Attacks

The Attacks page displays these details:

Field Name | Description
Attacks By Outcome

This provides information on the following attack states:

  • Exploited: When malicious activity is performed to impact the application's security.
  • Blocked: When the events are blocked based on the attack policy.
  • Attempted: When the malicious activity is determined but not exploited.

Top Applications

This chart displays the top 10 applications based on open attacks per application. If you select a specific application scope, then only that application is displayed. To view all the applications, reset the application scope. See Monitor Application Security Using . These applications are in either an exploited, blocked, attempted, or state versus the total number of open attacks on the application. Hover over each state to view the number of blocked, exploited, and open attacks.

Top Attack Types

This chart displays the top 10 attack events that are in an exploited, blocked, or attempted state versus the total number of open attacks on the events. Hover over each state to view the number of blocked, exploited, attempted, and open attacks. Attack types include:

  • DESERIAL: The agent detected a Java class deserialization event.
  • SQL: The agent detected a known SQL injection signature event.
  • RCE: The agent detected a remote code execution event.
  • LOG4J: The agent detected a Log4Shell attack.
  • SSRF: The agent detected a server side request forgery event.
  • MALIP: The agent detected either an inbound or outbound socket connection to a known malicious IP address.

ID

The ID of the corresponding attack. generates this ID. You can modify this ID on the attack details page. To view the attack details page, click the desired row. Click this field to sort the ID numerically.

Outcome

The outcome of the corresponding attack. This provides information on the following attack states:

  • Exploited: When malicious activity is performed to impact the application's security.
  • Blocked: When the events are blocked based on the attack policy.
  • Attempted: When the malicious activity is determined but not exploited.

Click this field to sort the values alphabetically.

Attack Type (Events)

The type of the attack and the count of that attack type.

Event Trigger

Relevant information from the runtime behavior resulting from the event where Secure Application determined a potential attack.

Application

The application affected by the attack.

Business Transaction

When you click an Attack ID, you receive a summary for each attack, and a Business Transaction type if you have a Business Transaction enabled. See Monitor Business Transactions.

Tier

The tier name and the number of nodes. You can click to launch the application flow map in the Splunk AppDynamics dashboard. The info icon next to an affected tier indicates that the attacked nodes in the tier include critical or medium vulnerabilities.

Last Detected

The time elapsed since the last event within the attack. Click this field to sort the values in ascending or descending order.

Status

The status of the attack is defined as either open or closed. If you have Configure permissions, click the checkboxes for the required rows and then click the Set Status option to set the appropriate status. Click this field to sort based on the Open or Closed state.