Deployable detection rules
2,088 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections

Azure AD User Consent Blocked for Risky Application
The following analytic detects instances where Azure AD has blocked a user's attempt to grant consent to a risky or potentially malicious application. This detection leverages Azure AD audit logs, focusing on user consent actions and system-driven blocks. Monitoring these blocked consent attempts is crucial as it highlights potential threats early on, indicating that a user might be targeted or that malicious applications are attempting to infiltrate the organization. If confirmed malicious, this activity suggests that Azure's security measures successfully prevented a harmful application from accessing organizational data, warranting immediate investigation to understand the context and take preventive measures.
`azure_monitor_aad` operationName="Consent to application" properties.result=failure
| rename properties.* as *
| eval reason_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Reason"), -1)
| eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1)
| search reason_index >= 0
| eval reason = mvindex('targetResources{}.modifiedProperties{}.newValue', reason_index)
| eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue', permissions_index)
| search reason = "\"Risky application detected\""
| rex field=permissions "Scope: (?<Scope>[^,]+)"
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product reason Scope signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_consent_blocked_for_risky_application_filter`

Azure AD User Consent Denied for OAuth Application
The following analytic identifies instances where a user has denied consent to an OAuth application seeking permissions within the Azure AD environment. This detection leverages Azure AD's audit logs, specifically focusing on user consent actions with error code 65004. Monitoring denied consent actions is significant as it can indicate users recognizing potentially suspicious or untrusted applications. If confirmed malicious, this activity could suggest attempts by unauthorized applications to gain access, potentially leading to data breaches or unauthorized actions within the environment. Understanding these denials helps refine security policies and enhance user awareness.
`azure_monitor_aad` operationName="Sign-in activity" properties.status.errorCode=65004
| rename properties.* as *
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product appDisplayName
status.failureReason signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_consent_denied_for_oauth_application_filter`

Azure AD User Enabled And Password Reset
The following analytic detects an Azure AD user enabling a previously disabled account and resetting its password within 2 minutes. It uses Azure Active Directory events to identify this sequence of actions. This activity is significant because it may indicate an adversary with administrative access attempting to establish a backdoor identity within the Azure AD tenant. If confirmed malicious, this could allow the attacker to maintain persistent access, escalate privileges, and potentially exfiltrate sensitive information from the environment.
`azure_monitor_aad` (operationName="Enable account" OR operationName="Reset password (by admin)" OR operationName="Update user")
| transaction user startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product initiatedBy
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_enabled_and_password_reset_filter`

Azure AD User ImmutableId Attribute Updated
The following analytic identifies the modification of the SourceAnchor (ImmutableId) attribute for an Azure Active Directory user. This detection leverages Azure AD audit logs, specifically monitoring the "Update user" operation and changes to the SourceAnchor attribute. This activity is significant as it is a step in setting up an Azure AD identity federation backdoor, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, leading to unauthorized access and potential data breaches.
`azure_monitor_aad` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product initiatedBy
signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_user_immutableid_attribute_updated_filter`

Azure Active Directory High Risk Sign-in
The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment.
`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product category
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_active_directory_high_risk_sign_in_filter`

Azure Automation Account Created
The following analytic detects the creation of a new Azure Automation account within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when an account is created or updated. This activity is significant because Azure Automation accounts can be used to automate tasks and orchestrate actions across Azure and on-premises environments. If an attacker creates an Automation account with elevated privileges, they could maintain persistence, execute malicious runbooks, and potentially escalate privileges or execute code on virtual machines, posing a significant security risk.
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as signature
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_account_created_filter`

Azure Automation Runbook Created
The following analytic detects the creation of a new Azure Automation Runbook within an Azure tenant. It leverages Azure Audit events, specifically the Azure Activity log category, to identify when a new Runbook is created or updated. This activity is significant because adversaries with privileged access can use Runbooks to maintain persistence, escalate privileges, or execute malicious code. If confirmed malicious, this could lead to unauthorized actions such as creating Global Administrators, executing code on VMs, and compromising the entire Azure environment.
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/runbooks/write" object!=AzureAutomationTutorial* status.value=Succeeded
| dedup object
| rename claims.ipaddr as src, subscriptionId as vendor_account, operationName.value as operationName
| stats count min(_time) as firstTime max(_time) as lastTime
BY dest user src
vendor_account vendor_product object
object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_automation_runbook_created_filter`

Azure Runbook Webhook Created
The following analytic detects the creation of a new Automation Runbook Webhook within an Azure tenant. It leverages Azure Audit events, specifically the "Create or Update an Azure Automation webhook" operation, to identify this activity. This behavior is significant because Webhooks can trigger Automation Runbooks via unauthenticated URLs exposed to the Internet, posing a security risk. If confirmed malicious, an attacker could use this to execute code, create users, or maintain persistence within the environment, potentially leading to unauthorized access and control over Azure resources.
`azure_audit` operationName.value="Microsoft.Automation/automationAccounts/webhooks/write" status.value=Succeeded
| dedup object
| rename claims.ipaddr as src_ip
| rename caller as user
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest
BY object user, src_ip,
resourceGroupName, object_path
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_runbook_webhook_created_filter`

BCDEdit Failure Recovery Modification
The following analytic detects modifications to the Windows error recovery boot configurations using bcdedit.exe with flags such as "recoveryenabled" and "no". It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, parent processes, and command-line executions. This activity is significant because ransomware often disables recovery options to prevent system restoration, making it crucial for SOC analysts to investigate. If confirmed malicious, this could hinder recovery efforts, allowing ransomware to cause extensive damage and complicate remediation.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = bcdedit.exe Processes.process="*recoveryenabled*" (Processes.process="* no*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bcdedit_failure_recovery_modification_filter`

BITS Job Persistence
The following analytic detects the use of `bitsadmin.exe` to schedule a BITS job for persistence on an endpoint. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line parameters such as `create`, `addfile`, and `resume`. This activity is significant because BITS jobs can be used by attackers to maintain persistence, download malicious payloads, or exfiltrate data. If confirmed malicious, this could allow an attacker to persist in the environment, execute arbitrary code, or transfer sensitive information, necessitating further investigation and potential remediation.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_bitsadmin` Processes.process IN (*create*, *addfile*, *setnotifyflags*, *setnotifycmdline*, *setminretrydelay*, *setcustomheaders*, *resume* )
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bits_job_persistence_filter`

BITSAdmin Download File
The following analytic detects the use of `bitsadmin.exe` with the `transfer` parameter to download a remote object. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because `bitsadmin.exe` can be exploited to download and execute malicious files without immediate detection. If confirmed malicious, an attacker could use this technique to download and execute payloads, potentially leading to code execution, privilege escalation, or persistent access within the environment. Review parallel and child processes, especially `svchost.exe`, for associated artifacts.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_bitsadmin` Processes.process IN ("*transfer*", "*addfile*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bitsadmin_download_file_filter`

Batch File Write to System32
The following analytic detects the creation of a batch file (.bat) within the Windows system directory tree, specifically in the System32 or SysWOW64 folders. It leverages data from the Endpoint datamodel, focusing on process and filesystem events to identify this behavior. This activity is significant because writing batch files to system directories can be indicative of malicious intent, such as persistence mechanisms or system manipulation. If confirmed malicious, this could allow an attacker to execute arbitrary commands with elevated privileges, potentially compromising the entire system.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
WHERE Filesystem.file_path IN ("*\\system32\\*","*\\syswow64\\*") Filesystem.file_name="*.bat"
BY Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time
Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path
Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id
Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `batch_file_write_to_system32_filter`

Bcdedit Command Back To Normal Mode Boot
The following analytic detects the execution of a suspicious `bcdedit` command that reconfigures a host from safe mode back to normal boot. This detection leverages Endpoint Detection and Response (EDR) data, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant as it may indicate the presence of ransomware, such as BlackMatter, which manipulates boot configurations to facilitate encryption processes. If confirmed malicious, this behavior could allow attackers to maintain control over the boot process, potentially leading to further system compromise and data encryption.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = bcdedit.exe Processes.process="*/deletevalue*" Processes.process="*{current}*" Processes.process="*safeboot*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `bcdedit_command_back_to_normal_mode_boot_filter`

CHCP Command Execution
The following analytic detects the execution of the chcp.com utility, which is used to change the active code page of the console. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process creation events. This activity is significant because it can indicate the presence of malware, such as IcedID, which uses this technique to determine the locale region, language, or country of the compromised host. If confirmed malicious, this could lead to further system compromise and data exfiltration.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name=chcp.com
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `chcp_command_execution_filter`

CMD Carry Out String Command Parameter
The following analytic detects the use of `cmd.exe /c` to execute commands, a technique often employed by adversaries and malware to run batch commands or invoke other shells like PowerShell. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions and process metadata. Monitoring this activity is crucial as it can indicate script-based attacks or unauthorized command execution. If confirmed malicious, this behavior could lead to unauthorized code execution, privilege escalation, or persistence within the environment.
| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
AND
Processes.process IN ("*/c*", "*/k*")
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_carry_out_string_command_parameter_filter`

CMD Echo Pipe - Escalation
The following analytic identifies the use of named-pipe impersonation for privilege escalation, commonly associated with Cobalt Strike and similar frameworks. It detects command-line executions where `cmd.exe` uses `echo` to write to a named pipe, such as `cmd.exe /c echo 4sgryt3436 > \\.\Pipe\5erg53`. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant as it indicates potential privilege escalation attempts. If confirmed malicious, attackers could gain elevated privileges, enabling further compromise and persistence within the environment.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_cmd`
OR
Processes.process=*%comspec%* (Processes.process=*echo*
AND
Processes.process=*pipe*)
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmd_echo_pipe___escalation_filter`

CMLUA Or CMSTPLUA UAC Bypass
The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.
`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*"))
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
BY Image ImageLoaded dest loaded_file loaded_file_path original_file_name
process_exec process_guid process_hash process_id process_name process_path
service_dll_signature_exists service_dll_signature_verified signature signature_id
user_id vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmlua_or_cmstplua_uac_bypass_filter`

CSC Net On The Fly Compilation
The following analytic detects the use of the .NET compiler csc.exe for on-the-fly compilation of potentially malicious .NET code. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on specific command-line patterns associated with csc.exe. This activity is significant because adversaries and malware often use this technique to evade detection by compiling malicious code at runtime. If confirmed malicious, this could allow attackers to execute arbitrary code, potentially leading to system compromise, data exfiltration, or further lateral movement within the network.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE (
Processes.process_name=csc.exe
OR
Processes.original_file_name=csc.exe
)
Processes.process = "*/noconfig*" Processes.process = "*/fullpaths*" Processes.process = "*@*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `csc_net_on_the_fly_compilation_filter`

CertUtil With Decode Argument
The following analytic detects the use of CertUtil.exe with the 'decode' argument, which may indicate an attempt to decode a previously encoded file, potentially containing malicious payloads. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving CertUtil.exe. This activity is significant because attackers often use CertUtil to decode malicious files downloaded from the internet, which are then executed to compromise the system. If confirmed malicious, this activity could lead to unauthorized code execution, further system compromise, and potential data exfiltration.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE `process_certutil` Processes.process=*decode*
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_with_decode_argument_filter`

Certutil exe certificate extraction
The following analytic identifies the use of certutil.exe with arguments indicating the manipulation or extraction of certificates. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. This activity is significant because extracting certificates can allow attackers to sign new authentication tokens, particularly in federated environments like Windows ADFS. If confirmed malicious, this could enable attackers to forge authentication tokens, potentially leading to unauthorized access and privilege escalation within the network.
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Endpoint.Processes
WHERE
(
Processes.process_name=certutil.exe
OR
Processes.original_file_name=certutil.exe
)
Processes.process = "*-exportPFX*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec
Processes.parent_process_guid Processes.parent_process_id
Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `certutil_exe_certificate_extraction_filter`

Change To Safe Mode With Network Config
The following analytic detects the execution of a suspicious `bcdedit` command that configures a host to boot in safe mode with network support. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving `bcdedit.exe` with specific parameters. This activity is significant because it is a known technique used by BlackMatter ransomware to force a compromised host into safe mode for continued encryption. If confirmed malicious, this could allow attackers to bypass certain security controls, persist in the environment, and continue their malicious activities.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = bcdedit.exe Processes.process="*/set*" Processes.process="*{current}*" Processes.process="*safeboot*" Processes.process="*network*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `change_to_safe_mode_with_network_config_filter`

Check Elevated CMD using whoami
The following analytic identifies the execution of the "whoami" command with the "/group" flag, where the results are passed to the "find" command to look for the string "12288". This string represents the SID of the group "Mandatory Label\High Mandatory Level", effectively checking whether the current process is running as a "High" integrity process or with Administrator privileges. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and command-line telemetry. This activity is significant because it is commonly used by attackers, such as FIN7, to perform reconnaissance on a compromised host. If confirmed malicious, this behavior could indicate an attacker is assessing their privilege level, potentially leading to further privilege escalation or persistence within the environment.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process = "*whoami*" Processes.process = "*/group*" Processes.process = "* find *" Processes.process = "*12288*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `check_elevated_cmd_using_whoami_filter`

Child Processes of Spoolsv exe
The following analytic identifies child processes spawned by spoolsv.exe, the Print Spooler service in Windows, which typically runs with SYSTEM privileges. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process and parent process relationships. Monitoring this activity is crucial as it can indicate exploitation attempts, such as those associated with CVE-2018-8440, which can lead to privilege escalation. If confirmed malicious, attackers could gain SYSTEM-level access, allowing them to execute arbitrary code, escalate privileges, and potentially compromise the entire system.
| tstats `security_content_summariesonly` count values(Processes.process_name) as process_name values(Processes.process) as process min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.parent_process_name=spoolsv.exe
AND
Processes.process_name!=regsvr32.exe
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `child_processes_of_spoolsv_exe_filter`
Circle CI Disable Security Job
The following analytic detects the disabling of security jobs in CircleCI pipelines. It leverages CircleCI log data, renaming and extracting fields such as job names, workflow IDs, user information, commit messages, URLs, and branches. The detection identifies mandatory jobs for each workflow and checks if they were executed. This activity is significant because disabling security jobs can allow malicious code to bypass security checks, leading to potential data breaches, system downtime, and reputational damage. If confirmed malicious, this could result in unauthorized code execution and compromised pipeline integrity.
Show query
`circleci`
| rename vcs.committer_name as user vcs.subject as commit_message vcs.url as url workflows.* as *
| stats values(job_name) as job_names min(_time) as firstTime max(_time) as lastTime
BY workflow_id workflow_name user
commit_message url branch
| lookup mandatory_job_for_workflow workflow_name OUTPUTNEW job_name AS mandatory_job
| search mandatory_job=*
| eval mandatory_job_executed=if(like(job_names, "%".mandatory_job."%"), 1, 0)
| where mandatory_job_executed=0
| eval phase="build"
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_job_filter`
Circle CI Disable Security Step
The following analytic detects the disablement of security steps in a CircleCI pipeline. It leverages CircleCI logs, using field renaming, joining, and statistical analysis to identify instances where mandatory security steps are not executed. This activity is significant because disabling security steps can introduce vulnerabilities, unauthorized changes, or malicious code into the pipeline. If confirmed malicious, this could lead to potential attacks, data breaches, or compromised infrastructure. Investigate by reviewing job names, commit details, and user information associated with the disablement, and examine any relevant artifacts and concurrent processes.
Show query
`circleci`
| rename workflows.job_id AS job_id
| join job_id [
| search `circleci`
| stats values(name) as step_names count
BY job_id job_name ]
| stats count min(_time) as firstTime max(_time) as lastTime
BY step_names job_id job_name
vcs.committer_name vcs.subject vcs.url
owners{}
| rename vcs.* as * , owners{} as user
| lookup mandatory_step_for_job job_name OUTPUTNEW step_name AS mandatory_step
| search mandatory_step=*
| eval mandatory_step_executed=if(like(step_names, "%".mandatory_step."%"), 1, 0)
| where mandatory_step_executed=0
| rex field=url "(?<repository>[^\/]*\/[^\/]*)$"
| eval phase="build"
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `circle_ci_disable_security_step_filter`
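The job and step checks above both reduce to one operation: collect the names observed for a unit (a workflow or a job), look up the names that unit must contain, and report whatever is absent. The following Python is an added example, not part of this page or of the Splunk ESCU content. It performs that check over constructed CircleCI-shaped events (the field names follow what the two queries rename; the events, the commit details and the two lookup tables are made up for the example) and uses exact set membership rather than the `like(names, "%required%")` substring test the queries use, so a job named `eslint` does not satisfy a required job named `lint`.

```python
import re
from collections import defaultdict

# Constructed sample events shaped after the fields the queries above rename
# (workflows.*, vcs.*, name). They are not real CircleCI output.
VCS_ALICE = {"committer_name": "alice", "subject": "add feature",
             "url": "https://github.com/example/app", "branch": "main"}
VCS_BOB = {"committer_name": "bob", "subject": "hotfix: skip slow checks",
           "url": "https://github.com/example/app", "branch": "hotfix"}


def job_event(wid, wname, job, vcs):
    return {"workflows": {"workflow_id": wid, "workflow_name": wname, "job_name": job}, "vcs": vcs}


def step_event(job_id, job_name, step, vcs):
    return {"workflows": {"job_id": job_id, "job_name": job_name}, "name": step, "vcs": vcs}


JOB_EVENTS = [
    job_event("wf-1", "build-deploy", "build", VCS_ALICE),
    job_event("wf-1", "build-deploy", "security-scan", VCS_ALICE),
    job_event("wf-1", "build-deploy", "lint", VCS_ALICE),
    job_event("wf-2", "build-deploy", "build", VCS_BOB),
    job_event("wf-2", "build-deploy", "eslint", VCS_BOB),   # 'eslint' is not 'lint'
]
STEP_EVENTS = [
    step_event("j-1", "deploy", "Checkout code", VCS_ALICE),
    step_event("j-1", "deploy", "dependency audit", VCS_ALICE),
    step_event("j-1", "deploy", "Deploy to staging", VCS_ALICE),
    step_event("j-2", "deploy", "Checkout code", VCS_BOB),
    step_event("j-2", "deploy", "Deploy to staging", VCS_BOB),
]

# Stand-ins for the mandatory_job_for_workflow / mandatory_step_for_job lookups (assumed content).
MANDATORY_JOB_FOR_WORKFLOW = {"build-deploy": ["security-scan", "lint"]}
MANDATORY_STEP_FOR_JOB = {"deploy": ["dependency audit"]}


def repo_from_url(url):
    """Same extraction as the queries' rex on the url field: the last two path segments."""
    return re.search(r"([^/]*/[^/]*)$", url).group(1)


def group_names(events, id_keys, name_of):
    """Observed names per unit. id_keys are the workflows.* fields identifying the unit;
    name_of reads the observed job or step name from an event."""
    groups = defaultdict(lambda: {"names": set(), "vcs": None})
    for e in events:
        wf = e["workflows"]
        g = groups[(wf[id_keys[0]], wf[id_keys[1]])]
        g["names"].add(name_of(e))
        g["vcs"] = e["vcs"]
    return groups


def missing_required(groups, lookup):
    """One finding per unit that lacks a required name. Exact set difference, not a substring test."""
    findings = []
    for (uid, uname), g in sorted(groups.items()):
        missing = sorted(set(lookup.get(uname, ())) - g["names"])
        if missing:
            findings.append({"unit_id": uid, "unit_name": uname, "user": g["vcs"]["committer_name"],
                             "commit_message": g["vcs"]["subject"],
                             "repository": repo_from_url(g["vcs"]["url"]),
                             "observed": sorted(g["names"]), "missing": missing, "phase": "build"})
    return findings


def check_jobs(events=JOB_EVENTS, lookup=MANDATORY_JOB_FOR_WORKFLOW):
    groups = group_names(events, ("workflow_id", "workflow_name"), lambda e: e["workflows"]["job_name"])
    return missing_required(groups, lookup)


def check_steps(events=STEP_EVENTS, lookup=MANDATORY_STEP_FOR_JOB):
    groups = group_names(events, ("job_id", "job_name"), lambda e: e["name"])
    return missing_required(groups, lookup)


if __name__ == "__main__":
    for finding in check_jobs() + check_steps():
        print(finding)
```

Workflow `wf-2` is reported for both missing jobs, and job `j-2` for its missing audit step; `wf-1` and `j-1` are clean. The same exact-match behaviour can be had in SPL by splitting the values and testing membership rather than concatenating them into one string for `like()`.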
Cisco AI Defense Security Alerts by Application Name
The search surfaces alerts from the Cisco AI Defense product for potential attacks against the AI models running in your environment. This analytic identifies security events within Cisco AI Defense by examining event messages, actions, and policy names. It focuses on connections and applications associated with specific guardrail entities and ruleset types. By aggregating and analyzing these elements, the search helps detect potential policy violations and security threats, enabling proactive defense measures and ensuring network integrity.
Show query
`cisco_ai_defense`
| rename genai_application.application_name as application_name
| rename connection.connection_name as connection_name
```Aggregating data by model name, connection name, application name, application ID, and user ID```
| stats count
values(user_id) as user_id
values(event_message_type) as event_message_type
values(event_action) as event_action
values(policy.policy_name) as policy_name
values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_entity.guardrail_entity_name) as guardrail_entity_name
values(event_policy_guardrail_assocs{}.policy_guardrail_assoc.guardrail_avail_ruleset.guardrail_ruleset_type) as guardrail_ruleset_type
by model.model_name connection_name application_name application_id
```Evaluating severity based on policy name and guardrail ruleset type```
| eval severity=case(
policy_name IN ("AI Runtime Latency Testing - Prompt Injection"), "critical",
policy_name IN ("AI Runtime Latency Testing - Code Detection"), "high",
guardrail_ruleset_type IN ("Toxicity"), "medium",
true(), "low"
)
```Calculating risk score based on severity level```
| eval risk_score=case(
severity="critical", 100,
severity="high", 75,
severity="medium", 50,
severity="low", 25
)
| table model.model_name, user_id, event_action, application_id, application_name, severity, risk_score, policy_name, connection_name, guardrail_ruleset_type, guardrail_entity_name
| `cisco_ai_defense_security_alerts_by_application_name_filter`
Cisco ASA - AAA Policy Tampering
This analytic detects modifications to authentication and authorization (AAA) security policies on Cisco ASA devices via CLI or ASDM.
AAA policies control critical security mechanisms including authentication attempts, lockout thresholds, password policies, and access control settings that protect administrative access to network infrastructure.
Adversaries or malicious insiders may weaken authentication policies to facilitate brute force attacks, disable account lockouts to enable unlimited password attempts, reduce password complexity requirements, or modify authorization settings to elevate privileges and maintain persistent access.
The detection monitors for command execution events containing AAA-related commands such as `aaa authentication`, `aaa authorization`, or `aaa local authentication`, focusing on changes to authentication attempts, lockout policies, and access control configurations.
Investigate any unauthorized modifications to AAA policies, especially changes that weaken security posture (increasing max-fail attempts, disabling lockouts, reducing password requirements), and verify these changes against approved change management processes and security policies.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command IN (
"aaa authentication*",
"aaa authorization*",
"aaa local authentication*",
"aaa-server*",
"no aaa*"
)
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___aaa_policy_tampering_filter`
Cisco ASA - Core Syslog Message Volume Drop
Adversaries may intentionally suppress or reduce the volume of core Cisco ASA syslog messages to evade detection or cover their tracks. This hunting search is recommended to proactively identify suspicious downward shifts or absences in key syslog message IDs, which may indicate tampering or malicious activity. Visualizing this data in Splunk dashboards enables security teams to quickly spot anomalies and investigate potential compromise.
Show query
`cisco_asa`
message_id IN (302013, 302014, 609002, 710005)
| eval msg_desc=case(
message_id="302013","Built inbound TCP connection",
message_id="302014","Teardown TCP connection",
message_id="609002","Teardown local-host management",
message_id="710005","TCP request discarded"
)
| bin _time span=15m
| stats count values(msg_desc) as message_description
values(dest) as dest
by _time message_id
| xyseries _time message_id count
| `cisco_asa___core_syslog_message_volume_drop_filter`
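The query above only lays out per-bin counts for visual inspection. As an added example, not part of this page or of the Splunk content, the following Python bins constructed (timestamp, message_id) events into the same 15-minute windows and flags any bin whose count falls below a quarter of the median of the preceding four bins; the ratio and the baseline length are assumptions to tune per device. It also emits explicit zeros for empty bins, which matters because `stats ... | xyseries` produces no row for a bin with no events, so a complete silence shows up as a missing row rather than a zero.

```python
from datetime import datetime, timedelta
from statistics import median

# Core message IDs and the descriptions used by the query above.
CORE_MESSAGES = {
    302013: "Built inbound TCP connection",
    302014: "Teardown TCP connection",
    609002: "Teardown local-host",
    710005: "TCP request discarded",
}
SPAN = timedelta(minutes=15)


def floor_to(ts, span=SPAN):
    """Start of the fixed window containing ts (equivalent of `bin _time span=15m`)."""
    return datetime.min + ((ts - datetime.min) // span) * span


def constructed_events():
    """Constructed sample, not real device output: a steady two-hour baseline of
    (timestamp, message_id) pairs; in the last bin 302013 collapses from 40 to 3
    and 710005 stops entirely."""
    start = datetime(2025, 11, 5, 8, 0)
    per_bin = {302013: 40, 302014: 38, 609002: 12, 710005: 5}
    events = []
    for b in range(8):
        bin_start = start + b * SPAN
        for msg_id, n in per_bin.items():
            if b == 7:
                n = {302013: 3, 710005: 0}.get(msg_id, n)
            events.extend((bin_start + timedelta(seconds=20 * i), msg_id) for i in range(n))
    return events


def bin_counts(events, span=SPAN, until=None):
    """Count each core message ID per bin, with explicit zeros for empty bins.
    Pass `until` (normally the current time) so that trailing bins with no events
    at all still appear as zeros instead of being absent."""
    first = floor_to(min(ts for ts, _ in events), span)
    last = floor_to(until or max(ts for ts, _ in events), span)
    bins = [first + k * span for k in range((last - first) // span + 1)]
    counts = {mid: {b: 0 for b in bins} for mid in CORE_MESSAGES}
    for ts, mid in events:
        if mid in counts and first <= ts < last + span:
            counts[mid][floor_to(ts, span)] += 1
    return counts


def find_drops(counts, baseline_bins=4, ratio=0.25):
    """Flag a bin whose count is below `ratio` times the median of the preceding `baseline_bins` bins."""
    drops = []
    for mid, series in counts.items():
        bins = sorted(series)
        for i in range(baseline_bins, len(bins)):
            base = median(series[b] for b in bins[i - baseline_bins:i])
            if base > 0 and series[bins[i]] < base * ratio:
                drops.append({"message_id": mid, "description": CORE_MESSAGES[mid],
                              "bin": bins[i].isoformat(), "count": series[bins[i]],
                              "baseline_median": base})
    return drops


if __name__ == "__main__":
    for d in find_drops(bin_counts(constructed_events())):
        print(d)
```

A median baseline is deliberately insensitive to one noisy bin; lengthen `baseline_bins` on devices with bursty traffic, and run the check per device rather than across the fleet so one quiet firewall is not masked by the others.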
Cisco ASA - Device File Copy Activity
This analytic detects file copy activity on Cisco ASA devices via CLI or ASDM.
Adversaries may copy device files including configurations, logs, packet captures, or system files for reconnaissance, credential extraction, or data exfiltration. While legitimate file operations occur during backups and maintenance, unauthorized copies may indicate malicious activity.
The detection monitors for command execution events (message ID 111008 or 111010) containing copy commands targeting running-config, startup-config, packet capture files, or other system files from disk0:, flash:, system:, or capture: locations.
Investigate unexpected file copies, especially from non-administrative accounts, during unusual hours, or when combined with other suspicious activities.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command = "copy *"
command IN (
"*running-config*",
"*startup-config*",
"*/pcap capture:*",
"* disk0:*",
"* flash:*",
"* system:*"
)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___device_file_copy_activity_filter`
Cisco ASA - Device File Copy to Remote Location
This analytic detects file copy operations to remote locations on Cisco ASA devices via CLI or ASDM.
Adversaries may exfiltrate device files including configurations, logs, packet captures, or system data to remote servers using protocols like TFTP, FTP, HTTP, HTTPS, SMB, or SCP. While legitimate backups to centralized servers are common, copies to unexpected destinations may indicate data exfiltration to attacker-controlled infrastructure.
The detection monitors for command execution events (message ID 111008 or 111010) containing copy commands with remote protocol indicators (tftp:, ftp:, http:, https:, smb:, scp:).
Investigate copies to unexpected destinations, from non-administrative accounts, or outside approved maintenance windows.
We recommend adapting the detection filters to exclude known legitimate backup activities.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command = "copy *"
command IN (
"*running-config*",
"*startup-config*",
"*/pcap capture:*",
"* disk0:*",
"* flash:*",
"* system:*"
)
command IN (
"*ftp:*",
"*http:*",
"*https:*",
"*smb:*",
"*scp:*"
)
| eval remote_protocol = mvappend(
if(match(command, "tftp:"), "TFTP", null()),
if(match(command, "(?<!t)ftp:"), "FTP", null()),
if(match(command, "http:"), "HTTP", null()),
if(match(command, "https:"), "HTTPS", null()),
if(match(command, "smb:"), "SMB", null()),
if(match(command, "scp:"), "SCP", null())
)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(remote_protocol) as remote_protocol
values(src_ip) as src_ip
values(dest) as dest
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___device_file_copy_to_remote_location_filter`
Cisco ASA - Logging Disabled via CLI
This analytic detects the disabling of logging functionality on a Cisco ASA device
through CLI commands. Adversaries or malicious insiders may attempt to disable logging
to evade detection and hide malicious activity. The detection looks for specific ASA
syslog message IDs (111010, 111008) associated with command execution,
combined with suspicious commands such as `no logging`, `logging disable`,
`clear logging`, or `no logging host`. Disabling logging on a firewall or security device
is a strong indicator of defense evasion.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command IN (
"*no logging*",
"*logging disable*",
"*clear logging*",
"*no logging host*",
"*no logging trap*"
)
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___logging_disabled_via_cli_filter`
Cisco ASA - Logging Filters Configuration Tampering
This analytic detects tampering with logging filter configurations on Cisco ASA devices via CLI or ASDM.
Adversaries may reduce logging levels or disable specific log categories to evade detection, hide their activities, or prevent security monitoring systems from capturing evidence of their actions. By lowering logging verbosity, attackers can operate with reduced visibility to security teams.
The detection monitors for logging configuration commands (message ID 111008 or 111010) that modify logging destinations (asdm, console, history, mail, monitor, trap) without setting them to higher severity levels (5-notifications, 6-informational, 7-debugging), which may indicate an attempt to reduce logging verbosity.
Investigate unauthorized logging configuration changes that reduce verbosity, especially changes performed by non-administrative accounts, during unusual hours, or without corresponding change management approval.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command = "logging *"
command IN (
"*asdm*",
"*console*",
"*history*",
"*mail*",
"*monitor*",
"*trap*"
)
NOT command IN (
"*notifications*",
"*informational*",
"*debugging*",
"* 5*",
"* 6*",
"* 7*"
)
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___logging_filters_configuration_tampering_filter`
Cisco ASA - Logging Message Suppression
This analytic detects suppression of specific logging messages on Cisco ASA devices using the "no logging message" command.
Adversaries may suppress specific log message IDs to selectively disable logging of security-critical events such as authentication failures, configuration changes, or suspicious network activity. This targeted approach allows attackers to evade detection while maintaining normal logging operations that might otherwise alert administrators to complete logging disablement.
The detection monitors for command execution events (message ID 111008 or 111010) containing the "no logging message" command, which is used to suppress specific message IDs from being logged regardless of the configured severity level.
Investigate unauthorized message suppression, especially suppression of security-critical message IDs (authentication, authorization, configuration changes), suppression performed by non-administrative accounts, during unusual hours, or without documented justification.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command = "no logging message *"
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___logging_message_suppression_filter`
Cisco ASA - New Local User Account Created
This analytic detects creation of new user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may create unauthorized user accounts to establish persistence, maintain backdoor access, or elevate privileges on network infrastructure devices. These rogue accounts can provide attackers with continued access even after initial compromise vectors are remediated.
The detection monitors for ASA message ID 502101, which is generated whenever a new user account is created on the device, capturing details including the username, privilege level, and the administrator who created the account.
Investigate unexpected account creations, especially those with elevated privileges (level 15), accounts created outside business hours, accounts with suspicious or generic names, or accounts created by non-administrative users.
Show query
`cisco_asa`
message_id IN (502101)
| fillnull
| stats count earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(result) as result
values(privilege_level) as privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___new_local_user_account_created_filter`
Cisco ASA - Packet Capture Activity
This analytic detects execution of packet capture commands on Cisco ASA devices via CLI or ASDM.
Adversaries may abuse the built-in packet capture functionality to perform network sniffing, intercept credentials transmitted over the network, capture sensitive data in transit, or gather intelligence about network traffic patterns and internal communications. Packet captures can reveal usernames, passwords, session tokens, and confidential business data.
The detection monitors for command execution events (message ID 111008 or 111010) containing "capture" commands, which are used to initiate packet capture sessions on specific interfaces or for specific traffic patterns on the ASA device.
Investigate unauthorized packet capture activities, especially captures targeting sensitive interfaces (internal network segments, DMZ), captures configured to capture large volumes of traffic, captures with suspicious filter criteria, captures initiated by non-administrative accounts, or captures during unusual hours.
Show query
`cisco_asa`
message_id IN (111008, 111010)
command IN ("capture *")
| fillnull
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
values(user) as user
values(action) as action
values(message_id) as message_id
values(command) as command
values(src_ip) as src_ip
values(process_name) as process_name
by host
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___packet_capture_activity_filter`
Cisco ASA - Reconnaissance Command Activity
This analytic detects potential reconnaissance activities on Cisco ASA devices by identifying execution of multiple information-gathering "show" commands within a short timeframe.
Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths. This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions.
The detection monitors for command execution events (message ID 111009) containing reconnaissance-oriented "show" commands (such as show running-config, show version, show interface, show crypto, show conn, etc.) and triggers when 7 or more distinct reconnaissance commands are executed within a 5-minute window by the same user.
Investigate reconnaissance bursts from non-administrative accounts, unusual source IP addresses, activity during off-hours, methodical command sequences suggesting automated enumeration, or reconnaissance activity correlated with other suspicious behaviors.
We recommend adapting the detection filters to exclude known legitimate administrative activities.
Show query
`cisco_asa`
message_id IN (111009)
command IN (
"show access-list*",
"show capture*",
"show conn*",
"show cpu*",
"show crypto*",
"show eigrp*",
"show failover*",
"show flow*",
"show interface*",
"show inventory*",
"show ip*",
"show license*",
"show memory*",
"show nat*",
"show ospf*",
"show process*",
"show running-config*",
"show startup-config*",
"show version*",
"show vpn-sessiondb*",
"show xlate*"
)
| fillnull
```
Normalize command variations to base command types to count distinct reconnaissance categories.
For example, "show running-config", "show running-config | include username", and "show running-config interface" all count as one command type.
This prevents adversaries from evading detection by adding arguments or using multiple variations of the same command.
```
| eval command_type=case(
match(command, "^show access-list"), "show access-list",
match(command, "^show capture"), "show capture",
match(command, "^show conn"), "show conn",
match(command, "^show cpu"), "show cpu",
match(command, "^show crypto"), "show crypto",
match(command, "^show eigrp"), "show eigrp",
match(command, "^show failover"), "show failover",
match(command, "^show flow"), "show flow",
match(command, "^show interface"), "show interface",
match(command, "^show inventory"), "show inventory",
match(command, "^show ip"), "show ip",
match(command, "^show license"), "show license",
match(command, "^show memory"), "show memory",
match(command, "^show nat"), "show nat",
match(command, "^show ospf"), "show ospf",
match(command, "^show process"), "show process",
match(command, "^show running-config"), "show running-config",
match(command, "^show startup-config"), "show startup-config",
match(command, "^show version"), "show version",
match(command, "^show vpn-sessiondb"), "show vpn-sessiondb",
match(command, "^show xlate"), "show xlate",
true(), command)
| bin _time span=5m
| stats count
earliest(_time) as firstTime
latest(_time) as lastTime
dc(command_type) as unique_recon_commands
values(command_type) as command_types
values(command) as commands
values(src_ip) as src_ip
values(message_id) as message_id
values(action) as action
by _time host user
| where unique_recon_commands >= 7
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___reconnaissance_command_activity_filter`
Cisco ASA - User Account Deleted From Local Database
This analytic detects deletion of user accounts from Cisco ASA devices via CLI or ASDM.
Adversaries may delete local accounts to cover their tracks, remove evidence of their activities, disrupt incident response efforts, or deny legitimate administrator access during an attack. Account deletion can also indicate an attempt to hide the creation of temporary accounts used during compromise.
The detection monitors for ASA message ID 502102, which is generated whenever a local user account is deleted from the device, capturing details including the deleted username, privilege level, and the administrator who performed the deletion.
Investigate unexpected account deletions, especially those involving privileged accounts (level 15), deletions performed outside business hours, deletions by non-administrative users, or deletions that coincide with other suspicious activities.
Show query
`cisco_asa`
message_id IN (502102)
| fillnull
| stats count earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(result) as result
values(privilege_level) as privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_account_deleted_from_local_database_filter`
Cisco ASA - User Account Lockout Threshold Exceeded
This analytic detects user account lockouts on Cisco ASA devices resulting from excessive failed authentication attempts.
Account lockouts may indicate brute force attacks, password spraying campaigns, credential stuffing attempts using compromised credentials from external breaches, or misconfigured automation attempting authentication with incorrect credentials. These activities represent attempts to gain unauthorized access to network infrastructure.
The detection monitors for ASA message ID 113006, which is generated when a user account is locked out after exceeding the configured maximum number of failed authentication attempts, capturing the locked account name and the failure threshold that was exceeded.
Investigate account lockouts for privileged or administrative accounts, multiple simultaneous lockouts affecting different accounts (suggesting password spraying), lockouts originating from unusual source IP addresses, lockouts during off-hours, or patterns suggesting automated attack tools.
Show query
`cisco_asa`
message_id IN (113006)
| rex "locked out on exceeding '(?<attempts_count>\d+)' successive failed authentication attempts"
| rex "User '(?<user>[^']+)' locked out"
| eval failure_description="locked out on exceeding " . attempts_count . " successive failed authentication attempts"
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(message_id) as message_id
values(failure_description) as failure_description
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_account_lockout_threshold_exceeded_filter`
Cisco ASA - User Privilege Level Change
This analytic detects privilege level changes for user accounts on Cisco ASA devices via CLI or ASDM.
Adversaries may escalate account privileges to gain elevated access to network infrastructure, enable additional command execution capabilities, or establish higher-level persistent access. Privilege levels on Cisco ASA range from 0 (lowest) to 15 (full administrative access), with level 15 providing complete device control.
The detection monitors for ASA message ID 502103, which is generated whenever a user account's privilege level is modified, capturing both the old and new privilege levels along with the username and administrator who made the change.
Investigate unexpected privilege changes, especially escalations to level 15, substantial privilege increases (e.g., from level 1 to 15), changes performed outside business hours, changes by non-administrative users, or changes without corresponding change management tickets.
Show query
`cisco_asa`
message_id IN (502103)
| fillnull
| stats earliest(_time) as firstTime
latest(_time) as lastTime
values(action) as action
values(message_id) as message_id
values(old_privilege_level) as old_privilege_level
values(new_privilege_level) as new_privilege_level
by host user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_asa___user_privilege_level_change_filter`
Cisco Configuration Archive Logging Analysis
This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.
Show query
| tstats `security_content_summariesonly` count values(All_Changes.command) as commands min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*username*privilege 15*")
OR
(All_Changes.command="*username*password*")
OR
(All_Changes.command="*USER TABLE MODIFIED*")
OR
(All_Changes.command="*tftp-server*")
OR
(All_Changes.command="*snmp-server community*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_configuration_archive_logging_analysis_filter`
Cisco Duo Admin Login Unusual Browser
The following analytic identifies instances where a Duo admin logs in using a browser other than Chrome, which is considered unusual based on typical access patterns. Please adjust the allowed browser list to your environment. The detection leverages Duo activity logs ingested via the Cisco Security Cloud App and filters for admin login actions where the browser is not Chrome. By renaming and aggregating relevant fields such as user, browser, IP address, and location, the analytic highlights potentially suspicious access attempts that deviate from the norm. This behavior is significant for a SOC because the use of an unexpected browser may indicate credential compromise, session hijacking, or the use of unauthorized devices by attackers attempting to evade detection. Detecting such anomalies enables early investigation and response, helping to prevent privilege escalation, policy manipulation, or further compromise of sensitive administrative accounts. The impact of this attack could include unauthorized changes to security policies, user access, or the disabling of critical security controls, posing a substantial risk to the organization's security posture.
Show query
`cisco_duo_activity` "action.name"=admin_login NOT access_device.browser IN (Chrome)
| rename actor.name as user access_device.ip.address as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime
BY access_device.browser access_device.browser_version src_ip
access_device.location.city access_device.location.country access_device.location.state
access_device.os access_device.os_version actor.details
actor.type outcome.result user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_admin_login_unusual_browser_filter`
Cisco Duo Admin Login Unusual Country
The following analytic detects instances where a Duo admin login originates from a country outside of the United States, which may indicate suspicious or unauthorized access attempts. Please adjust as needed to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out events where the access device's country is not within the expected region. By correlating user, device, browser, and location details, the analytic highlights anomalies in geographic login patterns. This behavior is critical for a SOC to identify because admin accounts have elevated privileges, and access from unusual countries can be a strong indicator of credential compromise, account takeover, or targeted attacks. Early detection of such activity enables rapid investigation and response, reducing the risk of unauthorized changes, data breaches, or further lateral movement within the environment. The impact of this attack can be severe, potentially allowing attackers to bypass security controls, alter configurations, or exfiltrate sensitive information.
Show query
`cisco_duo_activity` "action.name"=admin_login NOT access_device.location.country IN ("United States")
| rename actor.name as user access_device.ip.address as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime
BY access_device.browser access_device.browser_version src_ip
access_device.location.city access_device.location.country access_device.location.state
access_device.os access_device.os_version actor.details
actor.type outcome.result user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_admin_login_unusual_country_filter`
Cisco Duo Admin Login Unusual Os
The following analytic identifies Duo admin login attempts from operating systems that are unusual for your environment, excluding commonly used OS such as Mac OS X. Please adjust to your environment. It works by analyzing Duo activity logs for admin login actions and filtering out logins from expected operating systems. The analytic then aggregates events by browser, version, source IP, location, and OS details to highlight anomalies. Detecting admin logins from unexpected operating systems is critical for a SOC, as it may indicate credential compromise, unauthorized access, or attacker activity using unfamiliar devices. Such behavior can precede privilege escalation, policy changes, or other malicious actions within the Duo environment. Early detection enables rapid investigation and response, reducing the risk of account takeover and minimizing potential damage to organizational security controls.
Show query
`cisco_duo_activity` "action.name"=admin_login NOT access_device.os IN ("Mac OS X")
| rename actor.name as user access_device.ip.address as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime
BY access_device.browser access_device.browser_version src_ip
access_device.location.city access_device.location.country access_device.location.state
access_device.os access_device.os_version actor.details
actor.type outcome.result user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_admin_login_unusual_os_filter`
Cisco Duo Bulk Policy Deletion
The following analytic detects a Duo administrator deleting more than three policies in a single action. It searches Duo administrator logs for the policy_bulk_delete action, parses the JSON in the description field with spath, extracts the deleted policy names from the policies string with a regex (one name before each ": "), counts them with mvcount, and flags the event when the count exceeds three. Because the regex splits on colons and commas, a policy name containing either character will be miscounted; check the extracted policy_name values before relying on the threshold. Mass deletion of security policies matters to a SOC because it can indicate an attacker or rogue administrator disabling security controls ahead of further compromise, leaving the organization with a reduced security posture and a higher risk of unauthorized access. Investigating such events promptly ensures that unauthorized changes to security configuration are identified and reverted.
Show query
`cisco_duo_administrator` action=policy_bulk_delete
| rename username as user
| spath input=description
| rex field=policies max_match=0 "(?<policy_name>[^:,]+):\s+"
| eval policy_count=mvcount(policy_name)
| where policy_count > 3
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description user admin_email policy_count
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_bulk_policy_deletion_filter`
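The two admin-login rules above (Cisco Duo Admin Login Unusual Country and Cisco Duo Admin Login Unusual Os) reduce to a filter on two fields followed by a stats aggregation. The following Python, added here as an illustration and not part of the Splunk content or of Cisco Duo, replays both checks over a handful of constructed records shaped like Duo Activity Log API output (the nested key layout, the `ts` timestamp field and every value are assumptions made for the example). It also reproduces the Splunk NOT ... IN (...) semantics, under which a record with no country field matches the unusual-country check.

```python
"""Replay the Duo admin-login Unusual Country / Unusual OS checks over sample records."""

# Allow-lists mirroring the SPL: NOT access_device.location.country IN ("United States")
# and NOT access_device.os IN ("Mac OS X"). Extend both to fit your environment.
EXPECTED_COUNTRIES = {"United States"}
EXPECTED_OS = {"Mac OS X"}


def _device(os_name, ip, country=None, city=None, state=None):
    """Build an access_device object; country=None omits the location block entirely."""
    device = {"ip": {"address": ip}, "os": os_name, "browser": "Chrome", "browser_version": "122"}
    if country is not None:
        device["location"] = {"city": city, "state": state, "country": country}
    return device


# Constructed records shaped like Duo Activity Log API output; not real data.
# The key layout and the "ts" field are assumptions made for this example.
SAMPLE_ACTIVITY_LOG = [
    {"ts": "2024-03-01T08:00:00+00:00", "action": {"name": "admin_login"},
     "actor": {"name": "alice", "type": "admin"}, "outcome": {"result": "success"},
     "access_device": _device("Mac OS X", "198.51.100.10", "United States", "Austin", "Texas")},
    {"ts": "2024-03-01T09:10:00+00:00", "action": {"name": "admin_login"},
     "actor": {"name": "alice", "type": "admin"}, "outcome": {"result": "success"},
     "access_device": _device("Windows", "203.0.113.7", "Germany", "Berlin", "Berlin")},
    {"ts": "2024-03-01T09:12:00+00:00", "action": {"name": "admin_login"},
     "actor": {"name": "alice", "type": "admin"}, "outcome": {"result": "success"},
     "access_device": _device("Windows", "203.0.113.7", "Germany", "Berlin", "Berlin")},
    {"ts": "2024-03-01T10:00:00+00:00", "action": {"name": "admin_login"},
     "actor": {"name": "bob", "type": "admin"}, "outcome": {"result": "success"},
     "access_device": _device("Windows", "198.51.100.11", "United States", "Austin", "Texas")},
    {"ts": "2024-03-01T11:00:00+00:00", "action": {"name": "admin_login"},
     "actor": {"name": "carol", "type": "admin"}, "outcome": {"result": "success"},
     "access_device": _device("Mac OS X", "192.0.2.5")},          # no geolocation at all
    {"ts": "2024-03-01T12:00:00+00:00", "action": {"name": "user_login"},   # not an admin login
     "actor": {"name": "dave", "type": "user"}, "outcome": {"result": "success"},
     "access_device": _device("Linux", "203.0.113.9", "Germany", "Berlin", "Berlin")},
]


def get_path(record, dotted):
    """Resolve a Splunk-style dotted field name against nested JSON; None if any segment is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def not_in(value, allowed):
    """Splunk `NOT field IN (...)`: true when the value is outside the list OR the field is absent."""
    return value not in allowed


def flag_admin_logins(records):
    """One finding per admin_login record that trips either check, with the reasons."""
    findings = []
    for rec in records:
        if get_path(rec, "action.name") != "admin_login":
            continue
        country = get_path(rec, "access_device.location.country")
        os_name = get_path(rec, "access_device.os")
        reasons = []
        if not_in(country, EXPECTED_COUNTRIES):
            reasons.append("unusual_country")
        if not_in(os_name, EXPECTED_OS):
            reasons.append("unusual_os")
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "user": get_path(rec, "actor.name"),                   # rename actor.name as user
                "src_ip": get_path(rec, "access_device.ip.address"),   # rename ... as src_ip
                "country": country,
                "os": os_name,
                "reasons": reasons,
            })
    return findings


def summarize(findings):
    """Collapse findings like the SPL stats clause: count, firstTime, lastTime per (user, src_ip, country, os)."""
    rows = {}
    for f in findings:
        key = (f["user"], f["src_ip"], f["country"], f["os"])
        row = rows.setdefault(key, {"count": 0, "firstTime": f["ts"], "lastTime": f["ts"], "reasons": set()})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], f["ts"])   # ISO-8601 strings in one zone sort lexically
        row["lastTime"] = max(row["lastTime"], f["ts"])
        row["reasons"].update(f["reasons"])
    return rows


if __name__ == "__main__":
    for key, row in summarize(flag_admin_logins(SAMPLE_ACTIVITY_LOG)).items():
        print(key, row)
```

Running it shows three aggregated rows: alice from Berlin on Windows (count 2, both reasons), bob from a US address on Windows (OS only), and carol with `country` of `None`, which is the missing-geolocation case the NOT ... IN filter lets through. If you would rather drop events with no geolocation, the Splunk equivalent is `access_device.location.country!="United States"`, which does not match events lacking the field.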
Cisco Duo Bypass Code Generation
The following analytic detects when a bypass code is generated for a Duo user, which lets that user authenticate without completing the second factor. It works by searching Duo administrator logs for the bypass_create action, renaming the object field (the user the code was issued for) to user, and aggregating the events. Note that the administrator who generated the code is in the username field of the same event; the query does not carry it into the stats output, so extend the by clause if you need to see who issued the code. This behaviour matters to a SOC because a bypass code lets an attacker, malicious insider, or unauthorized administrator reach protected systems with only a password, and may indicate account compromise, privilege abuse, or a deliberate weakening of controls. Detecting it early lets the SOC investigate and revoke the code before the reduced authentication requirement is exploited for unauthorized access or lateral movement.
Show query
`cisco_duo_administrator` action=bypass_create
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_bypass_code_generation_filter`
Cisco Duo Policy Allow Devices Without Screen Lock
The following analytic detects when a Duo policy is created or updated so that devices without a screen lock are allowed. It searches Duo administrator logs for policy_create or policy_update actions, parses the JSON in the description field with spath, and matches events where require_lock is false. The query renames the object field to user, but for policy events object is the policy that was changed; admin_email identifies the administrator who made the change. Relaxing the screen-lock requirement weakens device security and raises the exposure if a device is lost or stolen, so a SOC should treat such a change as either a misconfiguration or a deliberate attempt to lower authentication standards, either of which increases the risk of credential compromise, data breaches, or lateral movement.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search require_lock=false
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_allow_devices_without_screen_lock_filter`
Cisco Duo Policy Allow Network Bypass 2FA
The following analytic detects when a Duo policy is created or updated to let specific networks bypass two-factor authentication. It searches Duo administrator logs for policy_create or policy_update actions, parses the description field with spath, and matches events where a networks_allow value is present, meaning one or more networks have been permitted to skip 2FA; results are aggregated by policy, administrator, and the allowed networks. This matters to a SOC because a network-based exemption turns network position into an authentication factor: if the trusted network is compromised or the range is misconfigured, 2FA is effectively removed for anyone on it, raising the risk of account takeover and lateral movement. Prompt detection lets analysts review the change before it can be leveraged.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search networks_allow=*
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email networks_allow
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_allow_network_bypass_2fa_filter`
Cisco Duo Policy Allow Old Flash
The following analytic identifies a Duo administrator creating or updating a policy to allow outdated Flash, detected by a flash_remediation value of "no remediation" in the policy change. It searches Duo administrator logs (ingested via the Cisco Security Cloud App) for policy_update or policy_create actions and parses the description field for that attribute. Flash has been end-of-life and unsupported by Adobe since the end of 2020 and has a long history of exploited vulnerabilities, so permitting it enlarges the attack surface; an attacker or insider may make this change to keep a vulnerable plugin from being blocked at login. Investigate promptly to determine whether the change was authorized and revert it if not.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search flash_remediation="no remediation"
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_allow_old_flash_filter`
Cisco Duo Policy Allow Old Java
The following analytic detects when a Duo policy is created or updated to allow outdated Java. It searches Duo administrator logs for policy_create or policy_update actions where the parsed description sets java_remediation to "no remediation", meaning no restriction is enforced against old Java versions, and aggregates the policy, administrator email, and action context for investigation. Permitting outdated Java exposes the organization to known, widely exploited vulnerabilities, and an attacker or malicious insider may modify the policy precisely to let insecure software through. Prompt detection lets SOC analysts revert the change before it is exploited.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search java_remediation="no remediation"
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_allow_old_java_filter`
Cisco Duo Policy Allow Tampered Devices
The following analytic detects when a Duo policy is created or updated to allow tampered devices, such as rooted or jailbroken phones, to access protected resources. It searches Duo administrator logs for policy_create or policy_update actions and matches events whose parsed description sets allow_rooted_devices to true. Tampered devices can have their built-in security controls disabled and run unauthorized software, so they are more easily compromised and make a weaker second factor. A SOC should treat the change as either a misconfiguration or a deliberate attempt to lower authentication requirements so that compromised devices can reach sensitive systems, with unauthorized access, data breaches, and lateral movement as the possible consequences; prompt detection and response are essential.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search allow_rooted_devices=true
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_allow_tampered_devices_filter`
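The Cisco Duo Bulk Policy Deletion rule and the five policy rules above (Allow Devices Without Screen Lock, Allow Network Bypass 2FA, Allow Old Flash, Allow Old Java, Allow Tampered Devices) all follow one pattern: read Duo Administrator Log events, parse the JSON carried in the description field, and test a single setting. The following Python, added here as an illustration and not part of the Splunk content or of Cisco Duo, evaluates all six conditions over constructed administrator-log records. The description payloads are assumptions shaped so the checks can be exercised (the page does not document Duo's exact format; in particular the policies string is built the way the bulk-deletion regex expects it), and one record carries a hardened policy for contrast.

```python
"""Replay the Duo administrator-log policy checks (bulk deletion and weakened settings)."""
import json
import re

# Same pattern as the SPL rex: one policy name before each ": ".
POLICY_NAME_RE = re.compile(r"(?P<policy_name>[^:,]+):\s+")
BULK_DELETE_THRESHOLD = 3  # SPL: where policy_count > 3

# Weak settings the five policy rules search for, keyed by the spath field each `search` tests.
# "equals" mirrors `field=value` (case-insensitive string compare); "present" mirrors `field=*`.
WEAK_SETTINGS = {
    "require_lock": ("equals", "false"),              # devices without screen lock
    "networks_allow": ("present", None),              # networks allowed to bypass 2FA
    "flash_remediation": ("equals", "no remediation"),
    "java_remediation": ("equals", "no remediation"),
    "allow_rooted_devices": ("equals", "true"),       # tampered / rooted devices
}
POLICY_ACTIONS = {"policy_create", "policy_update"}


def _event(action, username, obj, description):
    """Constructed Duo Administrator Log record; description is a JSON string as in the Admin API."""
    return {"action": action, "username": username, "object": obj,
            "description": json.dumps(description)}


# Constructed sample data, not real Duo output. Payload shapes are assumptions for this example.
SAMPLE_ADMIN_LOG = [
    _event("policy_bulk_delete", "admin.alice", "",
           {"policies": "Finance: P1, HR: P2, Sales: P3, Legacy VPN: P4"}),        # 4 policies -> fires
    _event("policy_bulk_delete", "admin.bob", "",
           {"policies": "Finance: P1, HR: P2"}),                                  # 2 policies -> silent
    _event("policy_update", "admin.alice", "Contractors",
           {"require_lock": False, "networks_allow": "10.0.0.0/8",
            "flash_remediation": "no remediation", "allow_rooted_devices": True}),  # four weak settings
    _event("policy_create", "admin.carol", "Hardened Admins",
           {"require_lock": True, "networks_allow": "", "java_remediation": "block",
            "allow_rooted_devices": False}),                                      # hardened -> silent
    _event("policy_update", "admin.bob", "Developers",
           {"java_remediation": "no remediation"}),                               # one weak setting
    _event("bypass_create", "admin.bob", "dave", {"require_lock": False}),       # not a policy action
]


def parse_description(record):
    """spath input=description: the field is a JSON document embedded as a string."""
    return json.loads(record.get("description") or "{}")


def extract_policy_names(record):
    """Names of the policies listed in a policy_bulk_delete event (rex ... max_match=0)."""
    policies = parse_description(record).get("policies", "")
    # Splunk's rex keeps the space after each comma in the captured name; strip it (count unchanged).
    return [m.group("policy_name").strip() for m in POLICY_NAME_RE.finditer(policies)]


def flag_bulk_deletions(records, threshold=BULK_DELETE_THRESHOLD):
    """policy_bulk_delete events that removed more than `threshold` policies."""
    findings = []
    for rec in records:
        if rec.get("action") != "policy_bulk_delete":
            continue
        names = extract_policy_names(rec)
        if len(names) > threshold:
            findings.append({"user": rec.get("username"), "policy_count": len(names), "policies": names})
    return findings


def weak_settings_in(record):
    """Which of the five weak settings a policy_create/policy_update event carries."""
    if record.get("action") not in POLICY_ACTIONS:
        return []
    desc = parse_description(record)
    hits = []
    for field, (mode, wanted) in WEAK_SETTINGS.items():
        if field not in desc:
            continue
        value = desc[field]
        if mode == "present":
            if value not in (None, ""):          # field=* needs a non-empty value
                hits.append(field)
        elif str(value).lower() == wanted:       # JSON true/false arrive as "true"/"false" in Splunk
            hits.append(field)
    return hits


def flag_weak_policies(records):
    """One finding per policy event that trips at least one rule; object is the policy, username the admin."""
    findings = []
    for rec in records:
        hits = weak_settings_in(rec)
        if hits:
            findings.append({"policy": rec.get("object"), "admin": rec.get("username"),
                             "action": rec.get("action"), "weak_settings": hits})
    return findings


if __name__ == "__main__":
    print(flag_bulk_deletions(SAMPLE_ADMIN_LOG))
    print(flag_weak_policies(SAMPLE_ADMIN_LOG))
```

Keeping the setting table in one place makes the difference between the five rules explicit: four are equality tests on a parsed field and one (networks_allow) is an existence test, which is why an empty networks_allow value in the hardened record does not fire. The bulk-deletion branch also shows the limit of the regex: a policy name containing a colon or comma would change the count, so the extracted names are returned alongside it for an analyst to sanity-check.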