You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: data_sources/cisco_secure_access_dns.yml
+2-1Lines changed: 2 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -1,7 +1,8 @@
1
1
name: Cisco Secure Access DNS
2
2
id: 5673dba3-cae9-449e-8991-03832d79f729
3
3
version: 1
4
-
date: '2026-05-06'
4
+
creation_date: '2026-05-06'
5
+
modification_date: '2026-05-06'
5
6
author: Bhavin Patel, Splunk
6
7
description: |
7
8
Captures DNS security events from Cisco Secure Access (including Umbrella-style DNS policy and roaming client telemetry) with client identity, query and response metadata, resolved domain, and URL/content categorization.
Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses) when categories indicate anonymizer or proxy-evasion infrastructure.
13
14
data_source:
14
15
- Cisco Secure Access DNS
15
-
search: |
16
+
search: |-
16
17
`cisco_secure_access_dns`
17
18
action = "allowed" category= "*anonymizer*"
18
19
| fillnull
@@ -36,29 +37,30 @@ drilldown_searches:
36
37
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
37
38
earliest_offset: 7d
38
39
latest_offset: "0"
39
-
rba:
40
-
message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
41
-
risk_objects:
42
-
- field: src_ip
43
-
type: system
40
+
intermediate_findings:
41
+
entities:
42
+
- field: user
43
+
type: user
44
44
score: 20
45
-
threat_objects:
46
-
- field: domain
47
-
type: domain
48
-
tags:
49
-
analytic_story:
50
-
- Cisco Secure Access Analytics
51
-
asset_type: Endpoint
52
-
mitre_attack_id:
53
-
- T1090.003
54
-
product:
55
-
- Splunk Enterprise
56
-
- Splunk Enterprise Security
57
-
- Splunk Cloud
58
-
security_domain: network
45
+
message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
- name: View risk events for the last 7 days for $src_ip$
45
+
- name: View risk events for the last 7 days for - "$src_ip$"
45
46
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
46
47
earliest_offset: 7d
47
48
latest_offset: "0"
48
-
rba:
49
-
message: Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs.
50
-
risk_objects:
51
-
- field: src_ip
52
-
type: system
53
-
score: 70
54
-
threat_objects:
55
-
- field: domain
56
-
type: domain
57
-
tags:
58
-
analytic_story:
59
-
- Cisco Secure Access Analytics
60
-
asset_type: Endpoint
61
-
mitre_attack_id:
62
-
- T1595
63
-
product:
64
-
- Splunk Enterprise
65
-
- Splunk Enterprise Security
66
-
- Splunk Cloud
67
-
security_domain: network
49
+
intermediate_findings:
50
+
entities:
51
+
- field: user
52
+
type: user
53
+
score: 20
54
+
message: Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs.
55
+
threat_objects:
56
+
- field: domain
57
+
type: domain
58
+
analytic_story:
59
+
- Cisco Secure Access Analytics
60
+
asset_type: Endpoint
61
+
mitre_attack_id:
62
+
- T1595
63
+
product:
64
+
- Splunk Enterprise
65
+
- Splunk Enterprise Security
66
+
- Splunk Cloud
67
+
category: network
68
+
security_domain: threat
68
69
tests:
69
70
- name: Cisco Secure Access Proxy True Positive Test
description: This test scenario covers true positive activity, simulating a high error count reconnaissance from a single src_ip against a domain. Review the filter macro to tune this detection for your environment.
Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access DNS telemetry from the Splunk Add-on for Cisco Security Cloud.
4
-
Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:dns` sourcetype.
5
1
name: cisco_secure_access_dns
2
+
id: 3955995e-60b7-4e42-8177-70367d363902
3
+
version: 1
4
+
creation_date: '2026-06-03'
5
+
modification_date: '2026-06-03'
6
+
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
7
+
description: Customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access proxy telemetry from the Splunk Add-on for Cisco Security Cloud.
4
-
Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:proxy` sourcetype.
5
1
name: cisco_secure_access_proxy
2
+
id: e2e2d95c-2c4b-439d-ab6d-ff89dd811e7c
3
+
version: 1
4
+
creation_date: '2026-06-03'
5
+
modification_date: '2026-06-03'
6
+
author: Mahamudul Chowdhury, Bhavin Patel, Splunk
7
+
description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
0 commit comments