Attacks

The Attacks tab lists summaries of attacks or attempts to exploit known vulnerabilities (CVEs).

The attack list is sorted by the Attack ID column by default. Columns in the table:

  • Attack ID: A random numerical value that you can use to search for an attack. The ID itself has no special meaning. One attack ID (also called an attack summary) can have multiple attack types (also called attack events) associated with it.

  • Outcome: Current state of the attack:

    • Exploited: A malicious activity was performed to impact the application's security.

  • Types: A list of attack types and counts (in brackets). Attack types differ from event types; multiple event types can trigger a single attack type.

    • DESERIAL: The agent detected a Java class deserialization event.

    • LOG4J: The agent detected a Log4Shell attack.

    • RCE: The agent detected a remote code execution event.

    • SQL: The agent detected a known SQL injection signature event.

    • SSRF: The agent detected a server side request forgery event.

  • CVEs Reached: A list of CVEs which are associated with this attack.

  • Environment: The environment value you specified in your Secure Application agent otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTE environment variable.

  • Service: The service value you specified in your Secure Application agent otel.resource.attributes parameter or in the OTEL_RESOURCE_ATTRIBUTE environment variable.

  • Last detected: The time elapsed since the last event within the attack. Select this column header to sort the values in ascending or descending order.

There are multiple ways to navigate to the Secure Application Attacks tab:

From the Splunk APM service map

See View security assessments in the service map.

From the Splunk APM overview
  1. From APM > Overview, find your target service in the table.

  2. On the row for your target service, select the link for the attack count in the Application Security column.

From the service view

See View security assessments in the service view.

From the Splunk Application Security overview
  1. Select APM, scroll down to Application Security, and select Attacks.

  2. Filter the attack list by environment, service, or attack type.

  3. To view a specific attack instance, select the link in the table's Attack ID column.

Download the attack list

To download a .csv file with all the attacks currently visible in the attack list, select Export all.
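As an added example (not Splunk's own tooling), the following Python script triages such an export offline: it totals attack types per service, maps each CVE reached to the environments and services it was reached on, and flags any attack type not in the documented list. It assumes the .csv column headings match the Attacks tab, that Types counts appear in brackets as in "SQL (3)", and that CVEs Reached is semicolon-separated; the sample rows and CVE ids are constructed placeholders.

```python
import csv
import io
import re
from collections import defaultdict

# Attack types documented on the Attacks tab; anything else is flagged for review.
KNOWN_TYPES = {"DESERIAL", "LOG4J", "RCE", "SQL", "SSRF"}

# Constructed sample export. Column names follow the Attacks tab; the exact layout
# of a real "Export all" file and the CVE ids (placeholders, not real) are assumptions.
SAMPLE_CSV = """Attack ID,Outcome,Types,CVEs Reached,Environment,Service,Last detected
48213,Exploited,"SQL (3), SSRF (1)",,prod,checkout,5 minutes ago
90377,Exploited,LOG4J (2),CVE-XXXX-0001,prod,inventory,2 hours ago
11502,Exploited,"DESERIAL (1), RCE (1)",CVE-XXXX-0001; CVE-XXXX-0002,staging,inventory,1 day ago
"""
TYPE_RE = re.compile(r"([A-Z0-9_]+)\s*\((\d+)\)")

def parse_types(cell):
    """Turn 'SQL (3), SSRF (1)' into {'SQL': 3, 'SSRF': 1}."""
    return {name: int(count) for name, count in TYPE_RE.findall(cell)}

def load_attacks(text):
    """Parse the export; Types becomes a dict and CVEs Reached a list."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Types"] = parse_types(row["Types"])
        row["CVEs Reached"] = [c.strip() for c in row["CVEs Reached"].split(";") if c.strip()]
        rows.append(row)
    return rows

def summarize_by_service(rows):
    """Total attack-type counts per service across all attack summaries."""
    totals = defaultdict(lambda: defaultdict(int))
    for row in rows:
        for name, count in row["Types"].items():
            totals[row["Service"]][name] += count
    return {svc: dict(counts) for svc, counts in totals.items()}

def services_reaching_cve(rows):
    """Map each CVE reached to the (environment, service) pairs it was reached on."""
    reached = defaultdict(set)
    for row in rows:
        for cve in row["CVEs Reached"]:
            reached[cve].add((row["Environment"], row["Service"]))
    return dict(reached)

def unknown_types(rows):
    """Attack type names outside the documented list, for manual review."""
    return {n for row in rows for n in row["Types"] if n not in KNOWN_TYPES}
```

Run `load_attacks` on the contents of a real export and feed the rows to the two summary functions to get a per-service and per-CVE view for prioritising remediation.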

View attack details

Select any attack summary to navigate to the details page for that specific attack. The details page is associated with one service. In other words, it's the record of the attack on a specific service.

On the attack summary page, you can see a count of the CVEs that are associated with that attack. To see recommended actions:

  1. Select a specific attack to navigate to that attack's details page.

  2. Select the CVE's link in the CVE Reached column to see what the recommended actions are for that CVE. This navigates you to the CVE details page.

  3. On the CVE details page, view the Recommended actions tile.

View the stack trace

Because the stack trace is associated with a specific service, first navigate to the affected service. There you can view that service's vulnerable method (the method that called the vulnerable function) or the service's entire stack trace, which highlights the vulnerable function:

  1. On the attack summary page, select a specific attack event to navigate to that attack's details page.

  2. On the attack details page, select the service name (link) from the pane on the right. This navigates you to the Splunk APM service view where you can see all the security data (vulnerabilities and attacks) related to that service.

  3. On the Splunk APM service view right panel, scroll down to the bottom and select Show more. This displays the stack trace with the method that called the vulnerable function highlighted.