Have you silenced WAF alerts in your SIEM or just stopped sending them altogether? You're not alone. Many SOCs find themselves overwhelmed by the sheer volume of noise generated by traditional WAFs, forcing them to choose between alert fatigue or a critical visibility gap on the application layer.
Contrast Application Detection and Response (ADR), integrated with Splunk, illuminates this critical blind spot. By surfacing deep, real-time Application Security (AppSec) insights directly within Splunk, Contrast ADR gives SOC teams high-fidelity detection and in-line response that neutralizes sophisticated attacks in real time, often before an analyst needs to intervene. It also delivers application-layer visibility that can be correlated with other security data sources to accelerate triage, investigation, and response.
Before we dive into the specifics of Contrast ADR and Splunk, it's important to understand that these two solutions complement each other in a unique way. They address different, yet interconnected, aspects of the security challenge.
To better understand this synergy, consider the following analogy: imagine security operations as a control room monitoring a bank. It has cameras and alarms covering the perimeter and the vault, but a critical blind spot exists between the lobby and the vault. Contrast ADR is like placing cameras and a highly trained security guard in that blind spot. The cameras observe and report on suspicious activity while the guard intervenes and stops threats before they reach the vault. This is the power of integrating Contrast ADR with Splunk: the SOC gains eyes and ears – and a first line of defense – exactly where it’s needed most.
With deep visibility into application behavior and data flow, Contrast ADR offers context-aware detection of application threats, enabling real-time attack blocking while keeping both false positives and false negatives low. This ensures that genuine threats are identified and stopped, including previously unknown (zero-day) attacks.
Splunk is an industry-leading security information and event management (SIEM) platform that helps organizations gain insight from their data and combat security threats. Splunk Enterprise Security (ES) provides centralized log aggregation and analysis from diverse sources, advanced correlation and analytics, real-time threat detection and alerting, customizable dashboards and reporting, and integration with a wide range of security tools and data sources.
The Contrast ADR Splunk App is a purpose-built integration that brings the power of Contrast's deep AppSec analysis directly into any Splunk environment. This isn't just about viewing data in Splunk; it's about enriching existing security workflows with real-time application context.
To truly grasp the power of the Contrast ADR Splunk App, let's examine some real-world examples of how security events appear in Splunk.
Here's how a typical exploited SQL injection attack would be displayed in Splunk after being processed by the Contrast ADR app:
{
  "eventUuid": "bb5f93ee-4401-4548-b529-556fcfa52319",
  "organizationUuid": "203ae021-7e10-4356-ad6e-0c4b94d8511e",
  "productName": "ContrastADR",
  "server": {
    "name": "Petclinic-Contrast",
    "id": 27390
  },
  "application": {
    "id": "0d548a73-2b14-4fd6-86f1-7f68c5470dd2",
    "name": "Web-Application-Petclinic",
    "agentLanguage": "java"
  },
  "sourceIp": "172.18.0.1",
  "cloudResourceId": "arn:aws:ec2:*:*:instance/*",
  "cloudProvider": "AWS",
  "result": "EXPLOITED",
  "rule": "sql-injection",
  "severity": "HIGH",
  "detectedTime": "2025-02-04T15:31:21.486Z",
  "uiUrl": "<url_to_event_in_Contrast_UI>",
  "apiUri": "<url_to_event_in_Contrast_API>",
  "mitreTactics": [],
  "mitreCapec": [],
  "environment": "PRODUCTION",
  "attackPayload": {
    "attackerInput": {
      "name": "lastName",
      "type": "PARAMETER_VALUE",
      "documentType": "NORMAL",
      "documentPath": ""
    },
    "url": "/customers",
    "value": "' or 1=1; # "
  },
  "virtualPatchUuid": null,
  "denyListUuid": null
}
The richness of data provided by Contrast ADR extends beyond alerting on the incident. Each alert includes the complete stack trace captured at the moment of the attack. The stack trace, combined with the other context Contrast ADR provides (HTTP request, parameters, etc.), gives developers what they need to reproduce and fix the vulnerability. SOC analysts can share this information directly with Dev/AppSec teams, accelerating remediation and preventing future attacks. Here is an excerpt of the stack trace captured during the same SQL injection attack:
...
com.mysql.cj.jdbc.StatementImpl.executeQuery(StatementImpl.java:-1)
com.zaxxer.hikari.pool.ProxyStatement.executeQuery(ProxyStatement.java:110)
com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)
org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)
...
This example shows how a blocked Java Naming and Directory Interface (JNDI) injection attempt appears in Splunk:
{
  "eventUuid": "e9e7d7c9-da8a-47ba-877b-d094377cba68",
  "organizationUuid": "203ae021-7e10-4356-ad6e-0c4b94d8511e",
  "productName": "ContrastADR",
  "server": {
    "name": "Petclinic-Contrast",
    "id": 27390
  },
  "application": {
    "id": "62aea842-373d-4d89-bc34-95f88b833bfb",
    "name": "Email-Service-Contrast",
    "agentLanguage": "java"
  },
  "sourceIp": "172.18.0.5",
  "cloudResourceId": "arn:aws:ec2:*:*:instance/*",
  "cloudProvider": "AWS",
  "result": "BLOCKED",
  "rule": "jndi-injection",
  "severity": "HIGH",
  "detectedTime": "2025-02-04T22:46:57.861Z",
  "uiUrl": "<url_to_event_in_Contrast_UI>",
  "apiUri": "<url_to_event_in_Contrast_API>",
  "mitreTactics": [],
  "mitreCapec": [],
  "environment": "PRODUCTION",
  "attackPayload": {
    "attackerInput": {
      "name": "",
      "type": "UNKNOWN",
      "documentType": "NORMAL",
      "documentPath": ""
    },
    "url": "/registerEmail",
    "value": "ldap://log4shell-service:1389/jdk8"
  },
  "virtualPatchUuid": null,
  "denyListUuid": null
}
Stack trace excerpt:
...
javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:-1)
javax.naming.InitialContext.lookup(InitialContext.java:417)
org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)
org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)
...
These are just two examples of how the Contrast ADR Splunk App provides rich, actionable security data within your Splunk environment. By combining this deep application context with Splunk's powerful analytics and visualization capabilities, SOCs can gain unparalleled insight into their organization's AppSec posture.
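To show what a SOC can do with the two events above once they are in Splunk, here is an added triage example. It is not code from Contrast Security or from the Contrast ADR Splunk App: the two event dictionaries and stack-trace lists are constructed from the SQL injection and JNDI injection examples on this page, trimmed to the fields used. The field names follow the page's event JSON; the priority scheme (EXPLOITED in production escalates, BLOCKED is tracked but not paged), the required-field list, and the application package prefix used to find the developer-facing frame are assumptions of this example.

```python
"""Triage of Contrast ADR events as they appear in Splunk (added example)."""
from typing import Optional

# Fields an event must carry before it is routed; assumed for this example.
REQUIRED_FIELDS = ("eventUuid", "result", "rule", "severity", "sourceIp",
                   "application", "attackPayload")

# Package prefixes that mark the monitored application's own code in a stack
# trace. Assumption: taken from the Petclinic frame shown on the page.
APP_PACKAGE_PREFIXES = ("org.springframework.samples.petclinic.",)

# Constructed from the page's SQL injection event and trace excerpt.
SQLI_EVENT = {
    "eventUuid": "bb5f93ee-4401-4548-b529-556fcfa52319",
    "application": {"name": "Web-Application-Petclinic", "agentLanguage": "java"},
    "sourceIp": "172.18.0.1",
    "result": "EXPLOITED",
    "rule": "sql-injection",
    "severity": "HIGH",
    "environment": "PRODUCTION",
    "attackPayload": {
        "attackerInput": {"name": "lastName", "type": "PARAMETER_VALUE"},
        "url": "/customers",
    },
}
SQLI_TRACE = [
    "com.mysql.cj.jdbc.StatementImpl.executeQuery(StatementImpl.java:-1)",
    "com.zaxxer.hikari.pool.ProxyStatement.executeQuery(ProxyStatement.java:110)",
    "com.zaxxer.hikari.pool.HikariProxyStatement.executeQuery(HikariProxyStatement.java:-1)",
    "org.springframework.samples.petclinic.customer.CustomerRepository.findByLastName(CustomerRepository.java:31)",
]

# Constructed from the page's blocked JNDI injection event and trace excerpt.
JNDI_EVENT = {
    "eventUuid": "e9e7d7c9-da8a-47ba-877b-d094377cba68",
    "application": {"name": "Email-Service-Contrast", "agentLanguage": "java"},
    "sourceIp": "172.18.0.5",
    "result": "BLOCKED",
    "rule": "jndi-injection",
    "severity": "HIGH",
    "environment": "PRODUCTION",
    "attackPayload": {
        "attackerInput": {"name": "", "type": "UNKNOWN"},
        "url": "/registerEmail",
    },
}
JNDI_TRACE = [
    "javax.naming.InitialContext.getURLOrDefaultInitCtx(InitialContext.java:-1)",
    "javax.naming.InitialContext.lookup(InitialContext.java:417)",
    "org.apache.logging.log4j.core.net.JndiManager.lookup(JndiManager.java:172)",
    "org.apache.logging.log4j.core.lookup.JndiLookup.lookup(JndiLookup.java:56)",
]


def validate(event: dict) -> list:
    """Return the names of required fields that are missing or empty."""
    return [f for f in REQUIRED_FIELDS if not event.get(f)]


def priority(event: dict) -> str:
    """Map result/severity/environment to a queue priority (example scheme).

    EXPLOITED means the payload reached the sink, so a HIGH/CRITICAL event in
    production escalates. BLOCKED means the agent stopped it in-line; the
    source is still worth tracking but nobody needs to be paged.
    """
    result, severity = event.get("result", ""), event.get("severity", "")
    production = event.get("environment") == "PRODUCTION"
    if result == "EXPLOITED":
        return "P1" if severity in ("CRITICAL", "HIGH") and production else "P2"
    if result == "BLOCKED":
        return "P3"
    return "P4"  # any other result value: review manually


def describe_input(payload: dict) -> str:
    """Where the attacker-controlled input arrived; handles the JNDI case on
    the page where attackerInput.name is empty and type is UNKNOWN."""
    inp = payload.get("attackerInput") or {}
    name, kind = inp.get("name") or "", inp.get("type") or "UNKNOWN"
    where = f"{kind} '{name}'" if name else f"unnamed input (type {kind})"
    return f"{where} on {payload.get('url', '?')}"


def first_app_frame(trace: list) -> Optional[str]:
    """First frame inside the application's own packages, or None when the
    excerpt contains only library frames (as in the JNDI trace)."""
    for frame in trace:
        if frame.startswith(APP_PACKAGE_PREFIXES):
            return frame
    return None


def triage(event: dict, trace: list) -> dict:
    """Build the record an analyst would hand to the Dev/AppSec team."""
    missing = validate(event)
    if missing:
        raise ValueError(f"event {event.get('eventUuid')} missing {missing}")
    return {
        "eventUuid": event["eventUuid"],
        "priority": priority(event),
        "application": event["application"].get("name"),
        "rule": event["rule"],
        "result": event["result"],
        "sourceIp": event["sourceIp"],
        "input": describe_input(event["attackPayload"]),
        "appFrame": first_app_frame(trace),
    }


if __name__ == "__main__":
    for ev, tr in ((SQLI_EVENT, SQLI_TRACE), (JNDI_EVENT, JNDI_TRACE)):
        for key, val in triage(ev, tr).items():
            print(f"{key}: {val}")
        print()
```

Run stand-alone, the script prints one record per event: the SQL injection lands at P1 with `CustomerRepository.java:31` as the frame to hand to developers, while the blocked JNDI event lands at P3 with no application frame, which tells the analyst the excerpt stops inside Log4j and the source IP, not a code fix, is the follow-up item.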
Stop flying blind and empower your SOC team. Contrast ADR integrated with Splunk provides the visibility and control needed to defend against sophisticated attacks, all within the familiar Splunk environment.
Download the Contrast ADR Splunk App from Splunkbase and start enriching your security workflows today.