This page explains how to send runtime application security events, such as Log4j exploitation and other remote code execution (RCE) attacks, server-side request forgery (SSRF), and other application security attacks, from Cisco Secure Application to Splunk products.

You can use this integration with Splunk Enterprise Security (primary use case), Splunk Enterprise, or Splunk Cloud.

Prerequisites

  1. Install the Cisco Secure Application content pack on Splunk Enterprise Security.
  2. Install the correct add-on for your Splunk deployment:

Set Up Notable Detection for Application Attacks in Splunk Enterprise Security

To set up this integration, follow the steps in Detection: Cisco Secure Application Alerts.

Send Attack Alerts from Cisco Secure Application to Splunk

This integration sends alerts related to attacks only; it doesn't send alerts related to vulnerabilities or business risks. Alerts must be of type HTTP, not email.

To set up this integration, follow the steps in Create an HTTP Alert.