Skip to content

Commit 8076bd0

Browse files
committed
updating as per contentctl ng requirements
1 parent 0780ff8 commit 8076bd0

6 files changed

Lines changed: 70 additions & 57 deletions

data_sources/cisco_secure_access_dns.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
name: Cisco Secure Access DNS
22
id: 5673dba3-cae9-449e-8991-03832d79f729
33
version: 1
4-
date: '2026-05-06'
4+
creation_date: '2026-05-06'
5+
modification_date: '2026-05-06'
56
author: Bhavin Patel, Splunk
67
description: |
78
Captures DNS security events from Cisco Secure Access (including Umbrella-style DNS policy and roaming client telemetry) with client identity, query and response metadata, resolved domain, and URL/content categorization.

data_sources/cisco_secure_access_proxy.yml

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
name: Cisco Secure Access Proxy
22
id: 2dc95ec2-8964-4ddb-8714-8d7dfe264922
33
version: 1
4-
date: '2026-05-08'
4+
creation_date: '2026-05-08'
5+
modification_date: '2026-05-08'
56
author: Bhavin Patel, Splunk
67
description: |
78
Captures HTTP/HTTPS proxy access events from Cisco Secure Access, including requesting source, user identity, URL, HTTP method, response status, and user-agent metadata.
Lines changed: 23 additions & 21 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
name: Cisco SA - Access to Anonymizer Services
22
id: a7c8613a-92e2-4232-b64d-bd39d33dee8b
33
version: 1
4-
date: '2026-05-06'
4+
creation_date: '2026-05-06'
5+
modification_date: '2026-05-06'
56
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
67
status: production
78
type: Anomaly
@@ -12,7 +13,7 @@ description: |
1213
Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses) when categories indicate anonymizer or proxy-evasion infrastructure.
1314
data_source:
1415
- Cisco Secure Access DNS
15-
search: |
16+
search: |-
1617
`cisco_secure_access_dns`
1718
action = "allowed" category= "*anonymizer*"
1819
| fillnull
@@ -36,29 +37,30 @@ drilldown_searches:
3637
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
3738
earliest_offset: 7d
3839
latest_offset: "0"
39-
rba:
40-
message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
41-
risk_objects:
42-
- field: src_ip
43-
type: system
40+
intermediate_findings:
41+
entities:
42+
- field: user
43+
type: user
4444
score: 20
45-
threat_objects:
46-
- field: domain
47-
type: domain
48-
tags:
49-
analytic_story:
50-
- Cisco Secure Access Analytics
51-
asset_type: Endpoint
52-
mitre_attack_id:
53-
- T1090.003
54-
product:
55-
- Splunk Enterprise
56-
- Splunk Enterprise Security
57-
- Splunk Cloud
58-
security_domain: network
45+
message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
46+
threat_objects:
47+
- field: domain
48+
type: domain
49+
analytic_story:
50+
- Cisco Secure Access Analytics
51+
asset_type: Endpoint
52+
mitre_attack_id:
53+
- T1090.003
54+
product:
55+
- Splunk Enterprise
56+
- Splunk Enterprise Security
57+
- Splunk Cloud
58+
category: network
59+
security_domain: network
5960
tests:
6061
- name: True Positive Test - DNS telemetry
6162
attack_data:
6263
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/dns/anonymizer_dns.log
6364
source: not_applicable
6465
sourcetype: cisco:cloud_security:dns
66+
test_type: unit
Lines changed: 29 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,8 @@
11
name: Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
22
id: 4cd44520-d404-4ca8-b736-c9d6b86ecf31
3-
version: 1
4-
date: '2026-05-08'
3+
version: 2
4+
creation_date: '2026-05-08'
5+
modification_date: '2026-05-13'
56
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
67
status: production
78
type: Anomaly
@@ -12,7 +13,7 @@ description: |
1213
Activity is mapped to MITRE ATT&CK T1595 (Active Scanning).
1314
data_source:
1415
- Cisco Secure Access Proxy
15-
search: |
16+
search: |-
1617
`cisco_secure_access_proxy`
1718
| eval src_ip=coalesce(src_ip, src)
1819
| eval host=coalesce(hostname, host)
@@ -37,37 +38,39 @@ known_false_positives: |
3738
references:
3839
- https://attack.mitre.org/techniques/T1595/
3940
drilldown_searches:
40-
- name: View the detection results for source $src_ip$ and domain $domain$
41-
search: '%original_detection_search% | search src_ip = "$src_ip$" domain = "$domain$"'
41+
- name: View the detection results for - "$src_ip$"
42+
search: '%original_detection_search% | search src_ip = "$src_ip$"'
4243
earliest_offset: $info_min_time$
4344
latest_offset: $info_max_time$
44-
- name: View risk events for the last 7 days for $src_ip$
45+
- name: View risk events for the last 7 days for - "$src_ip$"
4546
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
4647
earliest_offset: 7d
4748
latest_offset: "0"
48-
rba:
49-
message: Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs.
50-
risk_objects:
51-
- field: src_ip
52-
type: system
53-
score: 70
54-
threat_objects:
55-
- field: domain
56-
type: domain
57-
tags:
58-
analytic_story:
59-
- Cisco Secure Access Analytics
60-
asset_type: Endpoint
61-
mitre_attack_id:
62-
- T1595
63-
product:
64-
- Splunk Enterprise
65-
- Splunk Enterprise Security
66-
- Splunk Cloud
67-
security_domain: network
49+
intermediate_findings:
50+
entities:
51+
- field: user
52+
type: user
53+
score: 20
54+
message: Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs.
55+
threat_objects:
56+
- field: domain
57+
type: domain
58+
analytic_story:
59+
- Cisco Secure Access Analytics
60+
asset_type: Endpoint
61+
mitre_attack_id:
62+
- T1595
63+
product:
64+
- Splunk Enterprise
65+
- Splunk Enterprise Security
66+
- Splunk Cloud
67+
category: network
68+
security_domain: threat
6869
tests:
6970
- name: Cisco Secure Access Proxy True Positive Test
7071
attack_data:
7172
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
7273
source: cisco_cloud_security_addon
7374
sourcetype: cisco:cloud_security:proxy
75+
description: This test scenario covers true positive activity, simulating a high error count reconnaissance from a single src_ip against a domain. Review the filter macro to tune this detection for your environment.
76+
test_type: unit

macros/cisco_secure_access_dns.yml

Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,8 @@
1-
definition: sourcetype="cisco:cloud_security:dns"
2-
description: |
3-
Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access DNS telemetry from the Splunk Add-on for Cisco Security Cloud.
4-
Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:dns` sourcetype.
51
name: cisco_secure_access_dns
2+
id: 3955995e-60b7-4e42-8177-70367d363902
3+
version: 1
4+
creation_date: '2026-06-03'
5+
modification_date: '2026-06-03'
6+
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
7+
description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
8+
definition: sourcetype="cisco:cloud_security:dns"
Lines changed: 7 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,8 @@
1-
definition: sourcetype="cisco:cloud_security:proxy"
2-
description: |
3-
Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access proxy telemetry from the Splunk Add-on for Cisco Security Cloud.
4-
Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:proxy` sourcetype.
51
name: cisco_secure_access_proxy
2+
id: e2e2d95c-2c4b-439d-ab6d-ff89dd811e7c
3+
version: 1
4+
creation_date: '2026-06-03'
5+
modification_date: '2026-06-03'
6+
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
7+
description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
8+
definition: sourcetype="cisco:cloud_security:proxy"

0 commit comments

Comments
 (0)