diff --git a/contentctl.yml b/contentctl.yml index 7b46211ee6..5aa9402db4 100644 --- a/contentctl.yml +++ b/contentctl.yml @@ -47,6 +47,12 @@ apps: version: 3.6.3 description: description of app hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_363.tgz +- uid: 7569 + title: Cisco Secure Access Add-on for Splunk + appid: TA-cisco-cloud-security-addon + version: 1.0.50 + description: description of app + hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-secure-access-add-on-for-splunk_1050.tar.gz - uid: 6652 title: Add-on for Linux Sysmon appid: Splunk_TA_linux_sysmon diff --git a/data_sources/cisco_secure_access_firewall.yml b/data_sources/cisco_secure_access_firewall.yml new file mode 100644 index 0000000000..4c93bd3945 --- /dev/null +++ b/data_sources/cisco_secure_access_firewall.yml @@ -0,0 +1,48 @@ +name: Cisco Secure Access Firewall +id: 5dc07487-f834-4850-b6a7-4cc09e56549b +version: 1 +date: '2026-02-25' +author: Bhavin Patel, Splunk +description: Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure. +source: cisco_secure_access:firewall +sourcetype: cisco:cloud_security:firewall +supported_TA: +- name: Cisco Secure Access Add-on for Splunk + url: https://splunkbase.splunk.com/app/7569 + version: 1.0.48 +fields: +- _time +- action +- app +- bytes_in +- bytes_out +- datacenter +- dest +- dest_ip +- dest_port +- direction +- duration +- dvc +- identity +- identity_type +- packets_in +- packets_out +- protocol +- protocol_version +- rule_id +- session_id +- src +- src_ip +- src_port +- transport +- tunnel_id +- user +- vendor_product +output_fields: +- dest_ip +- dest_port +- src_ip +- user +- action +example_log: '"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD + Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"' diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml index 8510fac50b..05d68402c4 100644 --- a/detections/network/detect_large_icmp_traffic.yml +++ b/detections/network/detect_large_icmp_traffic.yml @@ -1,7 +1,7 @@ name: Detect Large ICMP Traffic id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8 version: 5 -date: '2026-03-23' +date: '2026-03-25' author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk status: production type: TTP @@ -11,6 +11,7 @@ description: | If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation. data_source: - Palo Alto Network Traffic + - Cisco Secure Access Firewall search: |- | tstats `security_content_summariesonly` count earliest(_time) as firstTime @@ -25,20 +26,17 @@ search: |- OR All_Traffic.transport=icmp ) - NOT All_Traffic.dest_ip IN ( - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", - "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", - "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", - "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" + NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks` + OR All_Traffic.dest IN `non_public_ip_blocks` ) - - by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol + by All_Traffic.src_ip All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.protocol All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol_version All_Traffic.src_port All_Traffic.user All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")` + | rename dest as dest_ip + | rename src as src_ip | iplocation dest_ip | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` @@ -86,3 +84,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log sourcetype: pan:traffic source: not_applicable + - name: Cisco Secure Access Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/large_icmp.log + source: cisco_cloud_security_addon + sourcetype: cisco:cloud_security:firewall diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index 13e88b2961..1094384a71 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -1,7 +1,7 @@ name: Detect Outbound LDAP Traffic id: 5e06e262-d7cd-4216-b2f8-27b437e18458 version: 11 -date: '2026-03-23' +date: '2026-03-25' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting @@ -20,12 +20,8 @@ search: |- 389, 636 ) - NOT All_Traffic.dest_ip IN ( - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", - "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", - "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", - "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" + NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks` + OR All_Traffic.dest IN `non_public_ip_blocks` ) by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest @@ -34,7 +30,7 @@ search: |- All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule | `drop_dm_object_name("All_Traffic")` - | where src_ip != dest_ip + | where src_ip != dest_ip OR src != dest | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_outbound_ldap_traffic_filter` @@ -70,3 +66,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log source: not_applicable sourcetype: cisco:sfw:estreamer + - name: Cisco Secure Access Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/ldap.log + source: cisco_cloud_security_addon + sourcetype: cisco:cloud_security:firewall diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 82903c3932..e379835ac1 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml @@ -16,18 +16,10 @@ search: | values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where - All_Traffic.action IN ("allowed", "allow") AND - (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") - AND All_Traffic.src_ip IN ( - "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16" - ) - AND NOT All_Traffic.dest_ip IN ( - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", - "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", - "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", - "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" - ) + All_Traffic.action IN ("allowed", "allow") + AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") + AND (All_Traffic.src_ip IN `non_public_ip_blocks` OR All_Traffic.src IN `non_public_ip_blocks`) + AND NOT (All_Traffic.dest_ip IN `non_public_ip_blocks` OR All_Traffic.dest IN `non_public_ip_blocks`) by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port @@ -35,6 +27,8 @@ search: | | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` + | rename dest as dest_ip + | rename src as src_ip | iplocation dest_ip | `detect_outbound_smb_traffic_filter` how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. @@ -78,3 +72,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log source: not_applicable sourcetype: cisco:sfw:estreamer + - name: Cisco Secure Access Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/smb.log + source: cisco_cloud_security_addon + sourcetype: cisco:cloud_security:firewall diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml index 87f7729874..f65fcdc9b1 100644 --- a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml +++ b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml @@ -1,7 +1,7 @@ name: Windows Remote Desktop Network Bruteforce Attempt id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-29' author: Jose Hernandez, Bhavin Patel, Splunk status: production type: Anomaly @@ -69,3 +69,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog + - name: Cisco Secure Access Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/rdp_brute_force.log + source: cisco_cloud_security_addon + sourcetype: cisco:cloud_security:firewall diff --git a/macros/non_public_ip_blocks.yml b/macros/non_public_ip_blocks.yml new file mode 100644 index 0000000000..e07b9a515e --- /dev/null +++ b/macros/non_public_ip_blocks.yml @@ -0,0 +1,8 @@ +definition: ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", + "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1") +description: customer specific splunk configurations to normalized Windows Event Log System 7036 to recover actual services execution. + Replace the macro definition with configurations for your Splunk Environment. +name: non_public_ip_blocks \ No newline at end of file diff --git a/stories/cisco_secure_access_analytics.yml b/stories/cisco_secure_access_analytics.yml new file mode 100644 index 0000000000..f09b44460f --- /dev/null +++ b/stories/cisco_secure_access_analytics.yml @@ -0,0 +1,24 @@ +name: Cisco Secure Access Analytics +id: 5ba62cae-0757-497c-9226-771e3bf37eb8 +version: 1 +date: '2026-02-25' +author: Bhavin Patel, Splunk +status: production +description: | + This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access. + The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials. + These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways. +narrative: | + Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location. + It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform. + This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration. +references: +- https://www.cisco.com/site/us/en/products/security/secure-access/index.html +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection