You can send Cisco Secure Application security events to a Splunk deployment over HTTP or HTTPS. When you enable a new connection with the details of the Splunk server, vulnerability, attack, and observation events can be sent from Cisco Secure Application to the specified Splunk instance. Use HTTPS wherever possible: the HTTP Event Collector token is sent with every request, and over plain HTTP it is readable on the wire.
The gear icon opens the Settings option. From Settings, use the Connections option to forward security events to a third-party server.
Currently, Cisco Secure Application supports integration with Splunk only.
To create a new connection, click New Connection and specify the following in the New Connection dialog box:
Name: Any name to identify the connection.
Service Type: Splunk HTTP Event Collector. Currently, Cisco Secure Application supports the HTTP event collector only.
Endpoint: The Splunk host endpoint.
Token: The token generated through Splunk. The value is hidden after you save the connection.
The Connections page displays the Splunk connection details together with its status. You can modify the connection by using the modify icon.
After the connection is established, Cisco Secure Application sends the events once every minute.
Currently, this connection supports Vulnerabilities. The support will extend to Attacks and Observations in later releases.
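Before saving a connection it is worth confirming that the Endpoint and Token pair actually reaches the collector. The following Python script is an added example, not Cisco Secure Application or Splunk code: it builds a HEC request, refuses plain HTTP unless explicitly allowed, posts a constructed test event, and reports the HTTP status. It assumes the standard Splunk HEC conventions (collector path /services/collector/event, an "Authorization: Splunk <token>" header, and a JSON body with the payload under "event"); the host splunk.example.com, port 8088 and the token value used in the test are placeholders.

```python
"""Pre-flight check for a Splunk HTTP Event Collector (HEC) connection.

Added example, not part of Cisco Secure Application or Splunk. It assumes the
standard HEC conventions: events are POSTed to /services/collector/event with
an "Authorization: Splunk <token>" header, and the body is a JSON object with
the payload under "event". Hosts, tokens and the test event are constructed.
"""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit, urlunsplit

HEC_EVENT_PATH = "/services/collector/event"  # standard HEC collector path (assumption)


def build_hec_request(endpoint: str, token: str, event: dict, *, allow_http: bool = False):
    """Return (url, headers, body) for a HEC POST.

    Rejects plain http:// unless allow_http is set, because the token rides in
    a request header and would be readable on the wire.
    """
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"endpoint must be an http(s) URL, got {endpoint!r}")
    if parts.scheme == "http" and not allow_http:
        raise ValueError("refusing to send the HEC token over plain HTTP")
    if not token.strip():
        raise ValueError("HEC token is empty")
    # Accept either the bare host URL or a URL that already carries the collector path.
    path = parts.path if parts.path.rstrip("/") else HEC_EVENT_PATH
    url = urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    headers = {
        "Authorization": f"Splunk {token}",
        "Content-Type": "application/json",
    }
    body = json.dumps({"sourcetype": "secure_app:test", "event": event}).encode()
    return url, headers, body


def redact(token: str) -> str:
    """Keep only the last 4 characters, so the token never lands in a log line."""
    return "*" * max(len(token) - 4, 0) + token[-4:]


def send_test_event(endpoint, token, opener=urllib.request.urlopen, timeout=5):
    """POST a constructed test event and return (http_status, parsed_response).

    `opener` is injectable so the check can be exercised without a live Splunk.
    """
    event = {"resource": "Secure App", "message": "HEC connectivity check"}
    url, headers, body = build_hec_request(endpoint, token, event)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with opener(req, timeout=timeout) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        # 401/403: bad or disabled token; 400: malformed event; 503: HEC or indexer problem.
        return err.code, json.loads(err.read() or b"{}")


if __name__ == "__main__":
    # Placeholder endpoint and token; replace with the values you intend to save.
    ENDPOINT, TOKEN = "https://splunk.example.com:8088", "replace-me"
    status, reply = send_test_event(ENDPOINT, TOKEN)
    print(f"{ENDPOINT} token={redact(TOKEN)} -> HTTP {status}: {reply}")
```

A 200 with a "Success" text confirms the collector accepted the event under that token; anything else tells you what to fix before saving the connection, without exposing the token in your shell history or logs.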
AppDynamics IP Addresses
If your Splunk instance blocks public IPs, ensure that you allow the following IP addresses. All traffic originating from the Oregon environment has one of the following source IP addresses:
The supported agents send security events to Cisco Secure Application, which displays the attacks and vulnerabilities in the UI. So that these events can be used within Splunk, Cisco Secure Application sends the event attributes to Splunk in the format described below. These are the event details:
Vulnerability events

| Attribute | Type | Description |
|---|---|---|
| tenantId | int32 | The tenant ID of the server on which the AppDynamics Controller is installed. |
| tenantName | String | The name of the server on which the AppDynamics Controller is installed. |
| applicationId | int32 | The ID of the vulnerable application. |
| applicationname | String | The name of the vulnerable application. |
| applicationUuid | String | The unique ID (UUID) of the vulnerable application. |
| tierId | int32 | The ID of the vulnerable application tier. |
| tiername | String | The name of the vulnerable application tier. |
| tierUuid | String | The unique ID (UUID) of the vulnerable tier. |
| timestamp | String | The time the vulnerability was first detected. |
| severity | String | The CVSS v3 environmental severity rating, as text. |
| severityNumber | Float32 | The risk score of the vulnerability; a higher number means higher risk. |
| resource | String | The source of the security event. Always Secure App, indicating that the event was sent by Cisco Secure Application. |
| createdAt | String | The time the vulnerability was first detected. Same value as timestamp. |
| lastSeenAt | String | The time the vulnerability was last detected. |
| fixedAt | String | The time the CVE was remediated. Present only once the CVE is fixed. |
| cveId | String | The Common Vulnerabilities and Exposures (CVE) ID. |
| packageName | String | The name of the library in which the vulnerability was detected. |
| packageVersion | String | The version of the vulnerable package. |
| fixedVersion | String | The package version that fixes the vulnerability (the remediation version). |
Attack events

| Attribute | Type | Description |
|---|---|---|
| TenantId | int32 | The tenant ID of the server on which the AppDynamics Controller is installed. |
| TenantName | String | The name of the server on which the AppDynamics Controller is installed. |
| ApplicationId | int32 | The ID of the application affected by the attack. |
| ApplicationName | String | The name of the application affected by the attack. |
| ApplicationUuid | String | The unique ID (UUID) of the application affected by the attack. |
| Timestamp | String | The time the attack was detected. |
| SeverityNumber | float32 | The risk score of the attack; a higher number means higher risk. |
| Name | String | The name of the attack event. |
| Resource | String | The entry point of the attack: the web server URL accessed by the client in the transaction that triggered the event. Depending on the event type, this field may be absent. |
| CreatedAt | String | The time the attack was first detected. Same value as Timestamp. |
| LastSeenAt | String | The time the attack was last detected. |
| MaliciousIpSource | String | The name of the malicious IP list. Present only when the attack comes from a client IP address that is on a known malicious IP list. Currently only the Talos list is supported, so the value is Talos when the client IP is on that list. |
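To show how the two attribute tables above are used once the events are in Splunk, the following Python script is an added example (not Cisco Secure Application or Splunk code). It parses a constructed batch of event payloads, collapses repeated reports of the same CVE, drops vulnerabilities that already carry fixedAt, and pulls out attacks whose client IP was on a listed source (MaliciousIpSource set). The sample records follow the tables' key casing (camelCase for vulnerability events, PascalCase for attack events); the ISO 8601 timestamp format is an assumption, the page only says the fields are strings, and the CVE IDs and application names are placeholders.

```python
"""Triage Cisco Secure Application events after they land in Splunk.

Added example; not Cisco Secure Application or Splunk code. The sample payloads
are constructed to match the attribute tables on this page: vulnerability
events use camelCase keys (cveId, fixedAt, ...), attack events use PascalCase
keys (Name, MaliciousIpSource, ...). Timestamps are assumed to be ISO 8601
strings (the page only says "String"); CVE IDs and app names are placeholders.
"""
import json

# Constructed sample, one HEC event payload per line (as a raw search would return them).
SAMPLE_LINES = [
    '{"tenantId": 1, "applicationId": 10, "applicationname": "payments", "tierId": 100, "tiername": "web",'
    ' "resource": "Secure App", "severity": "Critical", "severityNumber": 9.8, "cveId": "CVE-0000-0001",'
    ' "packageName": "example-lib", "packageVersion": "1.0.0", "fixedVersion": "1.0.1",'
    ' "createdAt": "2024-01-01T00:00:00Z", "lastSeenAt": "2024-01-03T00:00:00Z"}',
    # Same CVE reported again a day later (events are resent every minute): must not be counted twice.
    '{"tenantId": 1, "applicationId": 10, "applicationname": "payments", "tierId": 100, "tiername": "web",'
    ' "resource": "Secure App", "severity": "Critical", "severityNumber": 9.8, "cveId": "CVE-0000-0001",'
    ' "packageName": "example-lib", "packageVersion": "1.0.0", "fixedVersion": "1.0.1",'
    ' "createdAt": "2024-01-01T00:00:00Z", "lastSeenAt": "2024-01-04T00:00:00Z"}',
    # Already remediated: fixedAt is present, so it is closed.
    '{"tenantId": 1, "applicationId": 11, "applicationname": "inventory", "tierId": 110, "tiername": "api",'
    ' "resource": "Secure App", "severity": "Medium", "severityNumber": 5.3, "cveId": "CVE-0000-0002",'
    ' "packageName": "other-lib", "packageVersion": "2.1.0", "fixedVersion": "2.1.1",'
    ' "createdAt": "2024-01-01T00:00:00Z", "lastSeenAt": "2024-01-02T00:00:00Z", "fixedAt": "2024-01-05T00:00:00Z"}',
    '{"TenantId": 1, "ApplicationId": 10, "ApplicationName": "payments", "Name": "SQL Injection",'
    ' "Resource": "/api/login", "SeverityNumber": 8.0, "Timestamp": "2024-01-03T10:00:00Z",'
    ' "MaliciousIpSource": "Talos"}',
    '{"TenantId": 1, "ApplicationId": 10, "ApplicationName": "payments", "Name": "Path Traversal",'
    ' "Resource": "/static", "SeverityNumber": 6.0, "Timestamp": "2024-01-03T11:00:00Z"}',
    'not json at all',  # malformed line: must be skipped, not crash the triage
]


def parse_events(lines):
    """Parse JSON lines, dropping anything that is not a JSON object."""
    events = []
    for line in lines:
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(obj, dict):
            events.append(obj)
    return events


def is_vulnerability(ev):
    # Vulnerability events carry cveId; attack events carry Name instead.
    return "cveId" in ev


def open_vulnerabilities(events):
    """Open (not yet fixed) CVEs, one per application/package/version, worst first.

    Repeated reports of the same CVE are collapsed, keeping the latest lastSeenAt.
    """
    by_key = {}
    for ev in events:
        if not is_vulnerability(ev) or ev.get("fixedAt"):
            continue
        key = (ev.get("applicationId"), ev["cveId"], ev.get("packageName"), ev.get("packageVersion"))
        prev = by_key.get(key)
        if prev is None or ev.get("lastSeenAt", "") > prev.get("lastSeenAt", ""):
            by_key[key] = ev
    return sorted(by_key.values(), key=lambda e: float(e.get("severityNumber", 0)), reverse=True)


def attacks_from_listed_ips(events):
    """Attack events whose client IP was on a known malicious list (MaliciousIpSource set)."""
    return [ev for ev in events if not is_vulnerability(ev) and ev.get("MaliciousIpSource")]


def triage(lines):
    """Summarise a batch of event lines into what an analyst acts on first."""
    events = parse_events(lines)
    return {
        "open_vulnerabilities": [
            (v["applicationname"], v["cveId"], v["packageVersion"], v["fixedVersion"], v["severityNumber"])
            for v in open_vulnerabilities(events)
        ],
        "attacks_from_listed_ips": [
            (a["ApplicationName"], a["Name"], a["Resource"], a["MaliciousIpSource"])
            for a in attacks_from_listed_ips(events)
        ],
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

The same two questions can be asked directly in Splunk; assuming the events are indexed under an index of your choosing, the equivalent searches are `index=<your_index> resource="Secure App" cveId=* NOT fixedAt=* | dedup applicationId cveId packageName packageVersion sortby -lastSeenAt | sort -severityNumber` for open vulnerabilities, and `index=<your_index> MaliciousIpSource=* | stats count by ApplicationName Name Resource MaliciousIpSource` for attacks from listed client IPs. Because fixedAt is only present once a CVE is remediated, filtering on its absence is what separates open findings from closed ones.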