Secure Access/ Umbrella firewall Detections

contentctl.yml

@@ -47,6 +47,12 @@ apps:
   version: 3.6.3
   description: description of app
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-security-cloud_363.tgz
+- uid: 7569
+  title: Cisco Secure Access Add-on for Splunk
+  appid: TA-cisco-cloud-security-addon
+  version: 1.0.50
+  description: description of app
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/cisco-secure-access-add-on-for-splunk_1050.tar.gz
 - uid: 6652
   title: Add-on for Linux Sysmon
   appid: Splunk_TA_linux_sysmon

data_sources/cisco_secure_access_firewall.yml

@@ -0,0 +1,48 @@
+name: Cisco Secure Access Firewall
+id: 5dc07487-f834-4850-b6a7-4cc09e56549b
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+description: Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure.
+source: cisco_secure_access:firewall
+sourcetype: cisco:cloud_security:firewall
+supported_TA:
+- name: Cisco Secure Access Add-on for Splunk
+  url: https://splunkbase.splunk.com/app/7569
+  version: 1.0.48
+fields:
+- _time
+- action
+- app
+- bytes_in
+- bytes_out
+- datacenter
+- dest
+- dest_ip
+- dest_port
+- direction
+- duration
+- dvc
+- identity
+- identity_type
+- packets_in
+- packets_out
+- protocol
+- protocol_version
+- rule_id
+- session_id
+- src
+- src_ip
+- src_port
+- transport
+- tunnel_id
+- user
+- vendor_product
+output_fields:
+- dest_ip
+- dest_port
+- src_ip
+- user
+- action
+example_log: '"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD
+  Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"'

detections/network/detect_large_icmp_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Large ICMP Traffic
 id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
 version: 5
-date: '2026-03-23'
+date: '2026-03-25'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -11,6 +11,7 @@ description: |
     If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
 data_source:
     - Palo Alto Network Traffic
+    - Cisco Secure Access Firewall
 search: |-
     | tstats `security_content_summariesonly`
               count earliest(_time) as firstTime
@@ -25,20 +26,17 @@ search: |-
         OR
         All_Traffic.transport=icmp
     )
-    NOT All_Traffic.dest_ip IN (
-            "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
-            "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
-            "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
-            "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
-            "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
+    NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks`
+    OR All_Traffic.dest IN `non_public_ip_blocks`
     )
-
-    by All_Traffic.src_ip All_Traffic.dest_ip All_Traffic.protocol
+    by All_Traffic.src_ip All_Traffic.src All_Traffic.dest_ip All_Traffic.dest All_Traffic.protocol
        All_Traffic.bytes All_Traffic.app All_Traffic.bytes_in
        All_Traffic.bytes_out All_Traffic.dest_port All_Traffic.dvc
        All_Traffic.protocol_version All_Traffic.src_port
        All_Traffic.user All_Traffic.vendor_product
     | `drop_dm_object_name("All_Traffic")`
+    | rename dest as dest_ip
+    | rename src as src_ip
     | iplocation dest_ip
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
@@ -86,3 +84,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log
           sourcetype: pan:traffic
           source: not_applicable
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/large_icmp.log
+          source: cisco_cloud_security_addon
+          sourcetype: cisco:cloud_security:firewall

detections/network/detect_outbound_ldap_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Outbound LDAP Traffic
 id: 5e06e262-d7cd-4216-b2f8-27b437e18458
 version: 11
-date: '2026-03-23'
+date: '2026-03-25'
 author: Bhavin Patel, Johan Bjerke, Splunk
 status: production
 type: Hunting
@@ -20,12 +20,8 @@ search: |-
         389,
         636
     )
-    NOT All_Traffic.dest_ip IN (
-            "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
-            "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
-            "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
-            "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
-            "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
+    NOT ( All_Traffic.dest_ip IN `non_public_ip_blocks`
+    OR All_Traffic.dest IN `non_public_ip_blocks`
     )
     by All_Traffic.action All_Traffic.app All_Traffic.bytes
        All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest
@@ -34,7 +30,7 @@ search: |-
        All_Traffic.src_ip All_Traffic.src_port All_Traffic.transport
        All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
     | `drop_dm_object_name("All_Traffic")`
-    | where src_ip != dest_ip
+    | where src_ip != dest_ip OR src != dest
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
     | `detect_outbound_ldap_traffic_filter`
@@ -70,3 +66,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
           source: not_applicable
           sourcetype: cisco:sfw:estreamer
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/ldap.log
+          source: cisco_cloud_security_addon
+          sourcetype: cisco:cloud_security:firewall

detections/network/detect_outbound_smb_traffic.yml

@@ -16,25 +16,19 @@ search: |
     values(All_Traffic.app) as app
     values(sourcetype) as sourcetype count
     from datamodel=Network_Traffic where
-      All_Traffic.action IN ("allowed", "allow") AND
-      (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
-    AND All_Traffic.src_ip IN (
-      "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"
-    )
-    AND NOT All_Traffic.dest_ip IN (
-    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
-    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
-    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
-    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
-    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
-    )
+      All_Traffic.action IN ("allowed", "allow")
+    AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
+    AND (All_Traffic.src_ip IN `non_public_ip_blocks` OR All_Traffic.src IN `non_public_ip_blocks`)
+    AND NOT (All_Traffic.dest_ip IN `non_public_ip_blocks` OR All_Traffic.dest IN `non_public_ip_blocks`)
     by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
     All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
     All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
     All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
     | `drop_dm_object_name("All_Traffic")`
     | `security_content_ctime(start_time)`
     | `security_content_ctime(end_time)`
+    | rename dest as dest_ip
+    | rename src as src_ip
     | iplocation dest_ip
     | `detect_outbound_smb_traffic_filter`
 how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.
@@ -78,3 +72,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
           source: not_applicable
           sourcetype: cisco:sfw:estreamer
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/smb.log
+          source: cisco_cloud_security_addon
+          sourcetype: cisco:cloud_security:firewall

detections/network/windows_remote_desktop_network_bruteforce_attempt.yml

@@ -1,7 +1,7 @@
 name: Windows Remote Desktop Network Bruteforce Attempt
 id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-29'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -69,3 +69,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
           source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
           sourcetype: XmlWinEventLog
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/rdp_brute_force.log
+          source: cisco_cloud_security_addon
+          sourcetype: cisco:cloud_security:firewall

macros/non_public_ip_blocks.yml

@@ -0,0 +1,8 @@
+definition: ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
+    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
+    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
+    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1")
+description: customer specific splunk configurations to normalized Windows Event Log System 7036 to recover actual services execution.
+  Replace the macro definition with configurations for your Splunk Environment.
+name: non_public_ip_blocks

stories/cisco_secure_access_analytics.yml

@@ -0,0 +1,24 @@
+name: Cisco Secure Access Analytics
+id: 5ba62cae-0757-497c-9226-771e3bf37eb8
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+status: production
+description: |
+  This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access.
+  The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials.
+  These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways.
+narrative: |
+  Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location.
+  It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform.
+  This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration.
+references:
+- https://www.cisco.com/site/us/en/products/security/secure-access/index.html
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection