Deployable detection rules
2,088 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
Cisco Duo Policy Bypass 2FA
The following analytic detects instances where a Duo policy is created or updated to allow access without two-factor authentication (2FA). It identifies this behavior by searching Duo administrator activity logs for policy changes that set the authentication status to "Allow access without 2FA." By monitoring for these specific actions, the analytic highlights potential attempts to weaken authentication controls, which could be indicative of malicious activity or insider threats. This behavior is critical for a SOC to identify, as bypassing 2FA significantly reduces the security posture of an organization, making it easier for attackers to gain unauthorized access to sensitive systems and data. Detecting and responding to such policy changes promptly helps prevent potential account compromise and mitigates the risk of broader security breaches.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search auth_status="Allow access without 2FA"
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_bypass_2fa_filter`
Cisco Duo Policy Deny Access
The following analytic identifies instances where a Duo administrator creates or updates a policy to explicitly deny user access within the Duo environment. It detects this behavior by searching Duo administrator activity logs for policy creation or update actions where the authentication status is set to "Deny access." By correlating these events with user and admin details, the analytic highlights potential misuse or malicious changes to access policies. This behavior is critical for a SOC to monitor, as unauthorized or suspicious denial of access policies can indicate insider threats, account compromise, or attempts to disrupt legitimate user access. The impact of such an attack may include denial of service to critical accounts, disruption of business operations, or the masking of further malicious activity by preventing targeted users from accessing resources. Early detection enables rapid investigation and remediation to maintain organizational security and availability.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search auth_status="Deny access"
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_deny_access_filter`
Cisco Duo Policy Skip 2FA for Other Countries
The following analytic detects when a Duo policy is created or updated to allow access without two-factor authentication (2FA)
for users in countries other than the default. It identifies this behavior by searching Duo administrator activity logs for policy
creation or update actions where the policy description indicates that access is permitted without 2FA for certain user locations.
This is achieved by parsing the relevant fields in the logs and filtering for the specific condition of 'Allow access without 2FA.'
This behavior is significant for a Security Operations Center (SOC) because bypassing 2FA for any user group or location weakens
the organization's security posture and increases the risk of unauthorized access. Attackers or malicious insiders may exploit
such policy changes to circumvent strong authentication controls, potentially leading to account compromise, data breaches, or
lateral movement within the environment. Early detection of these policy modifications enables the SOC to investigate and respond
before attackers can leverage the weakened controls, thereby reducing the risk and impact of a successful attack.
Show query
`cisco_duo_administrator` action=policy_update OR action=policy_create
| spath input=description
| search user_locations_default_action="Allow access without 2FA"
| rename object as user
| stats count min(_time) as firstTime max(_time) as lastTime
BY action actionlabel description
user admin_email
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_policy_skip_2fa_for_other_countries_filter`
Cisco Duo Set User Status to Bypass 2FA
The following analytic detects instances where a Duo user's status is changed to "Bypass" for 2FA, specifically when the
previous status was "Active." This behavior is identified by analyzing Duo activity logs for user update actions, extracting
the status transitions, and filtering for cases where a user is set to bypass multi-factor authentication. This is a critical
event for a Security Operations Center (SOC) to monitor, as bypassing 2FA significantly weakens account security and may
indicate malicious insider activity or account compromise. Attackers or unauthorized administrators may exploit this change to
disable strong authentication controls, increasing the risk of unauthorized access to sensitive systems and data. Early detection
of such changes enables rapid investigation and response, helping to prevent potential breaches and limit the impact of
credential-based attacks.
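The four Duo searches on this page share one shape: keep only the relevant action, decode the JSON-encoded `description` or `details` string (the `spath` step), and compare a single status field against a literal. The Python below is an added example written for this page, not the page's own content and not Duo's code, and it runs that logic outside Splunk over constructed records. The record shapes (`action`, `object`, `admin_email`, `description` for the administrator log; `action.name`, `actor`, `target.details`, `old_target.details`, `access_device.ip.address` for the activity log) are assumed from the field names the SPL reads; `ADMIN_LOG` and `ACTIVITY_LOG` are constructed samples, and the string comparison is case-insensitive to mirror Splunk's `search field="value"` semantics.

```python
import json
from collections import defaultdict

# Constructed sample records (not a real Duo export). Field shapes follow what the
# page's SPL reads: the administrator log carries action, object, admin_email and a
# description that is a JSON-encoded string (Duo also emits free-text descriptions);
# the activity log carries action.name, actor, target/old_target with JSON details.
ADMIN_LOG = [
    {"timestamp": 1700000000, "action": "policy_update", "object": "Global Policy",
     "admin_email": "admin@example.com",
     "description": json.dumps({"auth_status": "Allow access without 2FA"})},
    {"timestamp": 1700000300, "action": "policy_create", "object": "Contractors",
     "admin_email": "helpdesk@example.com",
     "description": json.dumps({"user_locations_default_action": "Allow access without 2FA"})},
    {"timestamp": 1700000600, "action": "policy_update", "object": "Finance",
     "admin_email": "admin@example.com",
     "description": json.dumps({"auth_status": "Deny access"})},
    {"timestamp": 1700000900, "action": "policy_update", "object": "Finance",
     "admin_email": "admin@example.com",
     "description": json.dumps({"auth_status": "Require 2FA"})},        # benign: must not fire
    {"timestamp": 1700001200, "action": "admin_login", "object": "admin@example.com",
     "admin_email": "admin@example.com", "description": "Admin login"},  # free text, not a policy
]

ACTIVITY_LOG = [
    {"ts": 1700001500, "action": {"name": "user_update"},
     "actor": {"name": "admin@example.com", "type": "admin"},
     "target": {"name": "jdoe", "details": json.dumps({"status": "Bypass"})},
     "old_target": {"details": json.dumps({"status": "Active"})},
     "access_device": {"ip": {"address": "203.0.113.7"}}},
    {"ts": 1700001800, "action": {"name": "user_update"},
     "actor": {"name": "admin@example.com", "type": "admin"},
     "target": {"name": "asmith", "details": json.dumps({"status": "Active"})},
     "old_target": {"details": json.dumps({"status": "Disabled"})},
     "access_device": {"ip": {"address": "203.0.113.7"}}},             # re-enable: must not fire
]

# One (field, value) pair per policy search on the page.
POLICY_RULES = {
    "Cisco Duo Policy Bypass 2FA": ("auth_status", "Allow access without 2FA"),
    "Cisco Duo Policy Deny Access": ("auth_status", "Deny access"),
    "Cisco Duo Policy Skip 2FA for Other Countries":
        ("user_locations_default_action", "Allow access without 2FA"),
}


def _json_field(blob, field):
    """spath-like lookup: a missing, free-text or non-object blob yields no field."""
    try:
        return json.loads(blob or "{}").get(field)
    except (json.JSONDecodeError, TypeError, AttributeError):
        return None


def policy_findings(records):
    """Keep policy_create/policy_update, decode description, match each rule."""
    out = []
    for rec in records:
        if rec.get("action") not in ("policy_create", "policy_update"):
            continue
        for rule, (field, value) in POLICY_RULES.items():
            got = _json_field(rec.get("description"), field)
            if isinstance(got, str) and got.casefold() == value.casefold():
                out.append({"rule": rule, "action": rec["action"], "user": rec.get("object"),
                            "admin_email": rec.get("admin_email"), "_time": rec["timestamp"]})
    return out


def bypass_status_findings(events):
    """user_update events whose status moved Active -> Bypass."""
    out = []
    for ev in events:
        if ev.get("action", {}).get("name") != "user_update":
            continue
        new = _json_field(ev.get("target", {}).get("details"), "status")
        old = _json_field(ev.get("old_target", {}).get("details"), "status")
        if new == "Bypass" and old == "Active":
            out.append({"rule": "Cisco Duo Set User Status to Bypass 2FA",
                        "user": ev["target"].get("name"), "actor": ev["actor"].get("name"),
                        "src_ip": ev.get("access_device", {}).get("ip", {}).get("address"),
                        "_time": ev["ts"]})
    return out


def summarize(findings, keys):
    """The `stats count min(_time) max(_time) BY ...` step, keyed on the given fields."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None})
    for f in findings:
        g = groups[tuple(f.get(k) for k in keys)]
        g["count"] += 1
        g["firstTime"] = f["_time"] if g["firstTime"] is None else min(g["firstTime"], f["_time"])
        g["lastTime"] = f["_time"] if g["lastTime"] is None else max(g["lastTime"], f["_time"])
    return {k: dict(v) for k, v in groups.items()}


if __name__ == "__main__":
    for finding in policy_findings(ADMIN_LOG) + bypass_status_findings(ACTIVITY_LOG):
        print(finding)
    print(summarize(policy_findings(ADMIN_LOG), ("rule", "action", "user", "admin_email")))
```

The free-text `admin_login` record and the `Require 2FA` update are the two negative cases worth keeping in any unit test of a tuned version of these rules: the first exercises the non-JSON description path that `spath` silently ignores, the second confirms that only the exact weakening or denying statuses fire.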
Show query
`cisco_duo_activity` action.name=user_update
| spath input=target.details path=status output=status
| spath input=old_target.details path=status output=old_status
| search status=Bypass old_status=Active
| rename target.name as user access_device.ip.address as src_ip
| stats count min(_time) as firstTime max(_time) as lastTime
BY access_device.browser access_device.browser_version src_ip
access_device.location.city access_device.location.country access_device.location.state
access_device.os access_device.os_version action.name
actor.details actor.name actor.type
old_target.details target.details status
old_status user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_duo_set_user_status_to_bypass_2fa_filter`
Cisco IOS Suspicious Privileged Account Creation
This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.
Show query
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*username * privilege 15*")
OR
(All_Changes.command="*username * password*"
AND
All_Changes.command="*USER TABLE MODIFIED*")
OR
(All_Changes.command="*USER_PRIVILEGE_UPDATE*priv-15*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_suspicious_privileged_account_creation_filter`
Cisco IOS XE Guestshell Activation and Destroy
This analytic detects Cisco IOS-XE guestshell enable activity followed by activation and destroy lifecycle logs.
The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images.
Show query
`cisco_ios`
facility IN ("HA_EM", "VMAN", "IM", "AAA")
mnemonic IN ("LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE")
message_text IN (
"*guestshell enable*",
"*guestshell destroy*",
"*Successfully activated virtual service 'guestshell*",
"*IOX SERVICE guestshell*",
"*Destroying virtual service 'guestshell*",
"*Successfully destroyed virtual service 'guestshell*"
)
| eval dest=coalesce(host, dvc, dest, "unknown")
| eval event_type=case(
like(message_text, "%guestshell enable%"), "guestshell_enable_command",
like(message_text, "%guestshell destroy%"), "guestshell_destroy_command",
like(message_text, "%Successfully activated virtual service 'guestshell%"), "vman_guestshell_activated",
like(message_text, "%IOX SERVICE guestshell%"), "im_iox_guestshell_activated",
like(message_text, "%Destroying virtual service 'guestshell%"), "vman_guestshell_destroying",
like(message_text, "%Successfully destroyed virtual service 'guestshell%"), "vman_guestshell_destroyed",
true(), "other"
)
| bin _time span=30m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(message_text) as message
by _time dest
| where
(
mvfind(event_types, "vman_guestshell_activated") >= 0
OR
mvfind(event_types, "im_iox_guestshell_activated") >= 0
OR
mvfind(event_types, "guestshell_enable_command") >= 0
)
AND
(
mvfind(event_types, "vman_guestshell_destroying") >= 0
OR
mvfind(event_types, "vman_guestshell_destroyed") >= 0
OR
mvfind(event_types, "guestshell_destroy_command") >= 0
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_guestshell_activation_and_destroy_filter`
Cisco IOS XE Implant Access
The following analytic identifies potential exploitation of the Cisco IOS XE Web UI vulnerability CVE-2023-20198.
It monitors POST requests to the "/webui/logoutconfirm.html?logon_hash=*" endpoint using the Web datamodel.
This activity is significant because a successful (HTTP 200) POST to that path indicates a potential access request to the implant.
If confirmed malicious, attackers could maintain privileged access, compromising the device's integrity and security.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/webui/logoutconfirm.html?logon_hash=*"
Web.http_method=POST
Web.status=200
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_implant_access_filter`
Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal
This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period.
It also detects the pattern where a loopback interface is removed before clearing logs and exiting.
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM", "PARSER")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD")
message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*")
| eval cmd=lower(coalesce(command, message_text))
| eval event_type=case(
like(cmd, "%show logging%"), "show_logging",
like(cmd, "%clear logging%"), "clear_logging",
like(cmd, "%exit%"), "exit",
like(cmd, "%no interface loopback%"), "remove_loopback"
)
| where isnotnull(event_type)
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=2m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(message_text) as message_text
values(cmd) as cmd
by _time dest
| where mvfind(event_types, "clear_logging") >= 0
AND
mvfind(event_types, "exit") >= 0
AND
(
mvfind(event_types, "show_logging") >= 0
OR
mvfind(event_types, "remove_loopback") >= 0
)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal_filter`
Cisco IOS XE Reconnaissance Command Activity
This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft.
Adversaries who gain initial access to network infrastructure devices typically perform systematic reconnaissance to understand the device configuration, network topology, security policies, connected systems, and potential attack paths.
This reconnaissance phase involves executing multiple "show" commands to enumerate device details, running configurations, active connections, routing information, and VPN sessions.
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
message_text IN (
"*show running-config*",
"*show tacacs*",
"*show cdp neighbors*",
"*show file systems*",
"*dir bootflash:*",
"*show clock*",
"*show platform software status control-processor brief*",
"*terminal length 0*",
"*terminal width 0*"
)
| rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$"
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
| eval command_type=case(
like(command, "show running-config%"), "show_conf",
like(command, "show tacacs%"), "show_tacacs",
like(command, "show cdp neighbors detail%"), "show_cdp",
like(command, "show cdp neighbors%"), "show_cdp",
like(command, "show file systems%"), "show_file",
like(command, "dir bootflash:%"), "dir_bootflash",
like(command, "show clock%"), "show_clock",
like(command, "show platform software status control-processor brief%"), "show_platform",
like(command, "terminal length 0%"), "terminal",
like(command, "terminal width 0%"), "terminal",
true(), null())
| where isnotnull(command_type)
| eval user=coalesce(aaa_user, user, "unknown")
| eval src_ip=coalesce(aaa_src, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=5m
| stats count min(_time) as firstTime
max(_time) as lastTime
dc(command_type) as unique_recon_commands
values(command_type) as command_types
values(command) as commands
by _time dest user src_ip
| where unique_recon_commands >= 4
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_reconnaissance_command_activity_filter`
Cisco IOS XE Remote Access Probe Burst
This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window.
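The reconnaissance-burst and probe-burst searches share their parsing front end (the AAA accounting `rex`, the `coalesce` of user/source, the `bin _time` window) and differ only in how they classify commands and what threshold they apply. The Python below is an added example written for this page, not the page's content and not Cisco or Splunk code, that implements both detections over constructed events so the windowing and thresholds can be exercised offline. The regexes are transcribed from the page's `rex` commands (only the AAA form; the EEM `catchall` fallback is omitted), `SAMPLE_EVENTS` is constructed purely to satisfy that regex and is not captured Cisco output, and `BASE` is chosen as a multiple of both window sizes so the bins are predictable.

```python
import re
from collections import defaultdict

# Regexes transcribed from the page's rex commands (PCRE -> Python named groups).
AAA_RE = re.compile(
    r"^\w+:(?P<aaa_src>[^:@]+)(?:@[^:]*)?:(?P<aaa_user>[^:]*):(?P<aaa_command>.*?)"
    r"(?:\s+\((?P<aaa_result>SUCCESS|FAILURE)\))?$"
)
PROBE_RE = re.compile(r"^(ssh|telnet|ping)\s+")
TARGET_RE = re.compile(
    r"(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?P<target_ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# (prefix, command_type) in the order the page's case() evaluates them.
RECON_TYPES = [
    ("show running-config", "show_conf"), ("show tacacs", "show_tacacs"),
    ("show cdp neighbors", "show_cdp"), ("show file systems", "show_file"),
    ("dir bootflash:", "dir_bootflash"), ("show clock", "show_clock"),
    ("show platform software status control-processor brief", "show_platform"),
    ("terminal length 0", "terminal"), ("terminal width 0", "terminal"),
]

# Constructed events: (epoch seconds, dest, message_text). The message_text shape is
# whatever satisfies AAA_RE above; it is not a captured Cisco log line.
BASE = 1699999800  # multiple of 300 and 600, so every sample lands in one bin
SAMPLE_EVENTS = [
    (BASE + 10, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:terminal length 0 (SUCCESS)"),
    (BASE + 12, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:terminal width 0 (SUCCESS)"),
    (BASE + 20, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:show running-config (SUCCESS)"),
    (BASE + 35, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:show tacacs (SUCCESS)"),
    (BASE + 50, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:show cdp neighbors detail (SUCCESS)"),
    (BASE + 70, "core-rtr-01", "cmd:10.0.0.5@vty0:svc:dir bootflash: (SUCCESS)"),
    (BASE + 100, "core-rtr-01", "cmd:10.0.0.9@vty1:netops:show clock (SUCCESS)"),   # routine
    (BASE + 120, "core-rtr-01", "cmd:10.0.0.9@vty1:netops:show running-config (SUCCESS)"),
    (BASE + 200, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:ping 192.0.2.10 (SUCCESS)"),
    (BASE + 205, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:ping 192.0.2.11 (SUCCESS)"),
    (BASE + 210, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:ping 192.0.2.12 (SUCCESS)"),
    (BASE + 220, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:ssh -l admin 192.0.2.20 (SUCCESS)"),
    (BASE + 230, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:telnet 192.0.2.21 22 (SUCCESS)"),
    (BASE + 240, "edge-rtr-02", "cmd:10.0.0.5@vty0:svc:ssh 192.0.2.22 (FAILURE)"),
    (BASE + 300, "edge-rtr-02", "cmd:10.0.0.9@vty1:netops:ping 192.0.2.1 (SUCCESS)"),  # one ping
]


def parse_events(raw):
    """Apply the AAA rex plus the page's lower/trim/coalesce steps; drop non-matches."""
    out = []
    for ts, dest, text in raw:
        m = AAA_RE.match(text)
        if m:
            out.append({"_time": ts, "dest": dest, "user": m["aaa_user"] or "unknown",
                        "src_ip": m["aaa_src"].strip() or "unknown",
                        "command": m["aaa_command"].strip().lower()})
    return out


def classify_recon(command):
    for prefix, ctype in RECON_TYPES:
        if command.startswith(prefix):
            return ctype
    return None


def bin_time(ts, span_s):
    """Equivalent of `bin _time span=...` on an epoch value."""
    return ts - ts % span_s


def recon_bursts(events, span_s=300, min_unique=4):
    """dc(command_type) >= min_unique per (bin, dest, user, src_ip)."""
    groups = defaultdict(list)
    for ev in events:
        ctype = classify_recon(ev["command"])
        if ctype:
            key = (bin_time(ev["_time"], span_s), ev["dest"], ev["user"], ev["src_ip"])
            groups[key].append((ev["_time"], ctype))
    hits = []
    for (window, dest, user, src_ip), rows in groups.items():
        types = {r[1] for r in rows}
        if len(types) >= min_unique:
            hits.append({"window": window, "dest": dest, "user": user, "src_ip": src_ip,
                         "count": len(rows), "unique_recon_commands": len(types),
                         "command_types": sorted(types),
                         "firstTime": min(r[0] for r in rows), "lastTime": max(r[0] for r in rows)})
    return hits


def probe_bursts(events, span_s=600, min_count=8, min_targets=5):
    """count >= min_count OR dc(target_ip) >= min_targets per (bin, dest, user, src_ip)."""
    groups = defaultdict(list)
    for ev in events:
        if not PROBE_RE.match(ev["command"]):
            continue
        t = TARGET_RE.match(ev["command"])
        key = (bin_time(ev["_time"], span_s), ev["dest"], ev["user"], ev["src_ip"])
        groups[key].append((ev["_time"], t["target_ip"] if t else None, ev["command"].split()[0]))
    hits = []
    for (window, dest, user, src_ip), rows in groups.items():
        targets = {r[1] for r in rows if r[1]}
        if len(rows) >= min_count or len(targets) >= min_targets:
            hits.append({"window": window, "dest": dest, "user": user, "src_ip": src_ip,
                         "command_count": len(rows), "distinct_targets": len(targets),
                         "target_ips": sorted(targets), "command_types": sorted({r[2] for r in rows}),
                         "firstTime": min(r[0] for r in rows), "lastTime": max(r[0] for r in rows)})
    return hits


if __name__ == "__main__":
    parsed = parse_events(SAMPLE_EVENTS)
    for hit in recon_bursts(parsed) + probe_bursts(parsed):
        print(hit)
```

Two things this makes visible that the SPL hides: the `netops` operator running `show clock` and `show running-config` sits in the same 5-minute bin as the burst but stays below the `dc(command_type) >= 4` bar, and the probe burst fires on six distinct targets even though its raw count (6) is below the `>= 8` branch, which is why the page's `where` uses OR rather than AND. The same bin-then-`mvfind` pattern underlies the guestshell lifecycle and log-clearing sequence searches above; only the window size and the required event types change.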
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
message_text IN ("*ssh *", "*telnet *", "*ping *")
| rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$"
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| eval command=lower(trim(coalesce(aaa_command, eem_command, "")))
| where match(command, "^(ssh|telnet|ping)\s+")
| rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?<target_ip>\d{1,3}(?:\.\d{1,3}){3})"
| eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping")
| eval user=coalesce(aaa_user, user, "unknown")
| eval src_ip=coalesce(aaa_src, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=10m
| stats count as command_count
min(_time) as firstTime
max(_time) as lastTime
dc(target_ip) as distinct_targets
values(target_ip) as target_ips
values(command_type) as command_types
values(command) as commands
by _time dest user src_ip
| where command_count >= 8 OR distinct_targets >= 5
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_remote_access_probe_burst_filter`
Cisco IOS XE Request Platform Package Describe Shell Pattern
This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns, which is indicative of Salt Typhoon tradecraft.
Show query
`cisco_ios`
facility IN ("AAA", "HA_EM")
mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG")
message_text="*request platform software package describe*"
message_text IN ("*--filename=/(bash)n*", "*--filename=$(bash)n*")
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime
max(_time) as lastTime
values(message_text) as message
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter`
Cisco IOS XE Tunnel Interface Configuration
This analytic detects creation of a Cisco IOS-XE tunnel interface with tunnel source, tunnel destination, and an IP address in the 10.10.12.0 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious.
Show query
`cisco_ios`
facility IN ("HA_EM", "PARSER")
mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
message_text IN ("*interface Tunnel*", "*tunnel source*", "*tunnel destination*", "*ip address 10.10.12.*")
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>"
| rex field=message_text "<user>(?<parser_user>[^<]+)</user>"
| rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>"
| eval command=lower(trim(coalesce(parser_command, eem_command, "")))
| eval event_type=case(
match(command, "^interface\s+tunnel"), "interface_tunnel",
match(command, "^tunnel\s+source"), "tunnel_source",
match(command, "^tunnel\s+destination"), "tunnel_destination",
match(command, "^ip\s+address\s+10\.10\.12\."), "tunnel_ip_address",
true(), null())
| where isnotnull(event_type)
| eval user=coalesce(parser_user, user, "unknown")
| eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=15m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(user) as user
values(src_ip) as src_ip
values(command) as commands
by _time dest
| where mvfind(event_types, "interface_tunnel") >= 0
AND
mvfind(event_types, "tunnel_source") >= 0
AND
mvfind(event_types, "tunnel_destination") >= 0
AND
mvfind(event_types, "tunnel_ip_address") >= 0
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_tunnel_interface_configuration_filter`
Cisco IOS XE VTY Access Class Tampering
This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon notes describe configure HTTP activity followed by line vty changes and removal/re-application of an access-class within 60 seconds.
Show query
`cisco_ios`
facility IN ("HA_EM", "PARSER")
mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD")
message_text IN (
"*access-class*",
"*configure http*",
"*line vty*"
)
| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"
| rex field=message_text "<enteredCommand><cli>(?<parser_command>.*?)</cli>"
| rex field=message_text "<user>(?<parser_user>[^<]+)</user>"
| rex field=message_text "<srcIP>(?<parser_src_ip>[^<]+)</srcIP>"
| eval command=lower(trim(coalesce(parser_command, eem_command, "")))
| eval event_type=case(
like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config",
like(command, "line vty%"), "line_vty",
like(command, "no access-class%"), "remove_access_class",
like(command, "access-class%"), "add_access_class",
true(), null())
| where isnotnull(event_type)
| eval user=coalesce(parser_user, user, "unknown")
| eval src_ip=coalesce(parser_src_ip, src_ip, "unknown")
| eval dest=coalesce(host, dvc, dest, "unknown")
| bin _time span=1m
| stats count min(_time) as firstTime
max(_time) as lastTime
values(event_type) as event_types
values(user) as user
values(src_ip) as src_ip
values(command) as commands
by _time dest
| where mvfind(event_types, "line_vty") >= 0
AND
mvfind(event_types, "remove_access_class") >= 0
AND
mvfind(event_types, "add_access_class") >= 0
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_vty_access_class_tampering_filter`
Cisco IOS XE WebUI Login From IOSd Local Port
This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111.
This is a strong indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path.
Show query
`cisco_ios`
facility="SEC_LOGIN"
mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED")
message_text="*[localport: 21111]*"
| rex field=_raw "\[user:\s*(?<user>[^\]]+)\]"
| rex field=_raw "\[Source:\s*(?<src_ip>[^\]]+)\]"
| rex field=_raw "\[localport:\s*(?<local_port>[^\]]+)\]"
| rex field=_raw "\[Reason:\s*(?<reason>[^\]]+)\]"
| rex field=_raw "\[ACL:\s*(?<acl>[^\]]+)\]"
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime
max(_time) as lastTime
values(local_port) as local_port
values(acl) as acl
by dest user src_ip reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_webui_login_from_iosd_local_port_filter`
Cisco IOS XE WebUI Programmatic Configuration
This analytic detects Cisco IOS-XE configuration changes performed by the WebUI WSMA process.
Show query
`cisco_ios`
facility="SYS"
mnemonic="CONFIG_P"
message_text="*Configured programmatically by process SEP_webui_wsma_http*"
| rex field=_raw "process\s(?<process>\S+)\sfrom.*as\s(?<user>\S+)\son\s(?<vty>\S+)"
| eval dest=coalesce(host, dvc, dest, "unknown")
| stats count min(_time) as firstTime
max(_time) as lastTime
values(process) as process
values(vty) as vty
by dest user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_ios_xe_webui_programmatic_configuration_filter`
Cisco Isovalent - Access To Cloud Metadata Service
The following analytic detects workloads accessing the cloud instance metadata service at 169.254.169.254. This IP is used by AWS, GCP and Azure metadata endpoints and is frequently abused in SSRF or lateral movement scenarios to obtain credentials and sensitive environment details. Monitor unexpected access to this service from application pods or namespaces where such behavior is atypical.
Show query
`cisco_isovalent_process_connect` | rename process_connect.parent.binary as binary | `excluded_cloud_binaries`
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(dest_port) as dest_port
values(src_ip) as src_ip
by cluster_name pod_name pod_image_name pod_namespace node_name dest_ip
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___access_to_cloud_metadata_service_filter`
Cisco Isovalent - Cron Job Creation
The following analytic detects cron activity inside a pod within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the cron-related binaries (crond, cron, crontab) running in a container, which is how a cron job gets created or serviced there. This behavior is significant for a SOC as it could allow an attacker to execute malicious tasks repeatedly and automatically, posing a threat to the Kubernetes infrastructure. If confirmed malicious, this activity could lead to persistent attacks, service disruptions, or unauthorized access to sensitive information.
Show query
`cisco_isovalent_process_exec` process_name IN ("crond","cron","crontab")
| search pod_name!=""
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(process) as process
by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___cron_job_creation_filter`
Cisco Isovalent - Curl Execution With Insecure Flags
The following analytic detects the execution of curl commands with insecure flags within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for curl commands that use the -k or --insecure flags. This behavior is significant for a SOC as it could allow an attacker to bypass SSL/TLS verification, potentially exposing the Kubernetes infrastructure to man-in-the-middle attacks. If confirmed malicious, this activity could lead to data interception, service disruptions, or unauthorized access to sensitive information.
Show query
`cisco_isovalent_process_exec` process_name="curl"
| regex process="(?i)(?<!\w)-(?:[a-z]*k[a-z]*|-(insecure|proxy-insecure|doh-insecure))"
| stats count min(_time) as firstTime max(_time) as lastTime values(process) as process
by cluster_name pod_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___curl_execution_with_insecure_flags_filter`
Cisco Isovalent - Kprobe Spike
This analytic detects excessive kernel probe (kprobe) events in a Kubernetes cluster over a short period of time.
Kprobes are a Linux kernel debugging and instrumentation mechanism that allows dynamic monitoring and tracing of kernel functions and system calls.
In containerized or cloud-native environments, kprobes are occasionally used for legitimate low-level diagnostics; however, monitoring a spike in kprobe activity is important because malware or attackers may abuse this mechanism to gain insights into the kernel, attempt privilege escalation, or tamper with host processes.
More than 10 kprobe events within 5 minutes may indicate suspicious activity, such as an attacker probing the kernel through repeated privileged operations (e.g., namespace entry via nsenter, mount, sethostname).
Such abnormal volume and frequency of kprobe usage within application pods or on nodes can signal container escape attempts or low-level tampering with the host, thereby representing a potential security threat.
Show query
`cisco_isovalent` process_kprobe.action!=""
| bin _time span=5m | rename process_kprobe.parent.pod.name as pod_name
| stats count as kprobe_count
values(process_kprobe.function_name) as functions
values(process_kprobe.process.binary) as binaries
values(process_kprobe.args{}.string_arg) as args
by pod_name _time
| where kprobe_count > 10 | `cisco_isovalent___kprobe_spike_filter`
Cisco Isovalent - Late Process Execution
Detects process executions that occur well after a container has initialized, which can indicate
suspicious activity (e.g., interactive shells, injected binaries, or post-compromise tooling).
The analytic compares the process start time to the container start time and flags processes
launched more than 5 minutes (300 seconds) after initialization.
Show query
`cisco_isovalent_process_exec` process_name="sh"
| rename process_exec.process.start_time as ProcessStartTime
| rename process_exec.process.pod.container.start_time as ContainerStartTime
| eval ProcessStartTime=strptime(ProcessStartTime, "%Y-%m-%dT%H:%M:%S.%3Q")
| eval ContainerStartTime=strptime(ContainerStartTime, "%Y-%m-%dT%H:%M:%S.%9Q")
| eval ContainerTime5min=relative_time(ContainerStartTime, "+5m")
| where ProcessStartTime > ContainerTime5min
| table node_name cluster_name pod_name container_id process_name process_exec process ProcessStartTime ContainerTime5min
| `security_content_ctime(ProcessStartTime)`
| `security_content_ctime(ContainerTime5min)`
| `cisco_isovalent___late_process_execution_filter`
Cisco Isovalent - Non Allowlisted Image Use
The following analytic detects use of container images that fall outside an approved
allowlist, leveraging Cisco Isovalent/Tetragon runtime telemetry (image name and
workload identity). Adversaries commonly introduce untrusted or newly published
images to deploy tooling, establish persistence, or abuse supply‑chain trust. This
behavior may indicate image pulls from unauthorized registries, execution of
unvetted software, or a drift from established deployment baselines. Extra scrutiny
is warranted for namespaces and workloads that normally source images from restricted
registries, and for pods that suddenly begin running images outside expected
prefixes.
Maintain an environment‑specific allowlist via the macro `cisco_isovalent_allowed_images`
(for example, allow trusted registries/prefixes such as ImageName="gcr.io/org/*",
"registry.local/*", or "myco/*") and keep it updated as new baseline images are
introduced. This analytic alerts on images NOT matching the allowlist.
Show query
`cisco_isovalent_process_exec` pod_name!=""
| search NOT `cisco_isovalent_allowed_images`
| stats count
min(_time) as firstTime
max(_time) as lastTime
by pod_image_name pod_namespace pod_name process_name cluster_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___non_allowlisted_image_use_filter`
Cisco Isovalent - Nsenter Usage in Kubernetes Pod
This analytic detects the execution of the nsenter utility from within a container, a technique often used for exploitation and container escape. Nsenter allows an attacker to enter the namespaces of another process—such as the host's init process (PID 1)—and execute a shell or other binaries with elevated privileges. For example, an attacker may use docker exec to gain a shell in a container, enumerate the PID of a target container or the host, and then use nsenter to access all namespaces (mount, UTS, IPC, net, pid) of the host or another container. Example to escape to the host: `nsenter --target 1 --mount --uts --ipc --net --pid -- bash`. The WorkloadAncestorsBinary field is used to track the ancestry of the process, this is useful to understand the context of the nsenter usage.
The options -m -u -n -i -p correspond to the various Linux namespaces. Adversaries exploit nsenter when pods are misconfigured with excessive privileges (e.g., privileged, hostPID, or broad hostPath mounts), enabling them to interact with the underlying node filesystem and processes. This can be an indicator of a container escape attempt or privilege escalation. Security teams should pay close attention to any nsenter invocation from within containers, especially outside of normal maintenance activity or in workloads with elevated privileges.
Show query
`cisco_isovalent_process_exec` process_name="nsenter"
| eval WorkloadAncestorsBinary=mvjoin(parent_process_name, " <- ")
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(process) as process
values(WorkloadAncestorsBinary) as WorkloadAncestorsBinary
by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___nsenter_usage_in_kubernetes_pod_filter`
Cisco Isovalent - Pods Running Offensive Tools
The following analytic detects execution of known offensive tooling from within Kubernetes pods, including network scanners and post-exploitation frameworks (e.g., nmap, masscan, zmap, impacket-*, hashcat, john, SharpHound, kube-hunter, peirates). We have created a macro named `linux_offsec_tool_processes` that contains the list of known offensive tooling found on linux systems. Adversaries commonly introduce these tools into compromised workloads to conduct discovery, lateral movement, credential access, or cluster reconnaissance. This behavior may indicate a compromised container or supply-chain abuse. Extra scrutiny is warranted for namespaces that do not typically run diagnostic scanners and for pods that suddenly begin invoking these binaries outside of normal maintenance activity.
Show query
`cisco_isovalent_process_exec` `linux_offsec_tool_processes`
| stats count
min(_time) as firstTime
max(_time) as lastTime
values(process) as process
by cluster_name container_id pod_name pod_namespace pod_image_name parent_process_name process_name process_exec process_id node_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___pods_running_offensive_tools_filter`
Cisco Isovalent - Potential Escape to Host
This analytic detects potential container escape or reconnaissance attempts by monitoring for the rapid execution of multiple suspicious Linux commands (nsenter, mount, ps aux, and ls) within a short time window. The search aggregates process execution logs into 5-minute buckets and identifies when two or more distinct commands occur in quick succession. This behavior is noteworthy because attackers often chain these commands together to pivot from a container into the host, enumerate processes, or browse filesystems. For a SOC, catching these clustered command executions is important because it highlights possible adversary activity attempting to break isolation and escalate privileges inside a Kubernetes environment.
Show query
`cisco_isovalent_process_exec`
(
process_name IN ("nsenter","mount","ps","ls")
OR
process IN ("*nsenter*", "*mount*", "*ps aux*", "*ps -ef*")
)
| bin _time span=5m
| stats
count AS total_events
dc(process_name) AS distinct_cmds
min(_time) AS firstTime
max(_time) AS lastTime
values(process) AS process
values(process_name) AS process_name
BY cluster_name node_name pod_name _time
| eval duration_s = round(lastTime - firstTime, 0)
| where distinct_cmds >= 2 AND duration_s <= 120
| table _time cluster_name node_name pod_name total_events distinct_cmds duration_s firstTime lastTime process process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_isovalent___potential_escape_to_host_filter`
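The bucketing logic behind this search (5-minute bins, at least two distinct watch-listed commands, no more than 120 seconds between the first and last one) is easy to misjudge at the bucket edges, so the following added example runs it over a handful of constructed process-exec events. It is not code from the original page or from the Isovalent content; the event tuples, pod names and the `T0` timestamp are constructed, and the threshold constants are taken from the query above.

```python
"""Added example: the 5-minute bucketing logic of the Potential Escape to Host
search, run over constructed Kubernetes process-exec events."""
from collections import defaultdict

SUSPECT_CMDS = {"nsenter", "mount", "ps", "ls"}   # process_name IN (...) from the query
BUCKET_S = 300        # bin _time span=5m
MAX_SPAN_S = 120      # duration_s <= 120
MIN_DISTINCT = 2      # distinct_cmds >= 2

# T0 is aligned to a 5-minute boundary so the sample buckets are easy to reason about.
T0 = 1_700_000_100
WEB = ("prod-east", "node-a", "web-7f9c")      # (cluster_name, node_name, pod_name)
BATCH = ("prod-east", "node-b", "batch-2")
DB = ("prod-east", "node-c", "db-0")

# Constructed sample events, not real telemetry: (epoch seconds, pod key, process_name, process)
SAMPLE_EVENTS = [
    (T0 + 0,   WEB,   "ls",      "ls -la /"),
    (T0 + 30,  WEB,   "ps",      "ps aux"),
    (T0 + 45,  WEB,   "nsenter", "nsenter -t 1 -m -u -n -i -p sh"),
    (T0 + 10,  BATCH, "ls",      "ls /tmp"),
    (T0 + 290, BATCH, "ps",      "ps -ef"),     # same bucket, but 280 s apart: over the 120 s limit
    (T0 + 400, DB,    "mount",   "mount"),      # only one distinct command in its bucket
    (T0 + 50,  WEB,   "curl",    "curl -s http://10.0.0.1/"),  # not on the watch list, ignored
]


def bucket_events(events, bucket_s=BUCKET_S):
    """Group watch-listed events by (pod key, bucket start), like `bin _time` + `stats ... by`."""
    groups = defaultdict(list)
    for ts, pod_key, name, cmdline in events:
        if name in SUSPECT_CMDS:
            groups[(pod_key, ts - ts % bucket_s)].append((ts, name, cmdline))
    return groups


def find_clusters(events, min_distinct=MIN_DISTINCT, max_span_s=MAX_SPAN_S):
    """Return one record per (pod, bucket) that meets the distinct-command and duration thresholds."""
    hits = []
    for (pod_key, bucket), evs in bucket_events(events).items():
        times = [e[0] for e in evs]
        distinct = {e[1] for e in evs}
        span = max(times) - min(times)
        if len(distinct) >= min_distinct and span <= max_span_s:
            hits.append({
                "cluster_name": pod_key[0], "node_name": pod_key[1], "pod_name": pod_key[2],
                "_time": bucket, "total_events": len(evs), "distinct_cmds": len(distinct),
                "duration_s": span, "process": sorted(e[2] for e in evs),
            })
    return sorted(hits, key=lambda h: (h["_time"], h["pod_name"]))


if __name__ == "__main__":
    for hit in find_clusters(SAMPLE_EVENTS):
        print(hit)
```

Only the `web-7f9c` pod is reported: `batch-2` runs two distinct commands in the same bucket but 280 seconds apart, and `db-0` runs a single command. Note that, exactly as in the search, a sequence that straddles a 5-minute boundary is split across two buckets and can be missed; lowering `span` or adding an overlapping window is the usual tuning if that matters in your environment.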
Cisco Isovalent - Shell Execution
The following analytic detects the execution of a shell inside a container namespace within the Cisco Isovalent environment. It identifies this activity by monitoring process execution logs for the execution of a shell (sh or bash) inside a container namespace. This behavior is significant for a SOC as it could allow an attacker to gain shell access to the container, potentially leading to further compromise of the Kubernetes cluster. If confirmed malicious, this activity could lead to data theft, service disruption, privilege escalation, lateral movement, and further attacks, severely compromising the cluster's security and integrity.
Show query
`cisco_isovalent_process_exec` process_name IN ("sh", "ksh", "zsh", "bash", "dash", "rbash", "fish", "csh", "tcsh", "ion", "eshell")
| stats count by cluster_name parent_process_name process_name process_exec process_id node_name | `cisco_isovalent___shell_execution_filter`
Cisco NVM - Curl Execution With Insecure Flags
This analytic detects the use of `curl.exe` with insecure flags such as `-k`, `--insecure`, `--proxy-insecure`, or `--doh-insecure`, which disable TLS certificate validation. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by curl where TLS checks were explicitly disabled. This behavior may indicate an attempt to bypass certificate validation to connect to potentially untrusted or malicious endpoints, a common tactic in red team operations, malware staging, or data exfiltration over HTTPS.
Show query
`cisco_network_visibility_module_flowdata`
process_name = "curl.exe"
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| regex process_arguments="(?i)(?<!\w)-(?:[a-z]*k[a-z]*|-(insecure|proxy-insecure|doh-insecure))"
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___curl_execution_with_insecure_flags_filter`
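Two pieces of this query recur across the NVM rules on this page: the `NOT dest IN (...)` private/reserved-range exclusion and a regex over `process_arguments`. The following added example (not code from the original page or from the Cisco content) reproduces both over constructed flow records so the behaviour of the regex can be checked offline. The flow dictionaries, the `11.22.33.44` placeholder destination and the hostnames under `.invalid` are constructed; the range list and the regex are copied from the query above.

```python
"""Added example: curl-with-insecure-flags detection over constructed NVM-style flow records."""
import ipaddress
import re

# Exclusion list copied from the query's NOT dest IN (...) clause
EXCLUDED_DEST_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1",
)]

# Same pattern as the query's `regex process_arguments=...` stage
INSECURE_FLAG_RE = re.compile(
    r"(?i)(?<!\w)-(?:[a-z]*k[a-z]*|-(?:insecure|proxy-insecure|doh-insecure))"
)


def is_excluded_dest(dest):
    """True when dest is an IP literal inside any private/reserved range (the flow is dropped)."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False  # not an IP literal: keep the flow, as the query would
    return any(addr in net for net in EXCLUDED_DEST_RANGES)


def has_insecure_flag(process_arguments):
    """True when the command line carries a flag the regex treats as disabling TLS checks."""
    return INSECURE_FLAG_RE.search(process_arguments or "") is not None


def detect_insecure_curl(flows):
    """Apply the three filters of the query (process name, destination range, flag regex)."""
    return [
        f for f in flows
        if f["process_name"].lower() == "curl.exe"
        and not is_excluded_dest(f["dest"])
        and has_insecure_flag(f["process_arguments"])
    ]


# Constructed sample flows (not real telemetry). 11.22.33.44 is a placeholder public-looking address.
SAMPLE_FLOWS = [
    {"src": "10.1.2.3", "dest": "11.22.33.44", "process_name": "curl.exe",
     "process_arguments": "curl.exe -sSk https://updates.example.invalid/agent.bin"},
    {"src": "10.1.2.3", "dest": "11.22.33.44", "process_name": "curl.exe",
     "process_arguments": "curl.exe --insecure -o out.bin https://updates.example.invalid/agent.bin"},
    {"src": "10.1.2.3", "dest": "10.0.0.5", "process_name": "curl.exe",
     "process_arguments": "curl.exe -k http://10.0.0.5/health"},          # private dest: excluded
    {"src": "10.1.2.3", "dest": "11.22.33.44", "process_name": "curl.exe",
     "process_arguments": "curl.exe -sS -o out.bin https://updates.example.invalid/agent.bin"},  # no flag
    {"src": "10.1.2.3", "dest": "11.22.33.44", "process_name": "powershell.exe",
     "process_arguments": "powershell.exe -k"},                            # wrong process
]

if __name__ == "__main__":
    for hit in detect_insecure_curl(SAMPLE_FLOWS):
        print(hit["dest"], hit["process_arguments"])
```

The first branch of the regex, `-[a-z]*k[a-z]*`, is what catches clustered short options such as `-sSk`, but it also matches any long option whose name contains the letter k (`--cookie`, `--keepalive-time`), because the lookbehind is satisfied by the first dash of the `--` prefix. If those options are common in your curl usage, add an exclusion for them in the filter macro rather than weakening the pattern.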
Cisco NVM - Installation of Typosquatted Python Package
This analytic detects suspicious Python package installations where the package name resembles a popular Python library but may be typosquatted or slightly altered. Typosquatting is a common technique used by attackers to trick users into installing malicious packages that mimic legitimate ones. This detection leverages Cisco NVM flow telemetry and checks for the pip or poetry package managers, invoked with the "install" or "add" subcommands, making outbound connections to package repositories such as `pypi.org` with known or suspected typo package names.
Show query
`cisco_network_visibility_module_flowdata`
dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")
(
(process_arguments = "*pip*" process_arguments = "*install*")
OR
(process_arguments = "*poetry*" process_arguments = "*add*")
)
| rex field=process_arguments "(?i)(?:pip|poetry)[^|]*?\s+(?:install|add)\s+(?P<package_name>[^\s\"']+)$"
| lookup typo_squatted_python_packages
typosquatted_package_name as package_name
OUTPUTNEW comment package_official_url
| where isnotnull(comment)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport package_name comment package_official_url
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest_hostname dest dest_port transport package_name comment package_official_url
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
| `cisco_nvm___installation_of_typosquatted_python_package_filter`
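The interesting part of this query is the `rex` that pulls the package name out of the command line and the `lookup` that turns it into a hit. The following added example (not code from the original page or from the Cisco content) reproduces that pipeline over constructed flows. The regex and hostname globs are taken from the query; the `TYPOSQUAT_LOOKUP` table stands in for the `typo_squatted_python_packages` lookup and its entries (`requets`, `colourama`) are constructed illustrations, not the lookup's real contents.

```python
"""Added example: package-name extraction and typosquat lookup over constructed NVM-style flows."""
import fnmatch
import re

REPO_HOST_GLOBS = ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")

# Same pattern as the query's rex stage (Python's named-group syntax is accepted by both)
PACKAGE_RE = re.compile(
    r"(?i)(?:pip|poetry)[^|]*?\s+(?:install|add)\s+(?P<package_name>[^\s\"']+)$"
)

# Constructed stand-in for the typo_squatted_python_packages lookup:
# typosquatted name -> (comment, package_official_url). Entries are illustrative only.
TYPOSQUAT_LOOKUP = {
    "requets": ("possible typosquat of requests", "https://pypi.org/project/requests/"),
    "colourama": ("possible typosquat of colorama", "https://pypi.org/project/colorama/"),
}


def repo_host_match(hostname):
    """dest_hostname IN ("*.pythonhosted.org", "*pypi.org", "*python-poetry.org")"""
    return any(fnmatch.fnmatch((hostname or "").lower(), g) for g in REPO_HOST_GLOBS)


def installer_match(args):
    """(pip AND install) OR (poetry AND add) as substring matches, like the wildcard clauses."""
    a = (args or "").lower()
    return ("pip" in a and "install" in a) or ("poetry" in a and "add" in a)


def extract_package(args):
    """Return the package token the rex captures, or None when the pattern does not apply."""
    m = PACKAGE_RE.search(args or "")
    return m.group("package_name") if m else None


def detect_typosquat_installs(flows):
    """Flows whose extracted package name has a lookup entry (`where isnotnull(comment)`)."""
    hits = []
    for f in flows:
        if not repo_host_match(f["dest_hostname"]) or not installer_match(f["process_arguments"]):
            continue
        pkg = extract_package(f["process_arguments"])
        if pkg is None:
            continue
        entry = TYPOSQUAT_LOOKUP.get(pkg.lower())
        if entry is None:
            continue
        comment, url = entry
        hits.append({**f, "package_name": pkg, "comment": comment, "package_official_url": url})
    return hits


# Constructed sample flows, not real telemetry
SAMPLE_FLOWS = [
    {"dest_hostname": "pypi.org", "process_name": "python.exe",
     "process_arguments": "python.exe -m pip install requets"},
    {"dest_hostname": "files.pythonhosted.org", "process_name": "python.exe",
     "process_arguments": "python.exe -m pip install requests"},            # legitimate name
    {"dest_hostname": "pypi.org", "process_name": "poetry.exe",
     "process_arguments": "poetry add colourama"},
    {"dest_hostname": "pypi.org", "process_name": "python.exe",
     "process_arguments": "python.exe -m pip install -r requirements.txt"},  # rex does not match
    {"dest_hostname": "mirror.example.invalid", "process_name": "python.exe",
     "process_arguments": "python.exe -m pip install requets"},             # not a watched host
]

if __name__ == "__main__":
    for hit in detect_typosquat_installs(SAMPLE_FLOWS):
        print(hit["package_name"], "->", hit["comment"])
```

Because the rex anchors the captured token to the end of the command line (`$`), an invocation that installs several packages at once, pins a version (`requets==1.0`), or reads `-r requirements.txt` yields either no capture or a token that will not match the lookup; that is a limitation inherited from the query, not something the example adds.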
Cisco NVM - MSHTML or MSHTA Network Execution Without URL in CLI
This analytic detects suspicious use of 'mshta.exe' or 'rundll32.exe' invoking 'mshtml.dll' or the 'RunHTMLApplication' export without including a direct HTTP/HTTPS URL in the command line. This pattern could be associated with obfuscated script execution used by threat actors during initial access or payload staging. The absence of a visible URL may indicate attempts to evade static detections by embedding the URL via string concatenation, encoding (e.g., hex), or indirect script loaders like 'GetObject()'.
Show query
`cisco_network_visibility_module_flowdata`
(
(
process_name = "mshta.exe"
process_arguments IN ("*javascript*", "*vbscript*")
)
OR
( process_name = "rundll32.exe" AND
process_arguments = "*mshtml*" AND
process_arguments = "*RunHTMLApplication*"
)
)
NOT process_arguments IN ("*http://*", "*https://*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___mshtml_or_mshta_network_execution_without_url_in_cli_filter`
Cisco NVM - Non-Network Binary Making Network Connection
This analytic detects network connections initiated by binaries that are not typically associated with network communication, such as 'notepad.exe', 'calc.exe' or 'write.exe'. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These applications are normally used locally and do not require outbound network access. When they do initiate such connections, it may indicate process hollowing, code injection, or proxy execution, where adversaries abuse a trusted process to mask malicious activity.
Show query
`cisco_network_visibility_module_flowdata`
process_name IN (
"notepad.exe", "write.exe", "mspaint.exe", "calc.exe",
"win32calc.exe", "addinutil.exe", "cmstp.exe", "dialer.exe",
"eqnedt32.exe", "IMEWDBLD.exe"
)
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___non_network_binary_making_network_connection_filter`
Cisco NVM - Outbound Connection to Suspicious Port
The following analytic detects any outbound network connection from an endpoint process to a known suspicious or non-standard port. It leverages Cisco Network Visibility Module flow data logs to identify potentially suspicious behavior by looking at processes communicating over ports such as 4444, 2222, or 51820, which are commonly used by tools like Metasploit, Sliver C2, or other pentest, red team, or malware tooling. These connections are worth investigating further, especially when initiated by unexpected or non-network-native binaries.
Show query
`cisco_network_visibility_module_flowdata`
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| lookup suspicious_ports_list dest_port OUTPUTNEW comment as dest_port_metadata confidence as dest_confidence category as dest_port_category
| where isnotnull(dest_port_metadata)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___outbound_connection_to_suspicious_port_filter`
Cisco NVM - Rclone Execution With Network Activity
This detection identifies execution of the file synchronization utility "rclone". It leverages Cisco Network Visibility Module logs, specifically flow data, in order to capture process executions that initiate network connections. While rclone is a legitimate command-line tool for syncing data to cloud storage providers, it has been widely abused by threat actors for data exfiltration. This analytic inspects the process name and arguments for rclone and flags usage of suspicious flags. If matched, this could indicate malicious usage for stealthy data exfiltration or cloud abuse.
Show query
`cisco_network_visibility_module_flowdata`
(
process_name = "rclone.exe"
OR
(
process_arguments = "* copy *"
process_arguments = "*\\\\*"
process_arguments IN ("*remote:*", "*mega:*", "*ftp:*", "*ftp1:*")
)
OR
(
process_arguments IN ("*remote:*", "*mega:*", "*ftp:*", "*ftp1:*")
process_arguments = "*--transfers"
process_arguments = "*--ignore-existing*"
process_arguments = "*--auto-confirm*"
)
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___rclone_execution_with_network_activity_filter`
Cisco NVM - Rundll32 Abuse of MSHTML.DLL for Payload Download
This analytic detects suspicious use of `rundll32.exe` in combination with `mshtml.dll` and the export `RunHTMLApplication`. This behavior is often observed in malware to execute JavaScript or VBScript in memory, enabling payload staging, bypassing script execution policies, and avoiding the use of the "mshta.exe" binary. The detection leverages Cisco Network Visibility Module telemetry, which offers network flow activity along with process information such as command-line arguments. If confirmed malicious, this activity may indicate initial access or payload download.
Show query
`cisco_network_visibility_module_flowdata`
process_name = "rundll32.exe"
process_arguments = "*mshtml*"
process_arguments IN ("*135*", "*RunHTMLApplication*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___rundll32_abuse_of_mshtml_dll_for_payload_download_filter`
Cisco NVM - Susp Script From Archive Triggering Network Activity
This analytic detects script execution (`wscript.exe` or `cscript.exe`) triggered from compressed files opened directly using `explorer.exe`, `winrar.exe`, or `7zFM.exe`. When a user double-clicks a ".js" file inside one of these archives, it is extracted temporarily into the temp directory, in a folder with certain markers. It leverages Cisco Network Visibility Module (NVM) flow data in order to look for a specific parent/child relationship and an initiated network connection. This behavior is exploited by threat actors such as Scarlet Goldfinch to deliver and run malicious scripts as an initial access technique.
Show query
`cisco_network_visibility_module_flowdata`
parent_process_name IN ("explorer.exe", "winrar.exe", "7zFM.exe")
process_name IN ("wscript.exe", "cscript.exe")
process_arguments = "*\\AppData\\Local\\Temp\\*"
process_arguments IN ("*\\rar*", "*\\7z*", "*.zip*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_name parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___susp_script_from_archive_triggering_network_activity_filter`
Cisco NVM - Suspicious Download From File Sharing Website
This analytic detects suspicious downloads from common file sharing and content delivery platforms using known living-off-the-land binaries (LOLBins) such as 'curl.exe', 'certutil.exe', 'msiexec.exe', 'powershell.exe', 'wmic.exe', and others. It leverages Cisco Network Visibility Module logs to correlate network flow activity with process context, including command-line arguments, process path, and parent process information. These tools are often abused by adversaries and malware to retrieve payloads from public hosting platforms such as GitHub, Discord CDN, Transfer.sh, or Pastebin. This detection helps identify potential initial access, payload staging, or command and control activity using legitimate services.
Show query
`cisco_network_visibility_module_flowdata`
(
(process_name = "svchost.exe" process_arguments = "*-s BITS*")
OR
process_name IN (
"curl.exe", "wmic.exe", "wscript.exe", "cscript.exe", "certutil.exe",
"msiexec.exe", "hh.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe",
"installutil.exe", "certoc.exe", "bitsadmin.exe"
)
)
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_download_from_file_sharing_website_filter`
Cisco NVM - Suspicious File Download via Headless Browser
This analytic identifies the use of Chromium-based browsers (like Microsoft Edge) running in headless mode with the `--dump-dom` argument. This behavior has been observed in attack campaigns such as DUCKTAIL, where browsers are automated to stealthily download content from the internet using direct URLs or suspicious hosting platforms. The detection focuses on identifying connections to known file-sharing domains or direct IPs extracted from command-line arguments and cross-checks those against the destination of the flow. Since it leverages Cisco Network Visibility Module telemetry, the rule triggers only if a network connection is made.
Show query
`cisco_network_visibility_module_flowdata`
``` Usually the initiator of the connection is the child process, meaning the parent will contain the suspicious command.```
(
parent_process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
OR
process_name IN ("brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe")
)
(
(parent_process_arguments="*--headless*" parent_process_arguments="*--dump-dom*")
OR
(process_arguments="*--headless*" process_arguments="*--dump-dom*")
)
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
``` In order to avoid matching with any public IP, we extract the IP value from the CommandLine and filter on it```
| rex field=parent_process_arguments "(?i)\\b(?:https?|ftp)://(?<extracted_ip_parent>(?:\\d{1,3}\\.){3}\\d{1,3})"
| rex field=process_arguments "(?i)\\b(?:https?|ftp)://(?<extracted_ip_child>(?:\\d{1,3}\\.){3}\\d{1,3})"
| eval direct_ip_match=if(dest == extracted_ip_child, 1, if(dest == extracted_ip_parent, 1, 0))
| where (
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
OR direct_ip_match = 1
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_name parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_name parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_file_download_via_headless_browser_filter`
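The two inline comments in this query describe a subtlety worth seeing in code: the headless flags usually sit on the parent browser process while the child makes the connection, and an IP embedded in the command line is matched against `dest` (the `direct_ip_match` eval) so that plain public IPs are not flagged on their own. The following added example (not code from the original page or from the Cisco content) reproduces the parent/child handling, the IP extraction and the two-way match over constructed flows. The browser list, `--headless`/`--dump-dom` clauses, hostname globs and regex come from the query; the flow records, the placeholder `11.22.33.x` addresses and the `.invalid` hostnames are constructed, and the private-range exclusion is not re-applied here.

```python
"""Added example: headless-browser download matching over constructed NVM-style flows."""
import fnmatch
import re

BROWSERS = {"brave.exe", "chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe"}

# Globs copied from the query's dest_hostname IN (...) clause
SHARING_HOST_GLOBS = (
    "*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
    "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
    "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
    "*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
    "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
    "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
    "*ufile.io*", "*w3spaces.com*", "*workers.dev*",
)

# Same pattern as the query's rex stages (one pass each over parent and child arguments)
URL_IP_RE = re.compile(r"(?i)\b(?:https?|ftp)://((?:\d{1,3}\.){3}\d{1,3})")


def extract_url_ip(args):
    """IPv4 literal used as the host of an http/https/ftp URL in the command line, or None."""
    m = URL_IP_RE.search(args or "")
    return m.group(1) if m else None


def is_headless_dump(args):
    """Both --headless and --dump-dom present on one command line."""
    a = (args or "").lower()
    return "--headless" in a and "--dump-dom" in a


def sharing_host_match(hostname):
    return any(fnmatch.fnmatch((hostname or "").lower(), g) for g in SHARING_HOST_GLOBS)


def detect_headless_download(flows):
    """Flows where a browser (parent or child) runs headless --dump-dom and the destination is
    either a listed sharing host or the IP literal taken from the command line."""
    hits = []
    for f in flows:
        names = {f["parent_process_name"].lower(), f["process_name"].lower()}
        if not names & BROWSERS:
            continue
        if not (is_headless_dump(f["parent_process_arguments"]) or is_headless_dump(f["process_arguments"])):
            continue
        extracted = {extract_url_ip(f["parent_process_arguments"]), extract_url_ip(f["process_arguments"])}
        direct_ip_match = f["dest"] in (extracted - {None})   # eval direct_ip_match=if(dest == ...)
        if direct_ip_match or sharing_host_match(f["dest_hostname"]):
            hits.append({**f, "direct_ip_match": int(direct_ip_match)})
    return hits


# Constructed sample flows, not real telemetry. Headless flags sit on the parent; the child connects.
SAMPLE_FLOWS = [
    {"parent_process_name": "msedge.exe", "process_name": "msedge.exe", "dest": "11.22.33.44",
     "dest_hostname": "", "process_arguments": "msedge.exe --type=utility",
     "parent_process_arguments": "msedge.exe --headless --dump-dom http://11.22.33.44/stage.txt"},
    {"parent_process_name": "msedge.exe", "process_name": "msedge.exe", "dest": "11.22.33.45",
     "dest_hostname": "cdn.discordapp.com", "process_arguments": "msedge.exe --type=utility",
     "parent_process_arguments": "msedge.exe --headless --dump-dom https://cdn.discordapp.com/x"},
    {"parent_process_name": "chrome.exe", "process_name": "chrome.exe", "dest": "11.22.33.46",
     "dest_hostname": "intranet.example.invalid", "process_arguments": "chrome.exe --type=utility",
     "parent_process_arguments": "chrome.exe --headless --dump-dom https://intranet.example.invalid/r"},
    {"parent_process_name": "explorer.exe", "process_name": "chrome.exe", "dest": "11.22.33.45",
     "dest_hostname": "cdn.discordapp.com", "process_arguments": "chrome.exe",
     "parent_process_arguments": "explorer.exe"},   # interactive browsing, no headless flags
]

if __name__ == "__main__":
    for hit in detect_headless_download(SAMPLE_FLOWS):
        print(hit["dest"], hit["dest_hostname"] or "(direct IP)", "direct_ip_match =", hit["direct_ip_match"])
```

The third flow shows the intended negative case: a headless `--dump-dom` run against an internal hostname is not reported, because neither the hostname list nor the command-line IP matches the destination. The regex only recognises dotted IPv4 literals, so a URL with an IPv6 host or a decimal/octal IP form is not extracted; that limitation is inherited from the query.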
Cisco NVM - Suspicious Network Connection From Process With No Args
This analytic detects system binaries that are commonly abused in process injection techniques but are observed without any command-line arguments. It leverages Cisco Network Visibility Module (NVM) flow data and process arguments to identify outbound connections initiated by these binaries. Binaries such as `rundll32.exe`, `regsvr32.exe`, `dllhost.exe`, `svchost.exe`, and others are legitimate Windows processes that are often injected into by malware or post-exploitation frameworks (e.g., Cobalt Strike) to hide execution. When these processes are seen initiating a network connection with an empty or missing command line, it can indicate potential injection and communication with a command and control server.
Show query
`cisco_network_visibility_module_flowdata`
process_name IN (
"backgroundtaskhost.exe", "svchost.exe", "dllhost.exe", "werfault.exe",
"searchprotocolhost.exe", "wuauclt.exe", "spoolsv.exe", "rundll32.exe",
"regasm.exe", "regsvr32.exe", "regsvcs.exe"
)
NOT process_arguments="*"
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_from_process_with_no_args_filter`
Cisco NVM - Suspicious Network Connection Initiated via MsXsl
This analytic identifies the use of `msxsl.exe` initiating a network connection to a non-private IP address. Although `msxsl.exe` is a legitimate Microsoft utility used to apply XSLT transformations, adversaries can abuse it to execute arbitrary code or load external resources in an evasive manner. This detection leverages Cisco NVM telemetry to identify potentially malicious use of `msxsl.exe` making network connections that may indicate command and control (C2) or data exfiltration activity.
Show query
`cisco_network_visibility_module_flowdata`
process_name = "msxsl.exe"
NOT dest IN (
"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
"127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
"192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
"192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
"198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_initiated_via_msxsl_filter`
Cisco NVM - Suspicious Network Connection to IP Lookup Service API
This analytic identifies non-browser processes reaching out to public IP lookup or geolocation services, such as `ipinfo.io`, `icanhazip.com`, `ip-api.com`, and others. These domains are commonly used by legitimate tools, but their usage outside of browsers may indicate network reconnaissance, virtual machine detection, or staging by malware. This activity is observed in post-exploitation frameworks, stealer malware, and advanced threat actor campaigns. The detection relies on Cisco Network Visibility Module (NVM) telemetry and excludes known browser processes to reduce noise.
Show query
`cisco_network_visibility_module_flowdata`
dest_hostname IN (
"*api.2ip.ua*", "*api.bigdatacloud.net*", "*api.ipify.org*", "*whatismyipaddress.com*",
"*canireachthe.net*", "*checkip.amazonaws.com*", "*checkip.dyndns.org*", "*curlmyip.com*",
"*db-ip.com*", "*edns.ip-api.com*", "*eth0.me*", "*freegeoip.app*", "*geoipy.com*", "*getip.pro*",
"*icanhazip.com*", "*ident.me*", "*ifconfig.io*", "*ifconfig.me*", "*ip-api.com*", "*ip.360.cn*",
"*ip.anysrc.net*", "*ip.taobao.com*", "*ip.tyk.nu*", "*ipaddressworld.com*", "*ipapi.co*",
"*ipconfig.io*", "*ipecho.net*", "*ipinfo.io*", "*ipip.net*", "*iplocation.net*",
"*ipof.in*", "*ipv6-test.com*", "*ipwho.is*", "*trackip.net*", "*inet-ip.info*",
"*jsonip.com*", "*myexternalip.com*", "*seeip.org*", "*wgetip.com*",
"*whatismyip.akamai.com*", "*whois.pconline.com.cn*", "*wtfismyip.com*", "*ip.cn"
)
NOT process_name IN (
"brave.exe", "chrome.exe", "firefox.exe", "iexplore.exe", "maxthon.exe",
"MicrosoftEdge.exe", "msedge.exe", "msedgewebview2.exe", "opera.exe", "safari.exe",
"seamonkey.exe", "vivaldi.exe", "whale.exe"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___suspicious_network_connection_to_ip_lookup_service_api_filter`
Cisco NVM - Webserver Download From File Sharing Website
This analytic detects unexpected outbound network connections initiated by known webserver processes such as `httpd.exe`, `nginx.exe`, or `tomcat.exe` to common file sharing or public content hosting services like GitHub, Discord CDN, Transfer.sh, or Pastebin.
Webservers are rarely expected to perform outbound downloads, especially to dynamic or anonymous file hosting domains. This behavior is often associated with server compromise,
where an attacker uses a reverse shell, webshell, or injected task to fetch malware or tools post-exploitation.
The detection leverages Cisco Network Visibility Module flow data, enriched with process context, to identify this highly suspicious behavior.
Show query
`cisco_network_visibility_module_flowdata`
process_name IN (
"http*.exe", "nginx*.exe", "php*.exe", "php-cgi*.exe", "tomcat*.exe"
)
dest_hostname IN (
"*.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*",
"*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*",
"*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*",
"*paste.ee*", "*pastebin.*", "*pastetext.net*", "*privatlab.*",
"*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*",
"*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*",
"*ufile.io*", "*w3spaces.com*", "*workers.dev*"
)
| stats count min(_time) as firstTime max(_time) as lastTime
values(parent_process_arguments) as parent_process_arguments
values(process_arguments) as process_arguments
values(parent_process_hash) as parent_process_hash
values(process_hash) as process_hash
values(module_name_list) as module_name_list
values(module_hash_list) as module_hash_list
values(dest_port) as dest_port
values(aliul) as additional_logged_in_users_list
values(dest_hostname) as dest_hostname
by src dest parent_process_path parent_process_integrity_level process_path process_name process_integrity_level process_id transport
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table
parent_process_integrity_level parent_process_path parent_process_arguments parent_process_hash
process_integrity_level process_path process_name process_arguments process_hash process_id
additional_logged_in_users_list module_name_list module_hash_list
src dest_hostname dest dest_port transport firstTime lastTime
| `cisco_nvm___webserver_download_from_file_sharing_website_filter`
Cisco Network Interface Modifications
This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.
Show query
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*interface*")
OR
(All_Changes.command="*LINEPROTO-5-UPDOWN*")
OR
(All_Changes.command="*ip address*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_network_interface_modifications_filter`
Cisco Privileged Account Creation with HTTP Command Execution
This analytic correlates risk events between privileged account creation on Cisco IOS devices and HTTP requests to privileged execution paths such as `/level/15/exec/-/*`.
APT actors have been observed creating privileged accounts and then running commands on routers via HTTP GET or POST requests that target privileged execution paths.
These requests allow attackers to execute commands with the highest privilege level (15) on Cisco devices without requiring interactive SSH access.
This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and "Privileged Command Execution via HTTP" Snort detections fire for the same network device.
This behavior indicates an attacker leveraging the newly created account to execute commands remotely via HTTP.
Show query
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - Privileged Command Execution via HTTP*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 2
| `cisco_privileged_account_creation_with_http_command_execution_filter`
Cisco Privileged Account Creation with Suspicious SSH Activity
This analytic correlates risk events to detect privileged account creation on Cisco IOS devices followed by inbound SSH connections to non-standard ports or to sshd_operns.
This correlation identifies when both "Cisco IOS Suspicious Privileged Account Creation" and SSH-related Snort detections ("SSH Connection to sshd_operns" or "SSH Connection to Non-Standard Port") fire for the same network device.
This behavior is highly indicative of persistence establishment following initial compromise.
Show query
| tstats `security_content_summariesonly`
min(_time) as firstTime
max(_time) as lastTime
sum(All_Risk.calculated_risk_score) as risk_score
count(All_Risk.calculated_risk_score) as risk_event_count
values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id
dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count
values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id
dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count
values(All_Risk.tag) as tag
values(source) as source
dc(source) as source_count
values(contributing_events_search)
values(All_Risk.threat_object)
from datamodel=Risk.All_Risk where
source IN (
"*Cisco IOS Suspicious Privileged Account Creation*",
"*Cisco Secure Firewall - SSH Connection to sshd_operns*",
"*Cisco Secure Firewall - SSH Connection to Non-Standard Port*"
)
by All_Risk.normalized_risk_object
| `drop_dm_object_name(All_Risk)`
| eval has_account_creation=if(
match(source, "Cisco IOS Suspicious Privileged Account Creation"),
1, 0
)
| eval has_ssh_detection=if(
match(source, "SSH Connection to sshd_operns")
OR
match(source, "SSH Connection to Non-Standard Port"),
1, 0
)
| where has_account_creation=1
AND
has_ssh_detection=1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_privileged_account_creation_with_suspicious_ssh_activity_filter`
Cisco SA - Access to Anonymizer Services
This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
Show query
`cisco_secure_access_dns` action = "allowed" category= "*anonymizer*" | fillnull | stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_sa___access_to_anonymizer_services_filter`
Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry.
A high volume of HTTP client errors (401, 403, 404, etc.) across many unique URLs in a short window is consistent with the directory and file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder.
Detecting this pattern helps identify pre-exploitation scanning activity, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.
Show query
`cisco_secure_access_proxy` | eval src_ip=coalesce(src_ip, src) | eval host=coalesce(hostname, host) | eval user=coalesce(user, identities) | eval status=tonumber(status) | eval domain=replace(url, "^https?://([^/]+).*$", "\\1") | eval user_agent=coalesce(http_user_agent, user_agent) | where status IN (400, 401, 403, 404, 405, 407, 414, 429, 431) | bucket _time span=10m | stats count as errors dc(url) as unique_urls values(status) as statuses values(user_agent) as user_agent values(host) as host values(user) as user by src_ip domain _time | where errors > 100 AND unique_urls > 50 | eval firstTime=_time, lastTime=_time | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter`
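The windowed error-and-URL counting of the search above, as an added Python example that is not part of this catalogue or of Cisco's content; the proxy records are constructed, and the addresses, hostname and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Status codes, domain regex and window size taken from the search above.
ERROR_STATUSES = {400, 401, 403, 404, 405, 407, 414, 429, 431}
DOMAIN_RE = re.compile(r"^https?://([^/]+).*$")
WINDOW = 600  # seconds; the equivalent of `bucket _time span=10m`


def domain_of(url):
    """Equivalent of the replace() that strips scheme and path from the URL."""
    m = DOMAIN_RE.match(url)
    return m.group(1) if m else url


def find_recon(records, min_errors=100, min_unique_urls=50):
    """records: dicts with _time (epoch seconds), src_ip, url, status, user_agent.
    One finding per (src_ip, domain, 10-minute window) that exceeds both thresholds."""
    buckets = defaultdict(lambda: {"errors": 0, "urls": set(), "statuses": set(), "agents": set()})
    for r in records:
        try:
            status = int(r["status"])
        except (TypeError, ValueError):
            continue  # unparsable status, like tonumber() yielding null
        if status not in ERROR_STATUSES:
            continue
        window = int(r["_time"]) // WINDOW * WINDOW
        b = buckets[(r["src_ip"], domain_of(r["url"]), window)]
        b["errors"] += 1
        b["urls"].add(r["url"])
        b["statuses"].add(status)
        b["agents"].add(r.get("user_agent", ""))
    findings = []
    for (src_ip, domain, window), b in sorted(buckets.items()):
        if b["errors"] > min_errors and len(b["urls"]) > min_unique_urls:
            findings.append({
                "src_ip": src_ip, "domain": domain, "window_start": window,
                "errors": b["errors"], "unique_urls": len(b["urls"]),
                "statuses": sorted(b["statuses"]), "user_agents": sorted(b["agents"]),
            })
    return findings


# Constructed proxy records (addresses, host and timestamps are assumptions).
T0 = 1_699_999_800  # a 10-minute boundary
HOST = "https://intranet.example.com"


def _rec(t, src_ip, url, status, ua="python-requests/2.31"):
    return {"_time": t, "src_ip": src_ip, "url": url, "status": status, "user_agent": ua}


SAMPLE_PROXY = (
    # 120 distinct paths probed within two minutes: the enumeration pattern
    [_rec(T0 + i, "10.0.0.5", f"{HOST}/admin{i}", 403 if i % 7 == 0 else 404) for i in range(120)]
    # 160 probes straddling a window boundary: 80 per bucket, so under threshold in each
    + [_rec(T0 + 280 + 4 * i, "10.0.0.6", f"{HOST}/backup{i}", 404) for i in range(160)]
    # 130 failed logins to one URL: many errors but a single unique URL
    + [_rec(T0 + i, "10.0.0.7", f"{HOST}/login", 401, "Mozilla/5.0") for i in range(130)]
    # successful traffic is ignored entirely
    + [_rec(T0 + i, "10.0.0.8", f"{HOST}/page{i}", 200, "Mozilla/5.0") for i in range(200)]
)

if __name__ == "__main__":
    for finding in find_recon(SAMPLE_PROXY):
        print(finding)
```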
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity
This analytic detects exploitation attempts targeting Cisco Catalyst SD-WAN Manager.
It leverages the "serviceproxy_access.log" and identifies source-host combinations that perform all key stages of the exploitation, as reported in public POCs, within a short period: authentication/config collection (`.dca`), upload actions (`uploadAck`), and payload-style access (`.gz/*`).
The behavior can indicate attempted exploitation activity associated with Cisco Catalyst SD-WAN Manager vulnerabilities CVE-2026-20122 (Arbitrary File Overwrite) and CVE-2026-20128 (Information Disclosure).
Show query
`cisco_sd_wan_service_proxy_access`
| rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
| rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
| eval
http_response_code = tonumber(http_response_code),
bytes_in = tonumber(bytes_in),
bytes_out = tonumber(bytes_out),
duration = tonumber(duration),
upstream_service_time = if(upstream_service_time="-", null(), tonumber(upstream_service_time)),
status = http_response_code,
bytes = bytes_in + bytes_out,
http_user_agent_length = len(http_user_agent)
| search (
( http_method="POST"
uri IN (
"*/dataservice/smartLicensing/uploadAck*"
)
)
OR (
http_method="GET"
uri="*/reports/data/opt/data/containers/config/data-collection-agent/.dca*"
)
OR (uri="*.gz/*")
)
| eval uri_sequence_steps = case(
match(uri, ".*/\.dca"), "auth",
match(uri, ".*/uploadAck"), "upload",
match(uri, ".*\.gz/.*"), "payload",
true(), "other"
)
| bin _time span=1m
| stats
dc(uri_sequence_steps) as unique_uri_sequence_steps
values(uri) as uri
values(http_method) as http_method
values(http_user_agent) as http_user_agent
min(_time) as firstTime
max(_time) as lastTime
by src dest _time
| where unique_uri_sequence_steps >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort 0 - firstTime
| `cisco_sd_wan___arbitrary_file_overwrite_exploitation_activity_filter`
Cisco SD-WAN - Low Frequency Rogue Peer
This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events whose new state is "up" ("new-state:up").
It extracts "peer-type" and "peer-system-ip", groups events by these two fields, and counts how often each combination appears within the selected time window.
Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare.
Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values.
Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts.
Findings might indicate the potential exploitation of CVE-2026-20127.
Note that the threshold is set to "3", but it is highly recommended that this be adapted to the environment before deploying this search.
Show query
`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*new-state:up*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"
| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
| eval dest=coalesce(prefix_host, legacy_host, device_name, host)
| rex field=_raw "new-state:(?<new_state>\S+)"
| rex field=_raw "peer-type:(?<peer_type>\S+)"
| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"
| rex field=_raw "public-ip:(?<public_ip>\S+)"
| rex field=_raw "public-port:(?<public_port>\d+)"
| where isnotnull(peer_type) AND isnotnull(peer_system_ip)
| stats count
values(dest) as dest
values(public_ip) as public_ips
values(public_port) as public_ports
by peer_type peer_system_ip
| where count <= 3
| sort 0 count asc
| table dest peer_type peer_system_ip public_ips
public_ports count
| `cisco_sd_wan___low_frequency_rogue_peer_filter`
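The field extraction and rarity logic of the rogue-peer search above, which the peering-activity search that follows shares, as an added Python example that is not part of this catalogue or of Cisco's content; the syslog lines are constructed, and the host names, addresses and message layout are assumptions.

```python
import re
from collections import Counter, defaultdict

# Extractors mirroring the rex stages of the SD-WAN peering searches
# (Python named-group syntax in place of SPL's).
PREFIX_HOST_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)"
    r"(?P<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
)
FIELD_RES = {
    "new_state": re.compile(r"new-state:(\S+)"),
    "peer_type": re.compile(r"peer-type:(\S+)"),
    "peer_system_ip": re.compile(r"peer-system-ip:(\S+)"),
    "public_ip": re.compile(r"public-ip:(\S+)"),
    "public_port": re.compile(r"public-port:(\d+)"),
}


def parse_event(line):
    """Triage fields for one control-connection-state-change line, or None when
    the line is not such an event or lacks peer-type / peer-system-ip."""
    if "control-connection-state-change" not in line:
        return None
    fields = {}
    for name, rx in FIELD_RES.items():
        m = rx.search(line)
        fields[name] = m.group(1) if m else None
    # Same gate as `where isnotnull(peer_type) AND isnotnull(peer_system_ip)`
    if fields["peer_type"] is None or fields["peer_system_ip"] is None:
        return None
    m = PREFIX_HOST_RE.match(line)
    fields["dest"] = m.group("prefix_host") if m else None
    return fields


def rare_peers(lines, threshold=3):
    """Count new-state:up events per (peer_type, peer_system_ip) and return the
    combinations seen at most `threshold` times, rarest first."""
    counts = Counter()
    dests, ips, ports = defaultdict(set), defaultdict(set), defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["new_state"] != "up":
            continue
        key = (ev["peer_type"], ev["peer_system_ip"])
        counts[key] += 1
        if ev["dest"]:
            dests[key].add(ev["dest"])
        if ev["public_ip"]:
            ips[key].add(ev["public_ip"])
        if ev["public_port"]:
            ports[key].add(ev["public_port"])
    return [
        {"peer_type": pt, "peer_system_ip": pip, "count": n,
         "dest": sorted(dests[(pt, pip)]), "public_ips": sorted(ips[(pt, pip)]),
         "public_ports": sorted(ports[(pt, pip)])}
        for (pt, pip), n in sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
        if n <= threshold
    ]


# Constructed sample lines (hosts, addresses and message layout are assumptions).
def _line(host, minute, peer_type, peer_ip, pub_ip, pub_port, state):
    return (f"Jan 12 10:{minute:02d}:05 {host} vdaemon[1204]: "
            f"%Viptela-{host}-vdaemon-6-INFO-1400002: Notification: "
            f"control-connection-state-change severity-level:minor "
            f'host-name:"{host}" system-ip:10.1.1.1 personality:vedge '
            f"peer-type:{peer_type} peer-system-ip:{peer_ip} "
            f"public-ip:{pub_ip} public-port:{pub_port} new-state:{state}")


SAMPLE_SYSLOG = (
    [_line("vedge01", m, "vsmart", "10.0.0.2", "203.0.113.10", 12346, "up") for m in range(5)]
    + [_line("vedge01", m, "vbond", "10.0.0.1", "203.0.113.5", 12346, "up") for m in range(10, 14)]
    + [_line("vedge02", 20, "vmanage", "10.99.99.99", "198.51.100.7", 12446, "up"),
       _line("vedge02", 21, "vmanage", "10.99.99.99", "198.51.100.7", 12446, "down"),
       # malformed line without peer-system-ip; dropped like the isnotnull() filter
       "Jan 12 10:30:05 vedge02 vdaemon[1204]: %Viptela-vedge02-vdaemon-6-INFO-1400002: "
       "Notification: control-connection-state-change peer-type:vsmart new-state:up"]
)

if __name__ == "__main__":
    for hit in rare_peers(SAMPLE_SYSLOG):
        print(hit)
```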
Cisco SD-WAN - Peering Activity
This analytic detects Cisco SD-WAN `control-connection-state-change` events where a control connection transitions.
It extracts and highlights key triage fields including `peer-type`, `peer-system-ip`, `public-ip`, and `public-port`.
Analysts should manually validate whether the `peer-system-ip` matches the expected SD-WAN addressing schema and
device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or
planned changes), and whether the `public-ip` is an expected source for control peering in the environment.
Treat `peer-type:vmanage` events with higher scrutiny, especially when peer or source IP values are previously
unseen.
Show query
`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
TERM("*new-state:up*")
| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"
| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
| eval dest=coalesce(prefix_host, legacy_host, device_name, host)
| rex field=_raw "new-state:(?<new_state>\S+)"
| rex field=_raw "peer-type:(?<peer_type>\S+)"
| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"
| rex field=_raw "public-ip:(?<public_ip>\S+)"
| rex field=_raw "public-port:(?<public_port>\d+)"
| where isnotnull(peer_type) AND isnotnull(peer_system_ip)
| stats count max(event_timestamp) as event_time
values(public_ip) as public_ips
values(public_port) as public_ports
by peer_type peer_system_ip dest new_state
| table event_time dest peer_type peer_system_ip
public_ips public_ports count
| `cisco_sd_wan___peering_activity_filter`
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity
This hunting search is designed to surface source IP activity using uncommon HTTP user-agents across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs.
It looks for source and user-agent combinations that access more than one distinct URI, then keeps only low-volume behavior (`requests<=50`) to reduce noise from normal high-volume traffic.
Use this hunt to pivot on `http_user_agent` and `src` and identify possible automation, scripted reconnaissance, or exploitation attempts.
Show query
`cisco_sd_wan_service_proxy_access`
| rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
| rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
| bin _time span=5m
| stats count as requests
min(_time) as firstTime
max(_time) as lastTime
values(uri) as uri
dc(uri) as uri_count
by src http_user_agent
| where requests<=50 AND uri_count>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort 0 +requests
| `cisco_sd_wan___uncommon_user_agent_multi_uri_activity_filter`
Cisco SNMP Community String Configuration Changes
This analytic detects changes to SNMP community strings on Cisco devices, which could indicate an attacker establishing persistence or attempting to extract credentials. After gaining initial access to network devices, threat actors like Static Tundra often modify SNMP configurations to enable unauthorized monitoring and data collection. This detection specifically looks for the configuration of SNMP community strings with read-write (rw) or read-only (ro) permissions, as well as the configuration of SNMP hosts that may be used to exfiltrate data. These activities are particularly concerning as they may represent attempts to establish persistent access or extract sensitive information from compromised devices.
Show query
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
(All_Changes.command="*snmp-server community*rw*")
OR
(All_Changes.command="*snmp-server community*ro*")
OR
(All_Changes.command="*snmp-server host*")
)
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_snmp_community_string_configuration_changes_filter`
Cisco Secure Firewall - Binary File Type Download
The following analytic detects file downloads involving executable, archive, or scripting-related file types that are commonly used in malware delivery.
These file types include formats like PE executables, shell scripts, autorun files, installers, and known testing samples such as EICAR.
This detection leverages Cisco Secure Firewall Threat Defense logs and enriches the results using a filetype lookup to provide context.
If confirmed malicious, these downloads could indicate the initial infection vector, malware staging, or scripting abuse.
Show query
`cisco_secure_firewall` EventType=FileEvent FileDirection="Download"
FileType IN ("ISHIELD_MSI", "BINHEX", "BINARY_DATA", "ELF", "MACHO", "JARPACK", "TORRENT", "AUTORUN", "EICAR", "LNK", "SCR", "UNIX_SCRIPT")
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
values(uri) as uri
values(ClientApplication) as ClientApplication
values(file_hash) as file_hash
values(SHA_Disposition) as SHA_Disposition
by FileDirection FileType src dest app file_name ThreatName dest_port Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication SHA_Disposition ThreatName
| `cisco_secure_firewall___binary_file_type_download_filter`
Showing 201-250 of 2,088