From 4385e7f3f3657383670715e2154e8058e4564fa7 Mon Sep 17 00:00:00 2001 From: Diana O Date: Mon, 22 Jun 2026 09:56:52 +1000 Subject: [PATCH 1/2] Updated Links, Formatting and markups --- .../8-secure-application/01-getting-started.md | 2 +- .../02-unified-visibility.md | 10 +++++----- .../03-runtime-vulnerabilities.md | 8 ++++---- .../04-prioritizing-vulnerability-risk.md | 10 +++++----- .../05-risk-investigation.md | 10 +++++----- .../06-runtime-attack-investigation.md | 17 ++++++++--------- .../07-eliminating-risk-&-technical-debt.md | 6 +++--- .../08-intergrated-defense.md | 4 ++-- .../8-secure-application/09-conclusion.md | 2 +- .../1-modules/8-secure-application/_index.md | 2 +- 10 files changed, 35 insertions(+), 36 deletions(-) diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/01-getting-started.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/01-getting-started.md index f92f2e078f..2429e78b5b 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/01-getting-started.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/01-getting-started.md @@ -13,7 +13,7 @@ During this workshop, we'll explore: For the workshop, a shared tenant is provided that contains Application Security telemetry (runtime vulnerabilities, library inventory, and attack events). -> *"The tenant has been pre-configured with APM-instrumented microservices — without requiring to deploy additional agents beyond existing Observability instrumentation."* +> *"The tenant has been pre-configured with APM-instrumented microservices without requiring to deploy additional agents beyond existing Observability instrumentation."* --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/02-unified-visibility.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/02-unified-visibility.md index 822db8a567..3af32b66bf 100644 
--- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/02-unified-visibility.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/02-unified-visibility.md @@ -6,7 +6,7 @@ weight: 2 ## Why unified visibility matters -When reliability and security live in separate tools, prioritization conversations stall. SREs ask *what broke?* while AppSec asks *what is exploitable?* — and neither view shows services that are simultaneously unhealthy and high-risk. +When reliability and security live in separate tools, prioritization conversations stall. SREs ask *what broke?* while AppSec asks *what is exploitable?* and neither view shows services that are simultaneously unhealthy and high-risk. Splunk Secure Application surfaces vulnerability and attack summaries alongside golden signals on **APM Overview**, **Service Map**, and the **per-service Application Security** workspace. Engineering, application security, and SecOps can share one runtime view without a duplicate agent or workflow. 
@@ -15,21 +15,21 @@ Splunk Secure Application surfaces vulnerability and attack summaries alongside ## 2.1 Security posture on APM Overview 1. Navigate to **APM → Overview**. -2. Set the **environment** filter to `astronomy-shop-*`. +2. Set the **environment** filter to 'astronomy-shop-*'. 3. Scroll to the **Services** tab. Observe each service row: alongside standard health metrics, you should see runtime vulnerability and threat profile summaries for instrumented services- counts of critical and high CVEs and attacks. ![apm](./images/02-overview.png) -> *"We are bringing security together with reliability - allowing teams to review Application Security risks in the same place they understand application performance and behavior."* +> *"We are bringing security together with reliability, allowing teams to review Application Security risks in the same place they understand application performance and behavior."* --- ## 2.2 Service Map runtime security widgets 1. Navigate to **APM → Service Map**. -2. Open the **Services** filter and select **`ad`**. +2. Open the **Services** filter and select **'ad'**. 3. Click the **`ad`** node in the service map. 4. Scroll to the **Runtime Vulnerabilities** and **Attacks** widgets (right-hand side of screen). @@ -39,7 +39,7 @@ The widgets summarize the top vulnerabilities (CVE title, ID, score, libraries) (Optional) - Drill into a vulnerability or attack detail (from the relevant widget) to review the navigation path. -> *"This view highlights Blast-radius thinking - where issues framed next to dependencies and traffic."* +> *"This view highlights Blast-radius thinking where issues framed next to dependencies and traffic."* --- ## What you learned diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/03-runtime-vulnerabilities.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/03-runtime-vulnerabilities.md index 4efff63d77..a566ed23a3 100644 
--- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/03-runtime-vulnerabilities.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/03-runtime-vulnerabilities.md @@ -6,7 +6,7 @@ weight: 3 ## Why a single inventory view matters -Standalone vulnerability scanners often report theoretical findings against code repositories or container images — not what is actually loaded in running JVMs and services. Teams export spreadsheets, cross-reference CMDB entries, and still lack confidence in production exposure. +Standalone vulnerability scanners often report theoretical findings against code repositories or container images - not what is actually loaded in running JVMs and services. Teams export spreadsheets, cross-reference CMDB entries, and still lack confidence in production exposure. Splunk Secure Application discovers vulnerabilities **at runtime**, correlated to deployed applications and the same APM context teams use for performance troubleshooting. A consolidated inventory answers the executive question: *what is our application security risk exposure right now?* @@ -17,8 +17,8 @@ Splunk Secure Application discovers vulnerabilities **at runtime**, correlated t ### a. Open from service-scoped vulnerabilities 1. From the **APM → Overview** page. -2. Set environment to `astronomy-shop-*`. -3. Scroll to the services list and click on a service with security insights data e.g **`ad`** service. +2. Set environment to 'astronomy-shop-*'. +3. Scroll to the services list and click on a service with security insights data e.g **'ad'** service. 4. Open the **Application Security** tab to view associated security risks scoped to the service. ![apm](./images/03a-runtime-vuln-ad.png) 
@@ -26,7 +26,7 @@ Splunk Secure Application discovers vulnerabilities **at runtime**, correlated t > [!NOTE] > You can navigate to this view from other alternate paths > 1. **Sevice-Map** → **Vulnerabilities Widget** OR -> 2. From the left navigation, **APM → Application Security** → **Runtime Vulnerabilities** (Filter **environment** : `astronomy-shop-*` to and select **service** : e.g `ad`'') - To view the full vulnerability inventory across all instrumented applications in the environment +> 2. From the left navigation, **APM → Application Security** → **Runtime Vulnerabilities** (Filter **environment** : `astronomy-shop-*` to and select **service** : e.g 'ad') - to view the full vulnerability inventory across all instrumented applications in the environment --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/04-prioritizing-vulnerability-risk.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/04-prioritizing-vulnerability-risk.md index e20db12281..9cdaccd0bb 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/04-prioritizing-vulnerability-risk.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/04-prioritizing-vulnerability-risk.md 
@@ -6,17 +6,17 @@ weight: 04 ## Why CVSS alone is insufficient -CVSS describes theoretical severity — how bad a vulnerability could be in the abstract. It does not tell you whether a public exploit exists, whether malicious activity has been observed, or whether the weakness is reachable in your running services. +CVSS describes theoretical severity - how bad a vulnerability could be in the abstract. It does not tell you whether a public exploit exists, whether malicious activity has been observed, or whether the weakness is reachable in your running services. -Splunk Secure Application adds **Security Risk Score** — threat telemetry combining base CVSS with real-world signals such as exploit availability and observed activity. Operational risk assessment & triage should use both scores, not CVSS alone. +Splunk Secure Application adds **Security Risk Score** - threat telemetry combining base CVSS with real-world signals such as exploit availability and observed activity. Operational risk assessment & triage should use both scores, not CVSS alone. --- ## 4.1 Open service-scoped vulnerabilities 1. Navigate to **APM → Overview**. -2. Set environment to `astronomy-shop-*`. -3. Click the vulnerable **`ad`** service. +2. Set environment to 'astronomy-shop-*'. +3. Click the vulnerable **'ad`** service. 4. Open the **Application Security** tab (or **Runtime Vulnerabilities** scoped to the service). --- 
@@ -50,7 +50,7 @@ The Risk Score is low, indicating no active exploits. The team can safely deprio Why does this item warrant prioritize-first treatment? {{< details summary="Click here to see the answer" >}} -This reflects a real-world risk grounded in threat intelligence across known exploits against this vulnerability andcorrelated with Observability context for additional risk profiling of risk based on the impacted service and business risk of any exploit against it. +This reflects a real-world risk grounded in threat intelligence across known exploits against this vulnerability and correlated with Observability context for additional risk profiling of risk based on the impacted service and business risk of any exploit against it. {{< /details >}} --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/05-risk-investigation.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/05-risk-investigation.md index 43879fca79..345d0525f5 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/05-risk-investigation.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/05-risk-investigation.md @@ -6,7 +6,7 @@ weight: 5 ## Why investigation needs runtime context -Patching without blast-radius analysis leaves opportunities for exploit: engineering upgrades libraries that only affect one service while the same CVE spans critical paths elsewhere — or teams over-escalate isolated findings. +Patching without blast-radius analysis leaves opportunities for exploit: engineering upgrades libraries that only affect one service while the same CVE spans critical paths elsewhere - or teams over-escalate isolated findings. Splunk Secure Application consolidates **library names and versions**, **remediation guidance**, and **affected-service enumeration** in one detail view so upgrade decisions are grounded in what is actually deployed. 
@@ -14,7 +14,7 @@ Splunk Secure Application consolidates **library names and versions**, **remedia ## 5.1 Guided vulnerability troubleshooting -1. From the **`ad`** service Application Security view, click the **high CVSS / high risk score** vulnerability you identified in the previous module. +1. From the **'ad`** service Application Security view, click the **high CVSS / high risk score** vulnerability you identified in the previous module. 2. Review the vulnerability detail panel: | Field | What to look for | @@ -26,14 +26,14 @@ Splunk Secure Application consolidates **library names and versions**, **remedia ![apm](./images/05-runtime-details.png) -> *"No tedious research across multiple portals - context is in the same place."* +> *"No tedious research across multiple portals - context is in the same place".* --- ## 5.2 Assess affected services (blast radius) 1. Scroll to the **Affected services** section at the bottom of the vulnerability detail. -2. Determine whether the same CVE spans additional critical services or is isolated to `ad`. +2. Determine whether the same CVE spans additional critical services or is isolated to 'ad'. ![apm](./images/05-runtime-services.png) @@ -42,7 +42,7 @@ Splunk Secure Application consolidates **library names and versions**, **remedia > impacted service. Reviewing other deployed packages that may need attention beyond the single CVE under > investigation. -> *"Before engaging application teams, you can review all available resources and external references to understand extended risk exposure across the stack. "* +> *"Before engaging application teams, you can review all available resources and external references to understand extended risk exposure across the stack."* --- 
diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/06-runtime-attack-investigation.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/06-runtime-attack-investigation.md index 27578e4dbb..562587858d 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/06-runtime-attack-investigation.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/06-runtime-attack-investigation.md @@ -6,7 +6,7 @@ weight: 6 ## Why runtime attacks change the conversation -Periodic scanning tells you what *could* be wrong. Runtime attack detection tells you what *is happening* — +Periodic scanning tells you what *could* be wrong. Runtime attack detection tells you what *is happening* - exploit attempts against known weaknesses, with forensic context for immediate investigation and mitigation. Splunk Secure Application correlates attack telemetry to vulnerabilities already cataloged, keeping SOC-style @@ -36,13 +36,12 @@ investigations inside Observability Cloud. 1. Select one attack activity to open the detailed view. 2. Review forensic fields: - -- Attacked **host**, **environment**, and **service** -- **Sequence of events** and actions performed -- Impacted **business context** -- **Client IP** and **HTTP method** -- Specific **event** and **trigger** -- **Code executed** during the exploit + - Attacked **host**, **environment**, and **service** + - **Sequence of events** and actions performed + - Impacted **business context** + - **Client IP** and **HTTP method** + - Specific **event** and **trigger** + - **Code executed** during the exploit ![apm](./images/06-attack--details.png) 
@@ -56,7 +55,7 @@ investigations inside Observability Cloud. ![apm](./images/06-attack-forensics.png) -> *"Identify exactly which line of code was accessed during this exploit — shorter loop from alert to remediation."* +> *"Identify exactly which line of code was accessed during this exploit shorter loop from alert to remediation."* --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/07-eliminating-risk-&-technical-debt.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/07-eliminating-risk-&-technical-debt.md index 456f20af42..0cc8f02fc8 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/07-eliminating-risk-&-technical-debt.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/07-eliminating-risk-&-technical-debt.md @@ -10,7 +10,7 @@ Unmanaged vulnerability backlogs create risk, noise, stale detections, and confi Teams spend remediation capacity on some CVSS resolutions while long-tail legacy library sprawl accumulates tech debt. -> *"Having governance of vulnerability status transitions and org-wide library inventory, turns an overwhelming list into an actionable, trackable queue — eliminating debt in the triage process."* +> *"Having governance of vulnerability status transitions and org-wide library inventory, turns an overwhelming list into an actionable, trackable queue - eliminating debt in the triage process."* --- 
@@ -44,7 +44,7 @@ accumulates tech debt. ## 6.3 Filter and export for collaboration 1. Open the **Status** dropdown and select **Not Vulnerable**. -2. Observe which libraries may show no known CVE data — which means that they are healthy relative to known and existing risk. +2. Observe which libraries may show no known CVE data, which means that they are healthy relative to known and existing risk. 3. Select **Export** (or equivalent) to produce a shareable subset for a mock engineering or SecOps handoff. ![apm](./images/07-export.png) @@ -52,7 +52,7 @@ accumulates tech debt. > [!NOTE] > The risk profile changes as new vulnerabilities are discovered. So while some of these may have no > known vulnerabilities at this time, the status may change and hence it is critical to have real-time active -> detection in place to track these shifts including `Zero Day Vulnerabilities` - across all your active workloads +> detection in place to track these shifts including `Zero Day Vulnerabilities` across all your active workloads --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/08-intergrated-defense.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/08-intergrated-defense.md index f45f5708d0..d809f5430e 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/08-intergrated-defense.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/08-intergrated-defense.md 
@@ -6,7 +6,7 @@ weight: 8 ## Why integration completes the enterprise defense story -Detecting vulnerabilities and attacks inside Observability is only part the security journey. SecOps teams are also part of the equation, from an enterprise-level defense scale & typically live in SIEM workflows — if vulnerability and attack events & findings do not reach those tools, it creates gaps in security management and often reverts to duplicate ticketing and stale exports. +Detecting vulnerabilities and attacks inside Observability is only part the security journey. SecOps teams are also part of the equation, from an enterprise-level defense scale & typically live in SIEM workflows. If vulnerability and attack events & findings do not reach those tools, it creates gaps in security management and often reverts to duplicate ticketing and stale exports. Splunk Secure Application closes the loop with **notification rules** that stream findings to SIEM solutions like Splunk Enterprise Security. @@ -28,7 +28,7 @@ Notification integrations are configured to send vulnerability and attack events ![apm](./images/06-notification.png) -> *"Single pipeline from runtime findings to SOC visibility - SecOps gets these events with full context — no duplicate workflow."* +> *"Single pipeline from runtime findings to SOC visibility with no duplicate workflow - SecOps gets these events with full context."* --- diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/09-conclusion.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/09-conclusion.md index 8fb77fff86..d41926eded 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/09-conclusion.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/09-conclusion.md 
@@ -6,7 +6,7 @@ weight: 9 ## Workshop recap -When teams ask *what's happening in production, and where should we look first?* — Observability answers the reliability question. **Splunk Secure Application** extends that same story into application security **without bolting on another agent or living in a second product**. +When teams ask *what's happening in production, and where should we look first?*, Observability answers the reliability question. **Splunk Secure Application** extends that same story into application security **without bolting on another agent or living in a second product**. In this workshop, we covered how to move from fragmented application security tooling to an operational model where security is embedded in how teams already understand production. We covered ways to diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md index 7d08ff405e..4238de6852 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md 
@@ -31,7 +31,7 @@ Application security data is often scattered across standalone scanners, spreads To address these challenges you need a way to: -- **Maintain visibility**: Unify reliability and security in existing & shared workspaces — without bolting on a second agent or product. +- **Maintain visibility**: Unify reliability and security in existing & shared workspaces without bolting on a second agent or product. - **Update and upgrade with context**: Tie remediation guidance to vulnerability risk profile, library names, versions, and affected-service blast radius before engaging engineering. - **Eliminate technical debt**: Govern vulnerability queues with status lifecycle management and hygiene across shared context. - **Prioritize known threats**: Compare CVSS scores with exploitation risk and pivot from cataloged CVEs to runtime attack forensics with code-level stack traces. From 7d34d05b78fcd06ef50c31db873c1ff551b07bcd Mon Sep 17 00:00:00 2001 From: Diana O Date: Mon, 22 Jun 2026 10:03:48 +1000 Subject: [PATCH 2/2] Updated Links, Formatting and markups --- .../o11y-rookies-26/1-modules/8-secure-application/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md index 4238de6852..701e8b74b1 100644 --- a/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md +++ b/content/en/splunk4rookies/o11y-rookies-26/1-modules/8-secure-application/_index.md 
@@ -3,13 +3,13 @@ title: Application Security linkTitle: 8. Application Security weight: 8 archetype: chapter -time: 60 minutes +time: 45 minutes authors: ["Diana Omuoyo"] description: Detect and investigate runtime vulnerabilities before attackers find them first. draft: true hidden: true aliases: - - /o11y-rookies-26/6-secure-application/ + - /o11y-rookies-26/8-secure-application/ params: images: - images/secureapp.avif
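Review bot: in the 02-unified-visibility.md hunk at @@ -15,21, backtick inline code is swapped for straight single quotes ("Set the **environment** filter to 'astronomy-shop-*'." and "select **'ad'**") while the very next step still reads "Click the **`ad`** node", so the same service name renders two different ways in one list. The single quotes also stop the value rendering as code, and the trailing asterisk in 'astronomy-shop-*' is now exposed to the markdown renderer as a stray emphasis marker. Suggest keeping the backticks here and throughout.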
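Review bot: the rewritten callout in the 02-unified-visibility.md hunk at @@ -39,7 is missing a verb: "Blast-radius thinking where issues framed next to dependencies and traffic". Removing the dash turned it into a single clause, so it needs "where issues are framed"; suggest: "This view highlights blast-radius thinking, where issues are framed next to dependencies and traffic."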
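Review bot: em-dash handling is inconsistent across the patch. The 03-runtime-vulnerabilities.md hunk at @@ -6,7 (like the intro hunks in 04, 05, 06 and 07) replaces the em-dash with a spaced hyphen " - ", whereas the 01, 02, 06 @@ -56 and _index.md hunks delete it outright and 07 @@ -44 substitutes a comma. Pick one substitution (a comma or semicolon reads better than " - " in running prose) and apply it uniformly so the rendered pages look the same.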
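Review bot: step 3 in the 03-runtime-vulnerabilities.md hunk at @@ -17,8 now reads "click on a service with security insights data e.g **'ad'** service". "e.g" is missing its period, and the single quotes replace the backticks that rendered the service name as code. Suggest "e.g. the **`ad`** service" with the backticks retained, matching the rest of the workshop.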
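Review bot: the 03-runtime-vulnerabilities.md hunk at @@ -26,7 fixes the dangling "`ad`''" but leaves the rest of the line garbled: "Filter **environment** : `astronomy-shop-*` to and select **service** : e.g 'ad'" mixes backticks and single quotes on one line, "to and select" is a leftover fragment, and "e.g" still lacks its period. The unchanged context line just above also spells "Sevice-Map". Suggest: "Filter **environment** to `astronomy-shop-*` and select a **service**, e.g. `ad`".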
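Review bot: step 3 in the 04-prioritizing-vulnerability-risk.md hunk at @@ -17,8 has mismatched quoting: "**'ad`**" opens with a single quote and closes with a backtick, so the stray quote and backtick are rendered literally instead of styling the name. Use matching backticks: "**`ad`**".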
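Review bot: the answer text in the 04-prioritizing-vulnerability-risk.md hunk at @@ -50,7 fixes "andcorrelated" but still carries the redundant "additional risk profiling of risk based on the impacted service". Suggest tightening to "and correlated with Observability context to profile risk based on the impacted service and the business risk of any exploit against it."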
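Review bot: the same mismatched quoting appears in the 05-risk-investigation.md hunk at @@ -14,7: "**'ad`**" opens with a single quote and closes with a backtick. Use "**`ad`**".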
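Review bot: the 05-risk-investigation.md hunk at @@ -26,14 moves the full stop outside the closing quotation mark ("...context is in the same place".*), whereas every other quoted callout in this patch keeps it inside ("...behavior."*). Keep the original placement so the callouts are punctuated consistently.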
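Review bot: removing the em-dash in the 06-runtime-attack-investigation.md hunk at @@ -56,7 leaves a run-on: "which line of code was accessed during this exploit shorter loop from alert to remediation". A connector is needed, for example "accessed during this exploit, giving a shorter loop from alert to remediation".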
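Review bot: the rewritten paragraph in the 08-intergrated-defense.md hunk at @@ -6,7 keeps the pre-existing "only part the security journey", which is missing "of". Since the line is being touched anyway, change it to "only part of the security journey". Note also that the file name itself is spelled "intergrated"; if it is ever renamed, an alias for the old URL will be needed.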
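Review bot: in the 09-conclusion.md hunk at @@ -6,7 the question mark immediately followed by a comma ("...where should we look first?*, Observability answers") reads awkwardly. Suggest reordering so the question closes the sentence: "Observability answers the reliability question when teams ask *what's happening in production, and where should we look first?*"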
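Review bot: the alias change in the _index.md hunk at @@ -3,13 of PATCH 2/2 looks inverted. Aliases redirect old URLs to the page's current location; this file already lives at .../8-secure-application/_index.md, so "- /o11y-rookies-26/8-secure-application/" is the page's own path and redirects nowhere useful, while dropping "- /o11y-rookies-26/6-secure-application/" breaks any existing links to the previous location. Keep the old 6-secure-application alias (adding the new one is harmless but redundant). The same hunk also changes "time: 60 minutes" to "time: 45 minutes", which the commit message "Updated Links, Formatting and markups" does not mention; call the duration change out in the message.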