Monitor Attacks

The Attacks page includes details of all the open and closed attacks on the managed applications. By default, this page displays an overview of the selected application. See Monitor Application Security Using Cisco Secure Application.

Attacks

The Attacks page displays these details:

Field Name	Description
Attacks By Outcome	This provides information on these state of the attack: Exploited: When malicious activity is performed to impact the application's security. Blocked: When the events are blocked based on the attack policy. Attempted: When the malicious activity is determined but not exploited.
Top Applications	This chart displays the top 10 applications based on open attacks per application. If you select a specific application scope, then only that application is displayed. To view all the applications, reset the application scope. See Monitor Application Security Using Cisco Secure Application. These applications are in either an exploited, blocked, attempted, or state versus the total number of open attacks on the application. Hover over each state to view the number of blocked, exploited, and open attacks.
Top Attack Types	This chart displays the top 10 attack events that are in an exploited, blocked, or attempted state versus the total number of open attacks on the events. Hover on each state to view the number of blocked, exploited, attempted, and open attacks. Attack Types include: DESERIAL: The agent detected a Java class deserialization event. SQL: The agent detected a known SQL injection signature event. RCE: The agent detected a remote code execution event. LOG4J: The agent detected a Log4Shell attack. SSRF: The agent detected a server side request forgery event. MALIP: The agent detected either an inbound, or outbound socket connection to a known malicious IP address.
ID	The ID of the corresponding Attack. Cisco Secure Application generates this ID. You can modify this ID on the attacks details page. To view the attack details page, click the desired row. Click this field to sort the ID numerically.
Outcome	The outcome of the corresponding attack. This provides information on these state of the attack: Exploited: When malicious activity is performed to impact the application's security. Blocked: When the events are blocked based on the attack policy. Attempted: When the malicious activity is determined but not exploited. Click this field to sort the values alphabetically.
Attack Type (Events)	The type of the attack and count of that attack type.
Event Trigger	Relevant information from the runtime behavior resulting from the event where Secure Application determined a potential attack.
Application	The application affected by the attack.
Business Transaction	When you click an Attack ID, you receive a summary for each Attack, and a Business Transition type, if you have a Business Transaction enabled. See Monitor Business Transactions.
Tier	The tier name and the number of nodes. You can click to launch the application flow map in the Splunk AppDynamics dashboard. The info icon () next to an affected tier indicates that the attacked nodes in the tier include critical or medium vulnerability.
Last Detected	The time that is elapsed since the last event within the attack. Click this field to sort the values in ascending or descending order.
Status	The status of the attack is defined as either open or closed. If you have Configure permissions, click the checkboxes for the required rows and then click the Set Status option to set the appropriate status. Click this field to sort based on the Open or Closed state.

View Attack Details

The Attack details page provides information of the attack. The top pane provides a summary of the attack. To view the application flow map, you can click the flow map icon () next to the application name. The bottom pane is split into left pane (a list of events correlated to the attack automatically) and right pane (the details of a selected event).

You can use the Search filter to filter by: Outcome, Event Type, Attack Type, or Affected Tiers.

Field Name	Description
Outcome	The outcome of the event. This provides information on whether the selected event is Exploited, Blocked, or Attempted.
Event Type	The type of the attack event or the vulnerability name.
Attack Type	The type of the attack such as RCE and so on.
Application	The affected application.
Tier	The affected tier.
Timestamp	The time the event is detected.
Timestamp	The date and time when the event is detected.
Affected Node	The name of the affected node. You can click the flow map icon () to view the Tiers and Nodes flow map on the Splunk AppDynamics dashboard.
Event Trigger	It displays the attack target. It can be a file, host, command, etc.
Vulnerabilities	The type of vulnerability used for the attack. Based on the event type, this field may not be displayed. If the value is displayed, click the value to view the vulnerability details. For information about Vulnerabilities, see Monitor Vulnerabilities.
Entry Point	The webserver URL accessed by the client in the transaction that triggered the event. Based on the event type, this field may not be displayed.
Client IP	The IP address of the remote endpoint of the connection in the transaction. This IP address can be the IP address of client machine, load balancer or proxy in a client network. The warning icon () next to IP address indicates that a known malicious IP is detected. This is available if the attack is from a client IP address that is on a known malicious IP list. Currently, the Talos malicious IP list is supported. Therefore, this attribute displays the value Talos when the attack is from a client IP on the Talos list.
Network Flow	The network flow as observed from the node that includes the source and the destination IP address.
Details	The details about the resulting behavior of the node triggered by an inbound request. The details may change based on the event and attack type. Click Show More to view the Details dialog box. You can copy the details as per your requirement.
Stack Trace	Details of the stack trace for the corresponding event. Click Show More to view the Stack Trace dialog box. You can use this information to guide developers to the lines of code that were used to achieve the result of the event. You can copy the details as per your requirement.
Socket Address	The destination IP address. It can be a host, network, subnetwork, etc. The warning icon () next to IP address indicates that a known malicious IP is detected. This is available if the attack is from a client IP address that is on a known malicious IP list. Currently, the Talos malicious IP list is supported. Therefore, this attribute displays the value Talos when the attack is from a client IP on the Talos list.
Policy	The action that is used for this event based on the existing policy when the event is detected. If you have the Configure permission, you can change the policy by clicking this value. See Cisco Secure Application Policies.

You can click the Export button to download the table data. It downloads all of the rows, columns, and related data in a .csv file. A separate .json file includes the following: link to the Cisco Secure Application website where the table is exported from, global filters (if any) applied to the pages, and search filters applied to the columns. These two files are compressed into a .zip file for downloading. The maximum number of rows that can be exported is 10,000. If table data exceeds 10,000 rows you may apply filters to narrow your search, or export the first 10,000 results.