new o11y secure application detection #4108
Conversation
```yaml
search: |-
  `secureapp_attack`
  | rename attackEvents{}.* AS *, detailJson.* AS *, vulnerabilityInfo.* AS *
  | fields - tag::eventtype, eventtype, host, id, index, linecount, punct, source, sourcetype, splunk_server, tag, SourceType, app, clientAddressType, "attackEvents{}.* status"
```
Is there a time field that we can include to help analysts identify the time range for the investigation?
@bryan-splunk - thoughts? I believe _time is already a part of the output!
correct. _time is already part of the output.
See the screenshot above from @patel-bhavin: running the search, the output has no _time currently. Let's add it to the fields command.
I could be wrong, but if _time was not a field, then how would the Time column be populated? That column, I believe, looks at the _time field.
One of the things @bryan-splunk is trying here is to not add a stats/table command, as he would like the entire alert as the detection output. _time is a part of the event, hence it does not need to be listed explicitly!
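To make the point of the thread concrete, the following is an added example (not code from this PR or from the Splunk security content project) that models the two SPL commands in the search above, `rename <prefix>.* AS *` and `fields - …`, over a constructed event. The field names and values in `SAMPLE_EVENT` are placeholders shaped like Splunk's auto-extracted JSON fields (array elements become `name{}.field`), not real AppDynamics Secure Application output, and the model is a simplification of SPL semantics: it shows that `fields -` only removes the fields it is given, so `_time` survives without being listed, while the prefixed fields come out renamed.

```python
import fnmatch

# Constructed sample event (placeholder values, not real AppD output).
SAMPLE_EVENT = {
    "_time": "2024-01-01T00:00:00Z",
    "host": "appd-collector",
    "index": "appd",
    "source": "secureapp",
    "sourcetype": "appd:secureapp:attack",
    "eventtype": "secureapp_attack",
    "tag::eventtype": "attack",
    "tag": "attack",
    "punct": '{"_',
    "linecount": "1",
    "splunk_server": "sh1",
    "id": "evt-1",
    "app": "checkout",
    "clientAddressType": "IPv4",
    "attackEvents{}.attackType": "SQLi",
    "attackEvents{}.status": "blocked",
    "detailJson.request.path": "/login",
    "vulnerabilityInfo.cwe": "CWE-89",
}

# Wildcard renames and field exclusions copied from the search in the PR.
RENAMES = ["attackEvents{}.*", "detailJson.*", "vulnerabilityInfo.*"]
DROP = [
    "tag::eventtype", "eventtype", "host", "id", "index", "linecount", "punct",
    "source", "sourcetype", "splunk_server", "tag", "SourceType", "app",
    "clientAddressType", "attackEvents{}.* status",
]


def rename_wildcards(event, patterns):
    """Model of `rename <prefix>.* AS *`: strip the matched prefix from the name.

    Each pattern is assumed to end in `.*`; the part before the `*` is the prefix.
    """
    out = {}
    for name, value in event.items():
        new_name = name
        for pat in patterns:
            prefix = pat[:-1]  # "attackEvents{}." from "attackEvents{}.*"
            if name.startswith(prefix) and len(name) > len(prefix):
                new_name = name[len(prefix):]
                break
        out[new_name] = value
    return out


def drop_fields(event, names):
    """Model of `fields - a, b, c`: remove only the listed fields (wildcards allowed).

    Anything not listed, including _time, is kept untouched.
    """
    return {
        k: v for k, v in event.items()
        if not any(fnmatch.fnmatchcase(k, n) for n in names)
    }


def run_search(event):
    """Apply the rename and the fields exclusion in the order the search does."""
    return drop_fields(rename_wildcards(event, RENAMES), DROP)


if __name__ == "__main__":
    for field, value in run_search(SAMPLE_EVENT).items():
        print(f"{field} = {value}")
```

Running it prints `_time`, `attackType`, `status`, `request.path` and `cwe`, and none of the excluded metadata fields; adding `_time` to a `fields +` clause would be needed only if the search used `fields +`, `table` or `stats`, which is exactly what the thread says this detection avoids.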
Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com>
…ntime_security.yml Co-authored-by: Nasreddine Bencherchali <nbencher@cisco.com>

Details
We are keeping the legacy AppD Secure Application detection until we can get a TA to provide the sourcetype for both AppD and o11y.
Checklist
`<platform>_<mitre att&ck technique>_<short description>` nomenclature