Splunk Lantern

Integrating Secure Application, Enterprise Security, and SOAR for hybrid applications security

You are a SecOps team member trying to establish an end-to-end security workflow for your organization's hybrid applications, allowing you to effectively detect, investigate, and respond to application attacks, including zero-day threats. You're finding that disparate security tools and manual processes are hindering rapid detection and automated response, so you're looking for a unified integration that helps you streamline event collection, enhance threat detection, and automate response actions.

How to use Splunk software for this use case

This article covers how to set up Splunk AppDynamics Secure Application, Splunk Enterprise Security, and Splunk SOAR to work together, providing an end-to-end unified workflow to detect, investigate, and respond to application attacks, including zero-day attacks.

You'll follow a number of steps to do this:

  1. Configure Splunk Enterprise Security to receive events.
  2. Configure Secure Application to send events.
  3. Configure Splunk Enterprise Security detection.
  4. Configure Splunk SOAR for response.

1. Configure Splunk Enterprise Security to receive HTTP event data

Follow the appropriate Collect HTTP event data instructions for your deployment to configure Splunk Enterprise Security to receive HTTP event data.

During this process you'll generate a HEC token. Make a note of this, as you'll need to refer to it later.

2. Configure Secure Application to send events to Splunk Enterprise Security

Follow the Alerts using Secure Application instructions to configure Secure Application to send data to Splunk Enterprise Security.

You'll set up a vulnerability alert and an attack alert during this process. Make sure you configure these with the following information:

Vulnerability alert

  • In step 4, select Vulnerability for the Event Type.
  • In step 6d, use the raw HEC endpoint. The URL you enter should end in /services/collector/raw.
  • In step 8, select an Authentication Type of Bearer and in the Token field enter the HEC token you generated in step 1, for example Splunk <HEC TOKEN>.
  • In step 12, paste the following JSON payload to include all vulnerability details.
{
  "vulnerabilityId": "$vulnerability.id",
  "vulnerabilityTitle": "$vulnerability.title",
  "vulnerabilityCvssSeverity": "$vulnerability.cvssSeverity",
  "vulnerabilityCvssScore": "$vulnerability.cvssScore",
  "vulnerabilityReached": "$vulnerability.reached",
  "vulnerabilityApplication": "$vulnerability.application",
  "vulnerabilityTier": "$vulnerability.tier",
  "vulnerabilityLibrary": "$vulnerability.library",
  "vulnerabilityStatus": "$vulnerability.status",
  "vulnerabilityFirstDetected": "$vulnerability.firstDetected",
  "vulnerabilityPublishDate": "$vulnerability.publishDate",
  "vulnerabilityType": "$vulnerability.type",
  "vulnerabilityDetailsUrl": "$vulnerability.detailsUrl",
  "vulnerabilityRemediation": "$vulnerability.remediation",
  "vulnerabilityKennaScore": "$vulnerability.kenna.score",
  "vulnerabilityKennaEasilyExploitable": "$vulnerability.kenna.easilyExploitable",
  "vulnerabilityKennaMalwareExploitable": "$vulnerability.kenna.malwareExploitable",
  "vulnerabilityKennaActiveInternetBreach": "$vulnerability.kenna.activeInternetBreach",
  "vulnerabilityKennaPopularTarget": "$vulnerability.kenna.popularTarget",
  "vulnerabilityKennaPredictedExploitable": "$vulnerability.kenna.predictedExploitable"
}

Attack alert

  • In step 4, select Attack for the Event Type.
  • In step 6d, use the raw HEC endpoint. The URL you enter should end in /services/collector/raw.
  • In step 8, select an Authentication Type of Bearer and in the Token field enter the HEC token you generated in step 1, for example Splunk <HEC TOKEN>.
  • In step 12, paste the following JSON payload to include all attack details.
{
  "attackId": "$attack.id",
  "attackSource": "$attack.source",
  "attackOutcome": "$attack.outcome",
  "attackTypes": "$attack.types",
  "attackEventTrigger": "$attack.eventTrigger",
  "attackApplication": "$attack.application",
  "attackApplicationId": "$attack.appId",
  "attackTier": "$attack.tier",
  "attackBusinessTransaction": "$attack.businessTransaction",
  "attackStatus": "$attack.status",
  "attackLastDetected": "$attack.lastDetected",
  "attackEvents": "$attack.events"
}

Secure Application should now be configured to send all new vulnerabilities and attacks that are detected.
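Before relying on Secure Application to deliver its first real alert, it is worth confirming that the HEC token, the raw endpoint and the attack payload shape all work end to end. The script below is an added example, not code from the Lantern article or from Splunk: it fills the attack-alert template from step 12 with constructed sample values, refuses to send an event with an unresolved $attack.* placeholder, and builds the same POST Secure Application will make (raw HEC endpoint, "Splunk <token>" Authorization header). HEC_HOST and HEC_TOKEN_PLACEHOLDER are placeholders for your own values.

```python
import json
import urllib.request

RAW_HEC_PATH = "/services/collector/raw"  # endpoint chosen in step 6d above


def attack_template() -> dict:
    """Attack-alert JSON template from step 12, as a dict of placeholders."""
    return {
        "attackId": "$attack.id", "attackSource": "$attack.source",
        "attackOutcome": "$attack.outcome", "attackTypes": "$attack.types",
        "attackEventTrigger": "$attack.eventTrigger",
        "attackApplication": "$attack.application",
        "attackApplicationId": "$attack.appId", "attackTier": "$attack.tier",
        "attackBusinessTransaction": "$attack.businessTransaction",
        "attackStatus": "$attack.status",
        "attackLastDetected": "$attack.lastDetected",
        "attackEvents": "$attack.events",
    }


def render_template(template: dict, values: dict) -> dict:
    """Substitute every placeholder; raise if one has no value so a
    half-filled event never reaches the index and silently breaks parsing."""
    rendered = {}
    for key, placeholder in template.items():
        if placeholder not in values:
            raise KeyError(f"no value for placeholder {placeholder}")
        rendered[key] = values[placeholder]
    return rendered


def hec_request(hec_base_url: str, hec_token: str, event: dict) -> urllib.request.Request:
    """Build the POST Secure Application makes: raw HEC endpoint, bearer token
    in the 'Splunk <token>' form from step 8, JSON body."""
    body = json.dumps(event).encode("utf-8")
    return urllib.request.Request(
        hec_base_url.rstrip("/") + RAW_HEC_PATH, data=body, method="POST",
        headers={"Authorization": f"Splunk {hec_token}",
                 "Content-Type": "application/json"})


# Constructed sample values standing in for Secure Application's substitutions.
SAMPLE_VALUES = {
    "$attack.id": "attack-0001", "$attack.source": "203.0.113.10",
    "$attack.outcome": "NOT_BLOCKED", "$attack.types": "SQL injection",
    "$attack.eventTrigger": "QUERY", "$attack.application": "shop-web",
    "$attack.appId": "42", "$attack.tier": "web-tier",
    "$attack.businessTransaction": "/checkout", "$attack.status": "OPEN",
    "$attack.lastDetected": "2024-01-01T00:00:00Z", "$attack.events": "1",
}

if __name__ == "__main__":  # replace HEC_HOST and the token with your own
    req = hec_request("https://HEC_HOST:8088", "HEC_TOKEN_PLACEHOLDER",
                      render_template(attack_template(), SAMPLE_VALUES))
    with urllib.request.urlopen(req, timeout=10) as resp:
        print(resp.status, resp.read().decode())
```

A 200 response with {"text":"Success","code":0} confirms the token and endpoint; the event should then appear in Splunk Enterprise Security with the attack* fields above, which is the shape the detection in step 3 expects.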

3. Configure Splunk Enterprise Security detection

The detection you'll be configuring includes pre-defined drilldowns and searches to help with an investigation.

  1. Install the Cisco Splunk Add-on for AppDynamics. This ensures that all the data is properly parsed and can be fully utilized by Splunk Enterprise Security.
  2. Install Splunk ES Content Update (ESCU) and ensure it is updated to the latest version.
  3. In Splunk Enterprise Security, go to Content Management and search for the Splunk AppDynamics Secure Application Alerts detection.
  4. While you can turn this detection on as-is, you might want to review the detection to ensure it is aligned to your team’s practices. When you're happy, turn on the detection. This will generate a new finding for each new unblocked attack that is detected.

4. Configure Splunk SOAR for response

To configure SOAR to respond to detected attacks, go to SOAR and install the Secure Application app. This app allows you to automate a wide variety of actions that run when specific types of attacks are detected, like creating a new policy or adding rules to a policy. You can create a playbook similar to the one shown below that asks a user whether a new blocking policy should be implemented and then, if authorized, applies the policy and rule in Secure Application.

[Image: example Splunk SOAR playbook]

Additional resources

These resources might help you understand and implement this guidance: