Integrate Cisco Secure Application with Splunk
You can send Cisco Secure Application security events to a Splunk deployment over HTTP or HTTPS. When you enable a new connection with the details of the Splunk server, vulnerability, attack, and observation events are sent from Cisco Secure Application to the specified Splunk instance.
The gear icon opens Settings. From there, the Connections option lets you connect to a third-party server for advanced security.
Currently, Cisco Secure Application supports integration with Splunk only.
To create a new connection, click New Connection and specify the following in the New Connection dialog box:
- Name: Any name to identify the connection.
- Service Type: Splunk HTTP Event Collector. Currently, Cisco Secure Application supports the HTTP Event Collector only.
- Endpoint: The Splunk host endpoint.
- Token: The token generated through Splunk. The value is hidden after you save the connection.
The Connections page displays the Splunk connection details with its status. You can modify the connection by using the modify icon.
After the connection is successful, Cisco Secure Application sends events every minute.
Currently, this connection supports Vulnerabilities. The support will extend to Attacks and Observations in later releases.
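The connection dialog only asks for an endpoint and a token, so it helps to know what Cisco Secure Application has to assemble behind the scenes and to check the token against Splunk before saving it. The following is an added example, not Cisco's or Splunk's code: it builds a Splunk HTTP Event Collector request (the standard `/services/collector/event` path and `Authorization: Splunk <token>` header) and can post a test event. The endpoint host, token, sourcetype name and event payload are constructed placeholders.

```python
"""Build and optionally send a Splunk HEC test event.

Added example for checking a Splunk HTTP Event Collector endpoint and token
before entering them in the Cisco Secure Application New Connection dialog.
Not code from Cisco or Splunk; the host, token, sourcetype and event payload
below are constructed placeholders.
"""
import json
import ssl
import urllib.request
from urllib.parse import urlparse

HEC_PATH = "/services/collector/event"  # standard HEC event endpoint


def build_hec_request(endpoint, token, event, sourcetype="cisco:secureapp",
                      require_tls=True):
    """Return (url, headers, body) for a HEC POST.

    endpoint  -- the Splunk host endpoint from the connection dialog, for
                 example https://splunk.example.com:8088 (hypothetical host).
    token     -- the HEC token generated in Splunk. It is a bearer credential:
                 whoever holds it can write events into the index, so it goes
                 only in the Authorization header, never in the URL or logs.
    """
    parsed = urlparse(endpoint)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("endpoint must be an absolute http(s) URL: %r" % endpoint)
    if require_tls and parsed.scheme != "https":
        # Over plain HTTP the token would cross the network in clear text.
        raise ValueError("refusing to send a HEC token over plain HTTP")
    url = endpoint.rstrip("/") + HEC_PATH
    headers = {
        "Authorization": "Splunk %s" % token,
        "Content-Type": "application/json",
    }
    body = json.dumps({"sourcetype": sourcetype, "event": event}).encode()
    return url, headers, body


def send_test_event(endpoint, token, event, timeout=10):
    """POST one event and return Splunk's JSON reply.

    HEC answers {"text": "Success", "code": 0} when it accepts the event;
    a 401/403 reply means the token is wrong or disabled.
    """
    url, headers, body = build_hec_request(endpoint, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    ctx = ssl.create_default_context()  # verify the Splunk server certificate
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed values; replace with your own endpoint and token.
    sample = {"resource": "Secure App", "cveId": "CVE-PLACEHOLDER",
              "severity": "test"}
    url, headers, body = build_hec_request("https://splunk.example.com:8088",
                                           "00000000-0000-0000-0000-000000000000",
                                           sample)
    print(url)
    print(headers["Content-Type"])
    print(body.decode())
    # To actually send it:
    # print(send_test_event("https://splunk.example.com:8088", "<token>", sample))
```

The `require_tls` guard is the practical caveat here: the page allows both HTTP and HTTPS, but the HEC token is a write credential for your index, so an HTTPS endpoint with a certificate the client can verify is the setting to choose.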
AppDynamics IP Addresses
If your Splunk instance blocks public IPs, ensure that you allow the following IPs. All traffic originating from the Oregon environment has one of the following source IP addresses:
34.218.183.67
52.88.49.75
34.218.135.55
44.224.91.190
44.224.93.208
100.21.44.47
35.163.240.75
100.21.168.150
44.224.41.204
To view all IPs and their regions, see SaaS Domains and IP Ranges.
Security Events
The supported agents send security events to Cisco Secure Application, which displays the attacks and vulnerabilities in the UI. To make these events usable in Splunk, Cisco Secure Application sends the event attributes to Splunk in the required format. The following tables list the event details: the first for vulnerability events, the second for attack events.
Vulnerability events
Attributes | Type | Description |
---|---|---|
tenantId | int32 | The Tenant ID of the server where the AppDynamics Controller is installed. |
tenantName | String | The name of the server on which AppDynamics Controller is installed. |
applicationId | int32 | The ID of the application that is vulnerable. |
applicationname | String | The name of the vulnerable application. |
applicationUuid | String | The unique ID of the server on which the application is running. |
tierId | int32 | The tier ID of the application that is vulnerable. |
tiername | String | The name of the application tier that is vulnerable. |
tierUuid | String | The unique ID of the server on which the tier is running. |
timestamp | String | The time the vulnerability is first detected. |
severity | String | The CVSS3 environmental severity description. |
severityNumber | Float32 | The risk score of the vulnerability. The higher the number, the higher the risk. |
resource | String | The source of the security events. The value is Secure App, which indicates that the security events are sent from Cisco Secure Application. |
createdAt | String | The time when the vulnerability was first detected. This value is the same as the timestamp value. |
lastSeenAt | String | The time when the vulnerability was last detected. |
fixedAt | String | The date of CVE remediation. This value is available only if the CVE is fixed. |
cveId | String | The common vulnerability and exposure ID. |
packageName | String | The name of the library that the vulnerability has been detected in. |
packageVersion | String | The version of the package with the vulnerability. |
fixedVersion | String | The version of the package that fixes the vulnerability. This is the remediation version. |
Attack events
Attributes | Type | Description |
---|---|---|
TenantId | int32 | The Tenant ID of the server where the AppDynamics Controller is installed. |
TenantName | String | The name of the server on which AppDynamics Controller is installed. |
ApplicationId | int32 | The ID of the application that is affected by the attack. |
ApplicationName | String | The name of the application that is affected by the attack. |
ApplicationUuid | String | The unique ID of the application that is affected by the attack. |
Timestamp | String | The time when the attack is detected. |
SeverityNumber | float32 | The risk score of the attack. The higher the number, the higher the risk. |
Name | String | The name of the attack event. |
Resource | String | The entry point of the attack. It is the webserver URL accessed by the client in the transaction that triggered the event. Based on the event type, this field may not be displayed. |
CreatedAt | String | The time when the attack was first detected. This value is the same as the Timestamp value. |
LastSeenAt | String | The time when the attack was last detected. |
MaliciousIpSource | String | The name of the malicious IP list. This is available if the attack is from a client IP address that is on a known malicious IP list. Currently, the Talos malicious IP list is supported. Therefore, this attribute displays the value Talos when the attack is from a client IP on the Talos list. |
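The two tables use different key casing (tenantId in vulnerability events, TenantId in attack events) and the vulnerability rows carry fixedAt only once a CVE is remediated. The following is an added example, not Cisco's code, of a consumer that normalizes both shapes and pulls out what a SOC would alert on first: open vulnerabilities at or above a risk score, attacks whose client IP was on a known malicious list, and how long a vulnerability has been seen. It assumes each event arrives as one JSON object keyed by the attribute names above; the exact HEC envelope is not documented on this page, so the sample events are constructed.

```python
"""Triage Cisco Secure Application events as they would land in Splunk.

Added example; not Cisco's code. It assumes each event is one JSON object
whose keys are the attribute names from the vulnerability and attack tables.
The events below are constructed samples, including the CVE ids.
"""
from datetime import datetime, timezone

# Constructed samples: two vulnerability events, two attack events.
SAMPLE_EVENTS = [
    {"tenantId": 1, "tenantName": "acme-controller", "applicationId": 10,
     "applicationname": "checkout", "applicationUuid": "app-uuid-1",
     "tierId": 3, "tiername": "web", "tierUuid": "tier-uuid-1",
     "timestamp": "2024-01-02T03:04:05Z", "severity": "Critical",
     "severityNumber": 9.1, "resource": "Secure App",
     "createdAt": "2024-01-02T03:04:05Z", "lastSeenAt": "2024-01-09T03:04:05Z",
     "cveId": "CVE-EXAMPLE-1", "packageName": "example-lib",
     "packageVersion": "1.0.0", "fixedVersion": "1.0.1"},
    {"tenantId": 1, "tenantName": "acme-controller", "applicationId": 10,
     "applicationname": "checkout", "applicationUuid": "app-uuid-1",
     "tierId": 3, "tiername": "web", "tierUuid": "tier-uuid-1",
     "timestamp": "2024-01-01T00:00:00Z", "severity": "High",
     "severityNumber": 8.0, "resource": "Secure App",
     "createdAt": "2024-01-01T00:00:00Z", "lastSeenAt": "2024-01-05T00:00:00Z",
     "fixedAt": "2024-01-05T00:00:00Z",  # remediated, so not open
     "cveId": "CVE-EXAMPLE-2", "packageName": "other-lib",
     "packageVersion": "2.3.0", "fixedVersion": "2.3.1"},
    {"TenantId": 1, "TenantName": "acme-controller", "ApplicationId": 10,
     "ApplicationName": "checkout", "ApplicationUuid": "app-uuid-1",
     "Timestamp": "2024-01-08T12:00:00Z", "SeverityNumber": 7.5,
     "Name": "sample-attack", "Resource": "/api/login",
     "CreatedAt": "2024-01-08T12:00:00Z", "LastSeenAt": "2024-01-08T12:30:00Z",
     "MaliciousIpSource": "Talos"},
    {"TenantId": 1, "TenantName": "acme-controller", "ApplicationId": 10,
     "ApplicationName": "checkout", "ApplicationUuid": "app-uuid-1",
     "Timestamp": "2024-01-08T13:00:00Z", "SeverityNumber": 4.0,
     "Name": "sample-attack", "Resource": "/api/search",
     "CreatedAt": "2024-01-08T13:00:00Z", "LastSeenAt": "2024-01-08T13:05:00Z"},
]


def normalize(event):
    """Lower-case the keys so vulnerability (tenantId) and attack (TenantId)
    events flow through one code path."""
    return {k.lower(): v for k, v in event.items()}


def event_kind(event):
    """Vulnerability events carry cveId; attack events carry Name."""
    e = normalize(event)
    if "cveid" in e:
        return "vulnerability"
    if "name" in e:
        return "attack"
    return "unknown"


def parse_ts(value):
    """Timestamps in the tables are strings; the sample uses ISO-8601 UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def exposure_days(vuln_event):
    """Days between first and last detection of a vulnerability."""
    e = normalize(vuln_event)
    return (parse_ts(e["lastseenat"]) - parse_ts(e["createdat"])).days


def triage(events, min_score=7.0):
    """Return open high-risk vulnerabilities and attacks from known-bad IPs."""
    open_vulns, bad_ip_attacks = [], []
    for raw in events:
        e = normalize(raw)
        kind = event_kind(raw)
        if kind == "vulnerability":
            # fixedAt is present only once the CVE is remediated.
            if e.get("fixedat") is None and float(e["severitynumber"]) >= min_score:
                open_vulns.append((e["cveid"], e["packagename"], e["fixedversion"]))
        elif kind == "attack":
            # MaliciousIpSource is set only when the client IP is on a known list.
            if e.get("maliciousipsource"):
                bad_ip_attacks.append((e["name"], e["maliciousipsource"], e.get("resource")))
    return {"open_vulns": open_vulns, "bad_ip_attacks": bad_ip_attacks}


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for cve, pkg, fix in result["open_vulns"]:
        print("open vulnerability %s in %s, upgrade to %s" % (cve, pkg, fix))
    for name, source, resource in result["bad_ip_attacks"]:
        print("attack %s on %s from IP listed by %s" % (name, resource, source))
    print("exposure days for first sample:", exposure_days(SAMPLE_EVENTS[0]))
```

The same logic translates directly into a Splunk search: filter on `resource="Secure App"`, keep vulnerability events with no fixedAt and severityNumber at or above your threshold, and keep attack events where MaliciousIpSource is set.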