+ )
+ | `splunk_secure_application_alerts_for_runtime_security_filter`
+how_to_implement: |
+ To run this search, ingest alerts data from O11y Cloud Secure Application using HEC, ensuring the data is routed to the `secureapp_attack` sourcetype.
+known_false_positives: |
+ No known false positives for this detection. If alerts are noisy, tune this detection with the `_filter` macro or configure the originating tool.
+references:
+ - https://lantern.splunk.com/Observability_Use_Cases/Detect_Vulnerabilities/Integrating_Secure_Application_and_Enterprise_Security%2C_for_hybrid_applications_security
+ - https://help.splunk.com/en/splunk-observability-cloud/monitor-application-security/set-up-secure-application/step-1-set-up-notifications-for-vulnerabilities
+drilldown_searches:
+ - name: View the detection results for - "$app$"
+ search: '%original_detection_search% | search app = "$app$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$dest_ip$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: app
+ type: system
+ score: 50
+ 
message: $rule_description$
+threat_objects:
+ - field: src_ip
+ type: ip_address
+analytic_story:
+ - Critical Alerts
+asset_type: Web Application
+mitre_attack_id: []
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: application
+security_domain: threat
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/secure_application_alerts.log
+ sourcetype: secureapp_attack
+ source: not_applicable
+ description: |
+ MANUAL TEST - We are dynamically creating the risk_score field based on the severity of the alert in the SPL, which supersedes the risk score set in the detection. Set as manual test to avoid integration and unit test failures due to empty fields in observables.
+ test_type: experimental
diff --git a/detections/application/splunk_secure_application_for_runtime_security.yml b/detections/application/splunk_secure_application_for_runtime_security.yml
deleted file mode 100644
index 65ac8572c5..0000000000
--- a/detections/application/splunk_secure_application_for_runtime_security.yml
+++ /dev/null
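Review bot: The `rule_description` branches build their text by concatenating `command`, `file_path`, `ip`, `src_category` and `action` with `.`, and in eval a null operand makes the whole concatenation null, so an RCE or API alert that lacks any one of those fields (no `socketOut`, hence no `ip`, for instance) ends up with an empty `message: $rule_description$` on the intermediate finding. Adding `| fillnull value="unknown" command file_path ip src_category action` before that eval keeps a readable message on every finding; the same construction exists in the original detection from PATCH 01. Two metadata points in the same hunk: `data_source: []` drops the "Splunk Secure Application Alert" entry the replaced file declared, which is presumably still the intended data source, and `status: production` sits next to a test `description` that begins "MANUAL TEST" and a `test_type: experimental`; PATCH 06 reverts the status, but the empty `data_source` list remains.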
@@ -1,87 +0,0 @@
-name: Splunk Secure Application Alerts for Runtime Security
-id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
-version: 1
-date: '2026-05-27'
-author: Ryan Long, Bhavin Patel, Bryan Pluta Splunk
-status: experimental
-type: TTP
-description: |
- The following analytic is to leverage alerts from Splunk Secure Application, which identifies and monitors exploit attempts targeting business applications. The primary attack observed involves exploiting vulnerabilities in web applications, including injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution attempts, LOG4J and zero day attacks. These attacks are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
-
- Secure Application attacks detection is not primarily based on exploiting vulnerabilities. It is based on correlating attack events and also mapping in any vulnerable code executed along the way. This detection methodology helps the Security Operations Center (SOC) by:
-
- * Identifying active exploitation attempts in real-time, allowing for quicker incident response.
- * Categorizing attack severity to prioritize remediation efforts based on risk level.
- * Providing visibility into attacker tactics, including source IP, attack techniques, and affected applications.
- * Generating risk-based scoring and contextual alerts to enhance decision-making within SOC workflows.
- * Helping analysts determine whether an attack was merely an attempt or if it successfully exploited a vulnerability.
-
- By leveraging this information, SOC teams can proactively mitigate security threats, patch vulnerable applications, and enforce security controls to prevent further exploitation.
-data_source:
- - Splunk Secure Application Alert
-search: |-
- sourcetype=secureapp_attack
- | rename attackEvents{}.* AS *, detailJson.* AS *, vulnerabilityInfo.* AS *
- | fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app clientAddressType, "attackEvents{}.* status"
- | eval socketOut=mvjoin(socketOut," AND ")
- | eval risk_score=kennaScore
- | fillnull risk_score value="0"
- `secureapp_es_field_mappings`
- | dedup gid
- | eval severity=case(
- risk_score>=75 OR signature="LOG4J", "critical",
- risk_score>50 AND risk_score<75, "high",
- risk_score=0 AND attackOutcome="EXPLOITED", "high",
- risk_score<=50 AND attackOutcome!="OBSERVED", "medium",
- risk_score=0 AND attackOutcome="ATTEMPTED", "medium",
- risk_score=0, "low",
- risk_score=0 AND attackOutcome="OBSERVED", "low"
- )
- | eval rule_description=case(
- attacktypecount>1, mvjoin(mvappend("Multiple different attack types have been seen against the application", mvdedup(app), "This includes", mvdedup(signature), "attacks. Review the", mvdedup(dest_nt_host), "server for signs of exploitation"), " "),
- (signature="API" OR signature="LOG4J" OR signature="SSRF"), "An attempt to exploit a ".signature." vulnerability was made from a ".src_category." IP address ".src_ip.". The server ".dest_nt_host." hosting application ".app." was accessed, and data may have been exfiltrated to ".ip.".",
- (signature="SQL"), "IP address ".src_ip." has attempted a SQL injection via ".src_category.". The server ".dest_nt_host." hosting application ".app." may have executed this SQL statement and should be reviewed.",
- (signature="DESEREAL"), "The application ".app." deserializes untrusted data without sufficiently verifying that the resulting data will be valid. Data which is untrusted cannot be trusted to be well-formed. 
Malformed data or unexpected data could be used to abuse application logic, deny service, or execute arbitrary code, when deserialized.",
- (signature="RCE"), "An attacker tried to perform Remote Code Execution by running the command ".command." in the ".file_path." directory. The server ".dest_nt_host." hosting application ".app." ".action." this command."
- )
- | `splunk_secure_application_alerts_filter`
-how_to_implement: In order to properly run this search, you need to ingest alerts data from O11y Cloud Secure Application, specifically ingesting data via HEC. You will also need to ensure that the data is going to sourcetype - `secureapp_attack`.
-known_false_positives: No known false positives for this detection. If the alerts are noisy, consider tuning this detection by using the _filter macro in this search, and/or updating the tool this alert originates from.
-references:
- - https://lantern.splunk.com/Observability_Use_Cases/Detect_Vulnerabilities/Integrating_Secure_Application_and_Enterprise_Security%2C_for_hybrid_applications_security
- - https://help.splunk.com/en/splunk-observability-cloud/monitor-application-security/set-up-secure-application/step-1-set-up-notifications-for-vulnerabilities
-drilldown_searches:
- - name: View the detection results for - "$app"
- search: '%original_detection_search% | search app = "$app$"'
- earliest_offset: $info_min_time$
- latest_offset: $info_max_time$
- - name: View risk events for the last 7 days for - "$dest_ip$"
- search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
- earliest_offset: 7d
- 
latest_offset: "0"
-rba:
- message: $rule_description$
- risk_objects:
- - field: dest_ip
- type: system
- score: 20
- threat_objects:
- - field: src_ip
- type: ip_address
-tags:
- analytic_story:
- - Critical Alerts
- asset_type: Web Application
- mitre_attack_id: []
- product:
- - Splunk Enterprise
- - Splunk Enterprise Security
- - Splunk Cloud
- security_domain: threat
- manual_test: We are dynamically creating the risk_score field based on the severity of the alert in the SPL and that supersedes the risk score set in the detection. Setting these to manual test since otherwise we fail integration testing. The detection is also failing on unit-testing as some of the fields set in the observables are empty.
-tests:
- - name: True Positive Test
- attack_data:
- - data:
- sourcetype: secureapp_attack
- source: Application Security
diff --git a/macros/secureapp_attack.yml b/macros/secureapp_attack.yml
new file mode 100644
index 0000000000..11ad8b394d
--- /dev/null
+++ b/macros/secureapp_attack.yml
@@ -0,0 +1,8 @@
+name: secureapp_attack
+id: a4e47c1d-9fb1-4fee-b3e2-68d2f3a8bd2a
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Bhavin Patel, Bryan Pluta, Splunk
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=secureapp_attack
\ No newline at end of file
diff --git a/macros/secureapp_field_mappings.yml b/macros/secureapp_field_mappings.yml
index 75f7104872..0019b7eab8 100644
--- a/macros/secureapp_field_mappings.yml
+++ b/macros/secureapp_field_mappings.yml
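Review bot: `creation_date: '2020-04-30'` on macros/secureapp_attack.yml, a file this commit creates, predates the detection it serves (`creation_date: '2026-05-27'`) by six years, and the rewritten macros/secureapp_field_mappings.yml in the next hunk carries the same 2020 value, which reads as a copied template date rather than a real one; set both to the date of this change so the metadata reflects when the macro was introduced. The description also needs a small fix, `description: customer specific splunk configurations(eg- index, source, sourcetype).` → `description: Customer-specific Splunk configuration (e.g. index, source, sourcetype).`, keeping the second sentence as is.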
@@ -1,3 +1,8 @@
-definition: '| eval location=url | eval ip=socketOut | eval gid=coalesce(attackName,attackId) | eval action=attackOutcome | eval view=blockedReason | eval ids_type=eventType | eval process=jvmId | eval cve=matchedCveName | eval signature_id=vulnerableMethod | eval url=webTransactionUrl | eval mode=attackStatus | eval src_category=attackSource | eval dest_ip=serverAddress | eval dest_nt_host=serverName | eval dest_port=serverPort | eval signature=attackTypes | eval src_ip=clientAddress | eval src_port=clientPort | eval record_type=ptype | eval app=coalesce(application,environment) | eval product=attackBusinessTransaction | eval package_title=coalesce(tier,service) | eval package=coalesce(tierId,serviceId) | eval rule_number=name | eval object_name=keyInfo | eval file_path=workingDir | eval file_name=filename | eval session_id=sql | eval attacktypecount=mvcount(attackTypes)'
-description: field mappings for Secure Application
-name: secureapp_field_mappings
\ No newline at end of file
+name: secureapp_field_mappings
+id: 99e8a6b7-bf73-41b0-ad23-d396dd7e11bb
+version: 1
+creation_date: '2020-04-30'
+modification_date: '2026-05-13'
+author: Ryan Long, Bhavin Patel, Bryan Pluta, Splunk
+description: Field mappings for Secure Application
+definition: '| eval location=url | eval ip=socketOut | eval gid=coalesce(attackName,attackId) | eval action=attackOutcome | eval view=blockedReason | eval ids_type=eventType | eval process=jvmId | eval cve=matchedCveName | eval signature_id=vulnerableMethod | eval url=webTransactionUrl | eval mode=attackStatus | eval src_category=attackSource | eval dest_ip=serverAddress | eval dest_nt_host=serverName | eval dest_port=serverPort | eval signature=attackTypes | eval src_ip=clientAddress | eval src_port=clientPort | eval record_type=ptype | eval app=coalesce(application,environment) | eval product=attackBusinessTransaction | eval package_title=coalesce(tier,service) | eval package=coalesce(tierId,serviceId) | eval 
rule_number=name | eval object_name=keyInfo | eval file_path=workingDir | eval file_name=filename | eval session_id=sql | eval attacktypecount=mvcount(attackTypes)'
\ No newline at end of file
From 193d6468c74e04f541c42e7caf315b324cb993b4 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 3 Jun 2026 22:11:39 +0530
Subject: [PATCH 05/12] adding dest_ip for entitiy
---
.../splunk_secure_application_alerts_for_runtime_security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index fba908ea6e..c3130acc0d 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -63,7 +63,7 @@ drilldown_searches:
 latest_offset: "0"
 intermediate_findings:
 entities:
- - field: app
+ - field: dest_ip
 type: system
 score: 50
 message: $rule_description$
From 854f1cd1153b351eb28098718dfeee7ef4b97ef2 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 3 Jun 2026 22:26:12 +0530
Subject: [PATCH 06/12] updating dataset
---
.../splunk_secure_application_alerts_for_runtime_security.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index c3130acc0d..ce97d66016 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -4,7 +4,7 @@ version: 1
 creation_date: '2026-05-27'
 modification_date: '2026-06-03'
 author: Ryan Long, Bhavin Patel, Bryan Pluta, Splunk
-status: production
+status: experimental
 type: Anomaly
 description: |
 The following analytic leverages alerts from Splunk Secure Application, which identifies and monitors exploit attempts targeting business applications. Attacks observed include exploiting vulnerabilities in web applications, such as injection attacks (SQL, API abuse), deserialization vulnerabilities, remote code execution, LOG4J, and zero-day attacks. These events are typically aimed at gaining unauthorized access, exfiltrating sensitive data, or disrupting application functionality.
@@ -83,7 +83,7 @@ security_domain: threat
 tests:
 - name: True Positive Test
 attack_data:
- - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/secure_application_alerts.log
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/suspicious_behaviour/alerts/secure_app_alerts_runtime_security.log
 sourcetype: secureapp_attack
 source: not_applicable
 description: |
From 2cfe9b5edd220cef22b36151419c727e7f97b7b2 Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Wed, 3 Jun 2026 12:25:54 -0500
Subject: [PATCH 07/12] how to implement update
---
.../splunk_secure_application_alerts_for_runtime_security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index ce97d66016..8b47e04a97 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -46,7 +46,7 @@ search: |-
 )
 | `splunk_secure_application_alerts_for_runtime_security_filter`
 how_to_implement: |
- To run this search, ingest alerts data from O11y Cloud Secure Application using HEC, ensuring the data is routed to the `secureapp_attack` sourcetype.
+ Create the secureapp_attack sourcetype in Splunk Enterprise Security. Configure Splunk Enterprise Security to receive alerts for Observability Cloud via HEC. Configure Secure Application Alerts in Observability Cloud to send alerts to Enterprise Security. Full details can be found in the referenced lantern article.
 known_false_positives: |
 No known false positives for this detection. If alerts are noisy, tune this detection with the `_filter` macro or configure the originating tool.
 references:
From c1c48eef3a2107bc85febd96a36ce32316d59690 Mon Sep 17 00:00:00 2001
From: Bryan Pluta
Date: Wed, 3 Jun 2026 14:10:53 -0500
Subject: [PATCH 08/12] updated lantern link
---
.../splunk_secure_application_alerts_for_runtime_security.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index 8b47e04a97..a402e0ba61 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -50,7 +50,7 @@ how_to_implement: |
 known_false_positives: |
   No known false positives for this detection. If alerts are noisy, tune this detection with the `_filter` macro or configure the originating tool.
 references:
-- https://lantern.splunk.com/Observability_Use_Cases/Detect_Vulnerabilities/Integrating_Secure_Application_and_Enterprise_Security%2C_for_hybrid_applications_security
+- https://lantern.splunk.com/@go/page/10379
 - https://help.splunk.com/en/splunk-observability-cloud/monitor-application-security/set-up-secure-application/step-1-set-up-notifications-for-vulnerabilities
 drilldown_searches:
 - name: View the detection results for - "$app$"

From 8ad653147d19a3019f30a3f90f9cc4c6a3885dad Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Thu, 4 Jun 2026 10:37:22 +0530
Subject: [PATCH 09/12] testing yaml lint

---
 .../splunk_secure_application_alerts_for_runtime_security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index a402e0ba61..f123fe6e88 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -46,7 +46,7 @@ search: |-
   ) | `splunk_secure_application_alerts_for_runtime_security_filter`
 how_to_implement: |
-  Create the secureapp_attack sourcetype in Splunk Enterprise Security. Configure Splunk Enterprise Security to receive alerts for Observability Cloud via HEC. Configure Secure Application Alerts in Observability Cloud to send alerts to Enterprise Security. Full details can be found in the referenced lantern article.
+  Create the secureapp_attack sourcetype in Splunk Enterprise Security. Configure Splunk Enterprise Security to receive alerts for Observability Cloud via HEC. Configure Secure Application Alerts in Observability Cloud to send alerts to Enterprise Security. Full details can be found in the referenced lantern article.
 known_false_positives: |
   No known false positives for this detection. If alerts are noisy, tune this detection with the `_filter` macro or configure the originating tool.
 references:
@@ -65,7 +65,7 @@ intermediate_findings:
   entities:
   - field: dest_ip
     type: system
-    score: 50
+    score: 20
     message: $rule_description$
   threat_objects:
   - field: src_ip

From c8d077d963db29ff4626002903e013d1662d73c0 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 12 Jun 2026 17:17:10 +0530
Subject: [PATCH 10/12] Update macros/secureapp_attack.yml

Co-authored-by: Nasreddine Bencherchali
---
 macros/secureapp_attack.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/macros/secureapp_attack.yml b/macros/secureapp_attack.yml
index 11ad8b394d..205e9ebb3a 100644
--- a/macros/secureapp_attack.yml
+++ b/macros/secureapp_attack.yml
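Review bot: The dest_ip entity score drops from 50 to 20 in the second hunk of this commit with no rationale in the subject ("testing yaml lint") or in the file, and since the description frames these alerts as exploitation attempts (injection, deserialization, RCE) a 20 on the targeted system means a single finding barely moves its risk; please record why it was lowered, for example in the commit message or as a comment such as `# score kept low: Secure Application alerts fire per attempt, not per confirmed compromise`. Separately, dest_ip and src_ip are derived fields: the secureapp_field_mappings macro that this series later deletes built them from serverAddress and clientAddress, so unless the search (outside this hunk) or the sourcetype's own field extraction now performs that mapping, this entity and the src_ip threat object would resolve to nothing and the finding would carry no risk object. The enclosing intermediate_findings block starts and ends outside the hunk.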
@@ -1,8 +1,8 @@
 name: secureapp_attack
 id: a4e47c1d-9fb1-4fee-b3e2-68d2f3a8bd2a
 version: 1
-creation_date: '2020-04-30'
-modification_date: '2026-05-13'
+creation_date: '2026-06-12'
+modification_date: '2026-06-12'
 author: Bhavin Patel, Bryan Pluta, Splunk
 description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
 definition: sourcetype=secureapp_attack
\ No newline at end of file

From 0d8996a985f4f2321ed8ba1ada4055fbac6c0012 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 12 Jun 2026 17:17:21 +0530
Subject: [PATCH 11/12] Update detections/application/splunk_secure_application_alerts_for_runtime_security.yml

Co-authored-by: Nasreddine Bencherchali
---
 .../splunk_secure_application_alerts_for_runtime_security.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
index f123fe6e88..7a9a439215 100644
--- a/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
+++ b/detections/application/splunk_secure_application_alerts_for_runtime_security.yml
@@ -1,8 +1,8 @@
 name: Splunk Secure Application Alerts for Runtime Security
 id: 37365336-e8af-42b1-b9d5-a5183d7b7e73
 version: 1
-creation_date: '2026-05-27'
-modification_date: '2026-06-03'
+creation_date: '2026-06-12'
+modification_date: '2026-06-12'
 author: Ryan Long, Bhavin Patel, Bryan Pluta, Splunk
 status: experimental
 type: Anomaly

From db413c18965a911a0e2363fc77c7eb0cd8659975 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 12 Jun 2026 18:35:40 +0530
Subject: [PATCH 12/12] removing macro

---
 macros/secureapp_field_mappings.yml | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 macros/secureapp_field_mappings.yml

diff --git a/macros/secureapp_field_mappings.yml b/macros/secureapp_field_mappings.yml
deleted file mode 100644
index 0019b7eab8..0000000000
--- a/macros/secureapp_field_mappings.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-name: secureapp_field_mappings
-id: 99e8a6b7-bf73-41b0-ad23-d396dd7e11bb
-version: 1
-creation_date: '2020-04-30'
-modification_date: '2026-05-13'
-author: Ryan Long, Bhavin Patel, Bryan Pluta, Splunk
-description: Field mappings for Secure Application
-definition: '| eval location=url | eval ip=socketOut | eval gid=coalesce(attackName,attackId) | eval action=attackOutcome | eval view=blockedReason | eval ids_type=eventType | eval process=jvmId | eval cve=matchedCveName | eval signature_id=vulnerableMethod | eval url=webTransactionUrl | eval mode=attackStatus | eval src_category=attackSource | eval dest_ip=serverAddress | eval dest_nt_host=serverName | eval dest_port=serverPort | eval signature=attackTypes | eval src_ip=clientAddress | eval src_port=clientPort | eval record_type=ptype | eval app=coalesce(application,environment) | eval product=attackBusinessTransaction | eval package_title=coalesce(tier,service) | eval package=coalesce(tierId,serviceId) | eval rule_number=name | eval object_name=keyInfo | eval file_path=workingDir | eval file_name=filename | eval session_id=sql | eval attacktypecount=mvcount(attackTypes)'
\ No newline at end of file