text code block:`cisco_ai_defense` | rename genai_application.application_name as application_name | rename connection.connection_name as connection_name ```Aggregating data by model name, connection name, application name, application ID, and user ID``` | stats count values(user_id) as user_id values(event_message_type) as event_message_type values(event_action) as event_action values(policy.policy_name) as policy_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type by model.model_name connection_name application_name application_id ```Evaluating severity based on policy name and guardrail ruleset type``` | eval severity=case( policy_name IN ("AI Runtime Latency Testing - Prompt Injection"), "critical", policy_name IN ("AI Runtime Latency Testing - Code Detection"), "high", guardrail_ruleset_type IN ("Toxicity"), "medium", true(), "low" ) ```Calculating risk score based on severity level``` | eval risk_score=case( severity="critical", 100, severity="high", 75, severity="medium", 50, severity="low", 25 ) | table model.model_name, user_id, event_action, application_id, application_name, severity, risk_score, policy_name, connection_name, guardrail_ruleset_type, guardrail_entity_name | `cisco_ai_defense_security_alerts_by_application_name_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).