From 3c9904cac40379984963b45485a319edfa92a296 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 28 Apr 2026 10:35:06 +0530 Subject: [PATCH 1/3] adding 1st detection and files --- ...co_secure_access_security_events_ravpn.yml | 147 ++++++++++++++++++ ...gh_authentication_failures_from_source.yml | 67 ++++++++ macros/cisco_secure_access_ravpn.yml | 3 + 3 files changed, 217 insertions(+) create mode 100644 data_sources/cisco_secure_access_security_events_ravpn.yml create mode 100644 detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml create mode 100644 macros/cisco_secure_access_ravpn.yml diff --git a/data_sources/cisco_secure_access_security_events_ravpn.yml b/data_sources/cisco_secure_access_security_events_ravpn.yml new file mode 100644 index 0000000000..9ad4669509 --- /dev/null +++ b/data_sources/cisco_secure_access_security_events_ravpn.yml 
@@ -0,0 +1,147 @@ +name: Cisco Secure Access RAVPN Security Events +id: f9ce1c6a-bf61-4a2b-91a6-3c59d837b1a8 +version: 1 +date: '2026-04-27' +author: Bhavin Patel, Splunk +description: Remote Access VPN (RAVPN) push security events from Cisco Secure Access, + including session metadata, tunnel statistics, endpoint posture, ASA syslog context, + and OCSF-aligned identifiers for correlation. +source: not_applicable +sourcetype: cisco:secure_access:security_events_ravpn +supported_TA: +- name: Cisco Secure Access Add-on for Splunk + url: https://splunkbase.splunk.com/app/7569 + version: 1.0.48 +fields: +- _time +- action +- activity_id +- app +- category_uid +- cisco_asa.full_log_print_specifiers +- cisco_asa.syslog_class +- cisco_asa.syslog_descriptor +- cisco_asa.syslog_id +- cisco_asa.syslog_id_with_version +- cisco_asa.syslog_severity +- cisco_dtls_ipsec_tunnel.bytes_received +- cisco_dtls_ipsec_tunnel.bytes_transmitted +- cisco_dtls_ipsec_tunnel.cipher_suite +- cisco_dtls_ipsec_tunnel.compression +- cisco_dtls_ipsec_tunnel.connection_timeout +- cisco_dtls_ipsec_tunnel.connection_timeout_left +- cisco_dtls_ipsec_tunnel.destination_port +- cisco_dtls_ipsec_tunnel.dh_group +- cisco_dtls_ipsec_tunnel.encapsulation +- cisco_dtls_ipsec_tunnel.encryption +- cisco_dtls_ipsec_tunnel.filter_name +- cisco_dtls_ipsec_tunnel.hashing +- cisco_dtls_ipsec_tunnel.id +- cisco_dtls_ipsec_tunnel.idle_timeout +- cisco_dtls_ipsec_tunnel.idle_timeout_left +- cisco_dtls_ipsec_tunnel.ipv6_filter_name +- cisco_dtls_ipsec_tunnel.local_selector +- cisco_dtls_ipsec_tunnel.packets_received +- cisco_dtls_ipsec_tunnel.packets_received_dropped +- cisco_dtls_ipsec_tunnel.packets_transmitted +- cisco_dtls_ipsec_tunnel.packets_transmitted_dropped +- cisco_dtls_ipsec_tunnel.pfs_group +- cisco_dtls_ipsec_tunnel.prf +- cisco_dtls_ipsec_tunnel.rekey_data +- cisco_dtls_ipsec_tunnel.rekey_data_left +- cisco_dtls_ipsec_tunnel.rekey_interval +- cisco_dtls_ipsec_tunnel.rekey_interval_left +- 
cisco_dtls_ipsec_tunnel.remote_selector +- cisco_dtls_ipsec_tunnel.source_port +- cisco_endpoint_posture.dap_connection_type +- cisco_endpoint_posture.dap_record_name +- cisco_event_id +- cisco_event_type +- cisco_organization_id +- cisco_origin.id +- cisco_origin.type +- cisco_ravpn_metadata.anyconnect_version +- cisco_ravpn_metadata.event_type +- cisco_ravpn_session.assigned_ip +- cisco_ravpn_session.assigned_ipv6 +- cisco_ravpn_session.audit_session_id +- cisco_ravpn_session.connected_at +- cisco_ravpn_session.disconnection_reason +- cisco_ravpn_session.duration +- cisco_ravpn_session.id +- cisco_ravpn_session.inactivity +- cisco_ravpn_session.public_ip +- cisco_ravpn_session.public_ipv6 +- cisco_ravpn_session.redirect_acl +- cisco_ravpn_session.redirect_url +- cisco_ravpn_session.security_group_tag +- cisco_ravpn_session.session_type +- cisco_ravpn_session.vpn_profile +- cisco_ravpn_session.warning_reason +- cisco_ssl_ike_tunnel.bytes_received +- cisco_ssl_ike_tunnel.bytes_transmitted +- cisco_ssl_ike_tunnel.cipher_suite +- cisco_ssl_ike_tunnel.compression +- cisco_ssl_ike_tunnel.connection_timeout +- cisco_ssl_ike_tunnel.connection_timeout_left +- cisco_ssl_ike_tunnel.destination_port +- cisco_ssl_ike_tunnel.dh_group +- cisco_ssl_ike_tunnel.encapsulation +- cisco_ssl_ike_tunnel.encryption +- cisco_ssl_ike_tunnel.filter_name +- cisco_ssl_ike_tunnel.hashing +- cisco_ssl_ike_tunnel.id +- cisco_ssl_ike_tunnel.idle_timeout +- cisco_ssl_ike_tunnel.idle_timeout_left +- cisco_ssl_ike_tunnel.ipv6_filter_name +- cisco_ssl_ike_tunnel.local_selector +- cisco_ssl_ike_tunnel.packets_received +- cisco_ssl_ike_tunnel.packets_received_dropped +- cisco_ssl_ike_tunnel.packets_transmitted +- cisco_ssl_ike_tunnel.packets_transmitted_dropped +- cisco_ssl_ike_tunnel.pfs_group +- cisco_ssl_ike_tunnel.prf +- cisco_ssl_ike_tunnel.rekey_data +- cisco_ssl_ike_tunnel.rekey_data_left +- cisco_ssl_ike_tunnel.rekey_interval +- cisco_ssl_ike_tunnel.rekey_interval_left +- 
cisco_ssl_ike_tunnel.remote_selector +- cisco_ssl_ike_tunnel.source_port +- class_uid +- cloud.region +- dest +- device.os.version +- eventtype +- extracted_source +- host +- index +- linecount +- metadata.product.name +- metadata.version +- policy.data.failed_reasons{} +- product +- punct +- severity_id +- signature +- source +- sourcetype +- splunk_server +- splunk_server_group +- src +- src_endpoint.name +- tag +- tag::action +- tag::eventtype +- time +- type +- type_uid +- user +- vendor +- vendor_product +output_fields: +- cisco_event_id +- cisco_event_type +- cisco_ravpn_session.public_ip +- cisco_ravpn_session.assigned_ip +example_log:| + {"activity_id":0,"category_uid":4,"cisco_asa":{"full_log_print_specifiers":"[\"\",\"\",\"\",\"\"]","syslog_class":"INFORMATION","syslog_descriptor":"AAA_RESULT_REJECT","syslog_id":"ASA-6-113005","syslog_id_with_version":"ASA-6-113005-0","syslog_severity":"6"},"cisco_dtls_ipsec_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"cisco_endpoint_posture":{"dap_connection_type":"","dap_record_name":""},"cisco_event_id":"002d2a48429b9ee68f03743d676acf20e39c411afe61e238378820fa2cb2e724","cisco_event_type":"ravpn","cisco_organization_id":8176184,"cisco_origin":{"id":0,"type":"UNKNOWN"},"cisco_ravpn_metadata":{"anyconnect_version":"","event_type":"FAILED"},"cisco_ravpn_session":{"assigned_ip":"","assigned_ipv6":"","audit_session_id":"","connected_at":0,"disconnection_reason":"","duration":"","id":"","inactivity":""
,"public_ip":"178.130.47.199","public_ipv6":"","redirect_acl":"","redirect_url":"","security_group_tag":"","session_type":"","vpn_profile":"","warning_reason":""},"cisco_ssl_ike_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"class_uid":4001,"cloud":{"region":"us-west-2"},"device":{"os":{"version":""}},"metadata":{"product":{"name":"ciscoSecureAccess"},"version":"1.6.0"},"policy":{"data":{"failed_reasons":["AUTHORIZATION-CHECK"]}},"severity_id":0,"src_endpoint":{"name":""},"time":1777301699000,"type_uid":400100} diff --git a/detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml b/detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml new file mode 100644 index 0000000000..dc19869b32 --- /dev/null +++ b/detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml 
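Review bot: The committed `example_log` carries what look like live tenant identifiers — a routable client address `178.130.47.199`, a concrete `cisco_organization_id` of 8176184 and a full `cisco_event_id` hash — which a public content repository should not retain if they were lifted from a real deployment. Replace the address with an RFC 5737 documentation value such as `"public_ip":"203.0.113.10"` and use an obviously synthetic org id before this lands. Note also that this sample is an `event_type` of `FAILED` whose `failed_reasons` is `AUTHORIZATION-CHECK`, which matters for how the paired detection interprets FAILED events.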
@@ -0,0 +1,67 @@ +name: Cisco Secure Access RAVPN - High Authentication Failures from Source +id: 4a39dfc3-2ab0-4620-8da9-18e6a6bad7b6 +version: 1 +date: '2026-04-27' +author: Bhavin Patel, Splunk +status: production +type: Anomaly +description: | + The following analytic detects a high volume of Cisco Secure Access RAVPN authentication failure events from the same client source within a five-minute window. It identifies events where AnyConnect or ASA AAA signals indicate a failed VPN authentication attempt—such as RAVPN metadata event type FAILED or ASA syslog descriptor AAA_RESULT_REJECT—and aggregates failure events per client public IP. This pattern may indicate password guessing, credential stuffing, or brute-force activity against remote access VPN. If confirmed malicious, an attacker may be attempting to obtain valid VPN credentials for initial access or persistence. +data_source: + - Cisco Secure Access RAVPN Security Events +search: |- + `cisco_secure_access_ravpn` (cisco_ravpn_metadata.event_type="FAILED" OR cisco_asa.syslog_descriptor="AAA_RESULT_REJECT") + | eval client_ip=coalesce('cisco_ravpn_session.public_ip', src) + | where isnotnull(client_ip) AND client_ip!="" + | bin _time span=5m + | stats count min(_time) as firstTime max(_time) as lastTime + values(cisco_event_id) as cisco_event_ids + values(cisco_asa.syslog_id) as cisco_asa_syslog_ids + values(cloud.region) as cloud_region + BY client_ip _time + | where count >= 10 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_secure_access_ravpn___high_authentication_failures_from_source_filter` +how_to_implement: | + Ingest Cisco Secure Access RAVPN push security events with sourcetype `cisco:secure_access:security_events_ravpn` using the Cisco Secure Access Add-on for Splunk (https://splunkbase.splunk.com/app/7569). This search uses the input macro `cisco_secure_access_ravpn`; replace it with your index, source, or sourcetype qualifiers as needed. 
A post-filter macro is included for tuning known false positives. Schedule the search every five minutes with a lookback of at least ten minutes so five-minute buckets are complete. +known_false_positives: | + Shared NAT egress, captive portals, misconfigured AnyConnect clients, or legitimate users repeatedly entering wrong passwords can produce bursts of failures. Tune the count threshold, exclude trusted egress IPs via the filter macro, or scope to specific VPN profiles or organizations if your deployment is noisy. +references: + - https://developer.cisco.com/docs/cloud-security/ravpn-push-security-events + - https://attack.mitre.org/techniques/T1110/ + - https://splunkbase.splunk.com/app/7569 +drilldown_searches: + - name: View the detection results for - "$client_ip$" + search: '%original_detection_search% | search client_ip = "$client_ip$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$client_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$client_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" +rba: + message: High volume of RAVPN authentication failures ($count$ events) observed from source $client_ip$ within a five-minute window. 
+ risk_objects: + - field: client_ip + type: system + score: 30 + threat_objects: [] +tags: + analytic_story: + - Compromised User Account + asset_type: Network + mitre_attack_id: + - T1110 + - T1110.001 + product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security + security_domain: access +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log + source: not_applicable + sourcetype: cisco:secure_access:security_events_ravpn diff --git a/macros/cisco_secure_access_ravpn.yml b/macros/cisco_secure_access_ravpn.yml new file mode 100644 index 0000000000..7f36dd6223 --- /dev/null +++ b/macros/cisco_secure_access_ravpn.yml @@ -0,0 +1,3 @@ +definition: sourcetype="cisco:secure_access:security_events_ravpn" +description: Customer-specific Splunk configurations (index, source, sourcetype, etc.) for Cisco Secure Access RAVPN security events. Replace the macro definition with configurations for your Splunk environment. +name: cisco_secure_access_ravpn From 3e040d77b6178451995aac3eb0148992d4dae9fa Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Tue, 28 Apr 2026 11:36:33 +0530 Subject: [PATCH 2/3] yaml failures --- ...ure_access_ravpn_push_security_events.yml} | 10 +++---- ...h_authentication_failures_from_source.yml} | 29 +++++++++---------- 2 files changed, 18 insertions(+), 21 deletions(-) rename data_sources/{cisco_secure_access_security_events_ravpn.yml => cisco_secure_access_ravpn_push_security_events.yml} (97%) rename detections/application/{cisco_secure_access_ravpn___high_authentication_failures_from_source.yml => ravpn___high_authentication_failures_from_source.yml} (72%) 
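Review bot: `eval client_ip=coalesce('cisco_ravpn_session.public_ip', src)` never falls back to `src`, because the add-on emits `public_ip` as an empty string rather than null (see the example event in the data source), so `coalesce` returns `""` and the following `where client_ip!=""` drops the event instead of using `src`. Use `| eval client_ip=coalesce(nullif('cisco_ravpn_session.public_ip',""), src)`. Separately, the `stats` line only counts; adding `dc(user) as distinct_users values(user) as users values('policy.data.failed_reasons{}') as failed_reasons` would let an analyst tell single-account brute force (T1110.001) from spraying across many accounts and from policy or posture rejections, all of which this query currently folds into one number — the sample event is a FAILED with `AUTHORIZATION-CHECK`, so FAILED appears to cover more than bad passwords.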
diff --git a/data_sources/cisco_secure_access_security_events_ravpn.yml b/data_sources/cisco_secure_access_ravpn_push_security_events.yml
similarity index 97%
rename from data_sources/cisco_secure_access_security_events_ravpn.yml
rename to data_sources/cisco_secure_access_ravpn_push_security_events.yml
index 9ad4669509..e804e289e9 100644
--- a/data_sources/cisco_secure_access_security_events_ravpn.yml
+++ b/data_sources/cisco_secure_access_ravpn_push_security_events.yml
@@ -1,4 +1,4 @@
-name: Cisco Secure Access RAVPN Security Events
+name: Cisco Secure Access RAVPN Push Security Events
 id: f9ce1c6a-bf61-4a2b-91a6-3c59d837b1a8
 version: 1
 date: '2026-04-27'
@@ -139,9 +139,7 @@ fields: - vendor - vendor_product output_fields: -- cisco_event_id -- cisco_event_type -- cisco_ravpn_session.public_ip -- cisco_ravpn_session.assigned_ip -example_log:| +- _time +- src_ip +example_log: | {"activity_id":0,"category_uid":4,"cisco_asa":{"full_log_print_specifiers":"[\"\",\"\",\"\",\"\"]","syslog_class":"INFORMATION","syslog_descriptor":"AAA_RESULT_REJECT","syslog_id":"ASA-6-113005","syslog_id_with_version":"ASA-6-113005-0","syslog_severity":"6"},"cisco_dtls_ipsec_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"cisco_endpoint_posture":{"dap_connection_type":"","dap_record_name":""},"cisco_event_id":"002d2a48429b9ee68f03743d676acf20e39c411afe61e238378820fa2cb2e724","cisco_event_type":"ravpn","cisco_organization_id":8176184,"cisco_origin":{"id":0,"type":"UNKNOWN"},"cisco_ravpn_metadata":{"anyconnect_version":"","event_type":"FAILED"},"cisco_ravpn_session":{"assigned_ip":"","assigned_ipv6":"","audit_session_id":"","connected_at":0,"disconnection_reason":"","duration":"","id":"","inactivity":"","public_ip":"178.130.47.199","public_ipv6":"","redirect_acl":"","redirect_url":"","security_group_tag":"","session_type":"","vpn_profile":"","warning_reason":""},"cisco_ssl_ike_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle
_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"class_uid":4001,"cloud":{"region":"us-west-2"},"device":{"os":{"version":""}},"metadata":{"product":{"name":"ciscoSecureAccess"},"version":"1.6.0"},"policy":{"data":{"failed_reasons":["AUTHORIZATION-CHECK"]}},"severity_id":0,"src_endpoint":{"name":""},"time":1777301699000,"type_uid":400100} diff --git a/detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml b/detections/application/ravpn___high_authentication_failures_from_source.yml similarity index 72% rename from detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml rename to detections/application/ravpn___high_authentication_failures_from_source.yml index dc19869b32..4f8a67977e 100644 --- a/detections/application/cisco_secure_access_ravpn___high_authentication_failures_from_source.yml +++ b/detections/application/ravpn___high_authentication_failures_from_source.yml @@ -1,4 +1,4 @@ -name: Cisco Secure Access RAVPN - High Authentication Failures from Source +name: RAVPN - High Authentication Failures from Source id: 4a39dfc3-2ab0-4620-8da9-18e6a6bad7b6 version: 1 date: '2026-04-27' 
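Review bot: `output_fields` now lists `src_ip`, but that name appears nowhere in `fields` for this sourcetype — it is derived by the detection's `eval` from `cisco_ravpn_session.public_ip` and `src`. If `output_fields` is meant to describe what the add-on itself emits, the raw fields `cisco_ravpn_session.public_ip` and `src` are the accurate entries; if it is meant to name the field the paired detection produces, a one-line comment saying so would stop the next reader from hunting for `src_ip` in the add-on's extractions.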
@@ -8,21 +8,21 @@ type: Anomaly description: | The following analytic detects a high volume of Cisco Secure Access RAVPN authentication failure events from the same client source within a five-minute window. It identifies events where AnyConnect or ASA AAA signals indicate a failed VPN authentication attempt—such as RAVPN metadata event type FAILED or ASA syslog descriptor AAA_RESULT_REJECT—and aggregates failure events per client public IP. This pattern may indicate password guessing, credential stuffing, or brute-force activity against remote access VPN. If confirmed malicious, an attacker may be attempting to obtain valid VPN credentials for initial access or persistence. data_source: - - Cisco Secure Access RAVPN Security Events + - Cisco Secure Access RAVPN Push Security Events search: |- `cisco_secure_access_ravpn` (cisco_ravpn_metadata.event_type="FAILED" OR cisco_asa.syslog_descriptor="AAA_RESULT_REJECT") - | eval client_ip=coalesce('cisco_ravpn_session.public_ip', src) - | where isnotnull(client_ip) AND client_ip!="" + | eval src_ip=coalesce('cisco_ravpn_session.public_ip', src) + | where isnotnull(src_ip) AND src_ip!="" | bin _time span=5m | stats count min(_time) as firstTime max(_time) as lastTime values(cisco_event_id) as cisco_event_ids values(cisco_asa.syslog_id) as cisco_asa_syslog_ids values(cloud.region) as cloud_region - BY client_ip _time + BY src_ip _time | where count >= 10 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_secure_access_ravpn___high_authentication_failures_from_source_filter` + | `ravpn___high_authentication_failures_from_source_filter` how_to_implement: | Ingest Cisco Secure Access RAVPN push security events with sourcetype `cisco:secure_access:security_events_ravpn` using the Cisco Secure Access Add-on for Splunk (https://splunkbase.splunk.com/app/7569). This search uses the input macro `cisco_secure_access_ravpn`; replace it with your index, source, or sourcetype qualifiers as needed. 
A post-filter macro is included for tuning known false positives. Schedule the search every five minutes with a lookback of at least ten minutes so five-minute buckets are complete. known_false_positives: | 
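Review bot: With `bin _time span=5m` and a fixed `count >= 10`, the five-minute bucket is a hard boundary, so ten failures split across 12:04 and 12:06 never trigger, and the `how_to_implement` advice of a ten-minute lookback every five minutes means each completed bucket is evaluated twice, producing duplicate findings for the same `src_ip` unless throttling is configured. Either document the throttle (suppress on `src_ip` for at least 10m) or state the intended search window as `earliest=-10m@m latest=-5m@m` so each bucket is scored exactly once. A sliding window via `streamstats time_window=5m count by src_ip` would close the boundary gap but changes the output shape, so that is a judgement call rather than a blocker.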
@@ -32,27 +32,26 @@ references: - https://attack.mitre.org/techniques/T1110/ - https://splunkbase.splunk.com/app/7569 drilldown_searches: - - name: View the detection results for - "$client_ip$" - search: '%original_detection_search% | search client_ip = "$client_ip$"' + - name: View the detection results for - "$src_ip$" + search: '%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$client_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$client_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + - name: View risk events for the last 7 days for - "$src_ip$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" rba: - message: High volume of RAVPN authentication failures ($count$ events) observed from source $client_ip$ within a five-minute window. + message: High volume of RAVPN authentication failures [$count$] events observed from source [$src_ip$] within a five-minute window. 
risk_objects: - - field: client_ip + - field: src_ip type: system - score: 30 + score: 20 threat_objects: [] tags: analytic_story: - Compromised User Account - asset_type: Network + asset_type: Identity mitre_attack_id: - - T1110 - T1110.001 product: - Splunk Enterprise From ec9e640003074f8488a322691c5eaa4f912b6fa0 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 11 Jun 2026 13:56:44 +0530 Subject: [PATCH 3/3] updating to ESCU 6 --- ...cure_access_ravpn_push_security_events.yml | 14 +++---- ...gh_authentication_failures_from_source.yml | 42 ++++++++++--------- dist/.gitkeep | 0 macros/cisco_secure_access_ravpn.yml | 9 +++- schemas/Baseline.schema.json | 18 +++++++- schemas/EventBasedDetection.schema.json | 18 +++++++- schemas/Playbook.schema.json | 17 +++++--- schemas/RemovedContent.schema.json | 24 ++++++++--- schemas/Story.schema.json | 4 ++ 9 files changed, 103 insertions(+), 43 deletions(-) delete mode 100644 dist/.gitkeep diff --git a/data_sources/cisco_secure_access_ravpn_push_security_events.yml b/data_sources/cisco_secure_access_ravpn_push_security_events.yml index e804e289e9..fec69f1e57 100644 --- a/data_sources/cisco_secure_access_ravpn_push_security_events.yml +++ b/data_sources/cisco_secure_access_ravpn_push_security_events.yml 
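Review bot: `asset_type` is switched to `Identity` while the risk object stays `field: src_ip` with `type: system`, so the finding is attributed to an external client address but classified as an identity asset; the two should agree. Since the entity is a public IP, `asset_type: Network` (the previous value) matches `type: system` better, or add a `user`-based risk object if the intent really is to score identities. Dropping the parent `T1110` while keeping `T1110.001` is fine, but because the search counts failures across all users from one source it is closer to T1110.003 (password spraying) whenever many distinct users are involved — worth a sentence in the description.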
@@ -1,17 +1,17 @@
 name: Cisco Secure Access RAVPN Push Security Events
 id: f9ce1c6a-bf61-4a2b-91a6-3c59d837b1a8
 version: 1
-date: '2026-04-27'
+creation_date: '2026-04-27'
+modification_date: '2026-04-27'
 author: Bhavin Patel, Splunk
-description: Remote Access VPN (RAVPN) push security events from Cisco Secure Access,
- including session metadata, tunnel statistics, endpoint posture, ASA syslog context,
- and OCSF-aligned identifiers for correlation.
+description: |
+ Remote Access VPN (RAVPN) push security events from Cisco Secure Access, including session metadata, tunnel statistics, endpoint posture, ASA syslog context, and OCSF-aligned identifiers for correlation.
 source: not_applicable
 sourcetype: cisco:secure_access:security_events_ravpn
 supported_TA:
-- name: Cisco Secure Access Add-on for Splunk
- url: https://splunkbase.splunk.com/app/7569
- version: 1.0.48
+ - name: Cisco Secure Access Add-on for Splunk
+ url: https://splunkbase.splunk.com/app/7569
+ version: 1.0.48
 fields:
 - _time
 - action
diff --git a/detections/application/ravpn___high_authentication_failures_from_source.yml b/detections/application/ravpn___high_authentication_failures_from_source.yml
index 4f8a67977e..26c047b310 100644
--- a/detections/application/ravpn___high_authentication_failures_from_source.yml
+++ b/detections/application/ravpn___high_authentication_failures_from_source.yml
@@ -1,7 +1,8 @@
 name: RAVPN - High Authentication Failures from Source
 id: 4a39dfc3-2ab0-4620-8da9-18e6a6bad7b6
 version: 1
-date: '2026-04-27'
+creation_date: '2026-04-27'
+modification_date: '2026-04-27'
 author: Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -32,35 +33,36 @@ references: - https://attack.mitre.org/techniques/T1110/ - https://splunkbase.splunk.com/app/7569 drilldown_searches: - - name: View the detection results for - "$src_ip$" - search: '%original_detection_search% | search src_ip = "$src_ip$"' + - name: View the detection results for $src_ip$ + search: '%original_detection_search% | search src_ip = $src_ip$' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ - - name: View risk events for the last 7 days for - "$src_ip$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + - name: View risk events for the last 7 days for $src_ip$ + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: 7d latest_offset: "0" -rba: - message: High volume of RAVPN authentication failures [$count$] events observed from source [$src_ip$] within a five-minute window. 
- risk_objects: +intermediate_findings: + entities: - field: src_ip type: system score: 20 - threat_objects: [] -tags: - analytic_story: - - Compromised User Account - asset_type: Identity - mitre_attack_id: - - T1110.001 - product: - - Splunk Enterprise - - Splunk Cloud - - Splunk Enterprise Security - security_domain: access + message: High volume of RAVPN authentication failures detected from source $src_ip$ within a five-minute window, which may indicate credential stuffing or brute-force activity. +threat_objects: [] +analytic_story: + - Compromised User Account +asset_type: Identity +mitre_attack_id: + - T1110.001 +product: + - Splunk Enterprise + - Splunk Cloud + - Splunk Enterprise Security +category: application +security_domain: access tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log source: not_applicable sourcetype: cisco:secure_access:security_events_ravpn + test_type: unit diff --git a/dist/.gitkeep b/dist/.gitkeep deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/macros/cisco_secure_access_ravpn.yml b/macros/cisco_secure_access_ravpn.yml index 7f36dd6223..a27039a671 100644 --- a/macros/cisco_secure_access_ravpn.yml +++ b/macros/cisco_secure_access_ravpn.yml 
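Review bot: The drilldown tokens lose their quotes (`| search src_ip = $src_ip$` and `normalized_risk_object IN ($src_ip$)`); that is harmless for IPv4, but if `src` ever carries an IPv6 address the unquoted `::` can be read by the SPL parser as `field::value`, and the previous revision (like most existing ESCU drilldowns) quoted the token. Keep `| search src_ip = "$src_ip$"` and `IN ("$src_ip$")`. The finding `message` also dropped `$count$`, the one number an analyst needs at a glance; if the new schema still substitutes tokens there, `High volume of RAVPN authentication failures ($count$ in five minutes) from source $src_ip$ ...` keeps it. The `dist/.gitkeep` deletion on this same line looks unrelated to the ESCU 6 migration and is probably a local build artifact slipping into the series.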
@@ -1,3 +1,8 @@ -definition: sourcetype="cisco:secure_access:security_events_ravpn" -description: Customer-specific Splunk configurations (index, source, sourcetype, etc.) for Cisco Secure Access RAVPN security events. Replace the macro definition with configurations for your Splunk environment. name: cisco_secure_access_ravpn +id: 0225c7e6-c52e-44fa-92c3-acd040015f69 +version: 1 +creation_date: '2026-06-03' +modification_date: '2026-06-03' +author: Mahamudul Chowdhury, Bhavin Patel, Splunk +description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment. +definition: sourcetype="cisco:secure_access:security_events_ravpn" diff --git a/schemas/Baseline.schema.json b/schemas/Baseline.schema.json index 015747f4cd..bad06964f4 100644 --- a/schemas/Baseline.schema.json +++ b/schemas/Baseline.schema.json @@ -184,7 +184,10 @@ "Cisco SD-WAN NTCE 1000001", "Cisco SD-WAN Service Proxy Access Logs", "Cisco Secure Access Analytics", + "Cisco Secure Access DNS", "Cisco Secure Access Firewall", + "Cisco Secure Access Proxy", + "Cisco Secure Access RAVPN Push Security Events", "Cisco Secure Firewall Threat Defense Analytics", "Cisco Secure Firewall Threat Defense Connection Event", "Cisco Secure Firewall Threat Defense File Event", @@ -707,6 +710,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", @@ -715,6 +719,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", 
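Review bot: The rewritten macro `description` regresses the wording the first commit had — `customer specific splunk configurations(eg- index, source, sourcetype)` loses the hyphen, capitalisation and the space before the parenthesis, and no longer says which data the macro selects. Suggest `description: Customer-specific Splunk configurations (index, source, sourcetype, etc.) for Cisco Secure Access RAVPN push security events. Replace the macro definition with configurations for your Splunk environment.` This is style only; the `definition` itself is unchanged.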
@@ -1231,8 +1238,8 @@ "94f6a1c9-aae7-46a4-9083-2bb1f5768ec4", "bac8a340-be64-4491-a0cc-0985cb227f5a", "234f9b7c-b53d-4f32-897b-b880a6c9ea7b", - "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "b877943f-0377-44f4-8477-f79db7f07c4d", + "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "54782d65-12f0-47a5-b4c1-b70ee23de6df", "e03ada14-0980-4107-aff1-7783b2b59bb1", "e7e3a525-7612-4d68-a5d3-c4649181b8af", @@ -1467,7 +1474,9 @@ "6326dbc4-444b-4c04-88f4-27e94d0327cb", "9ebe7901-7edf-45c0-b5c7-8366300919db", "8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4", + "5fabf878-7dd4-48d3-9995-408fac68e166", "069258f4-2162-46e9-9a25-c9c6c56150d2", + "4383bbd3-aa6c-49fd-a1a9-cf112c95982c", "815bef8b-bf91-4b67-be4c-abe4c2a94ccc", "42510244-5019-48fa-a0e5-66c3b76e6049", "9d04efee-eff5-4240-b8d2-07792b873608", @@ -2064,6 +2073,7 @@ "4c8db261-a58b-42a6-a866-0a294deedde4", "f0027655-25ef-47b0-acaf-3d83d106156c", "c75612b2-9de0-4d7c-879c-10d7b077072d", + "5696f417-30e5-4942-988d-0b9dcfe3a929", "d322cdd7-7d60-46e3-9111-648848da7c02", "a8568b10-9ab9-4140-a523-1c72e0176924", "33ca84bc-4259-4943-bd36-4655dc420932", @@ -2210,6 +2220,7 @@ "5bec4cc8-f41e-437b-b417-33ff60acf9af", "a0c1725f-abcd-40d6-baac-020f3cf94ecd", "d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec", + "3d9e332e-60c9-407a-af4c-a9ae43c4f1d0", "7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0", "a83ad6e8-6f24-4d7f-8f44-75f8ab742991", "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", @@ -2293,6 +2304,7 @@ "0315bdff-4178-47e9-81e4-f31a6d23f7e4", "736b4f53-f400-4c22-855d-1a6b5a551600", "114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0", + "3f452c87-25b5-47c0-81d8-01908df1b927", "183235ca-8e6c-422c-88c2-3aa28c4825d9", "b4ca838d-d013-4461-bf2c-f7132617b409", "0b79c06f-c788-44a2-8630-d69051f1123d", @@ -2746,6 +2758,7 @@ "453acf13-1dbd-47d7-b28a-172ce9228023", "da4f751a-020b-40d7-b9ff-d433b7799803", "14033063-ee04-4eaf-8f5d-ba07ca7a097c", + "14bd90b1-c3f3-4115-9861-cf0519a59654", "8bec51da-7a6d-4346-b941-51eca448c4b0", "1d958c61-09c6-4d9e-b26b-4130314e520e", "12e03af7-79f9-4f95-af48-d3f12f28a260", 
@@ -2795,8 +2808,9 @@ "96db2632-8417-4dbb-b8bb-a8b92ba391de", "a50d5a97-2531-499e-a1de-5544c74432c6", "6cd715aa-20ac-4be1-a8f1-dda7bae160bd", - "44a4bedf-ffe3-452e-bee4-6925ab125662", + "50859b3b-b088-4c7b-973d-03a0365a9bf9", "16f6374f-7600-459a-9b16-6a88fd96d310", + "44a4bedf-ffe3-452e-bee4-6925ab125662", "e9584f82-322c-474a-b831-940fd8b4455c", "e6f36545-dc1e-47f0-9f48-7f730f54a02e", "52778a8f-a10b-41a4-9eae-52ddb74072bf", diff --git a/schemas/EventBasedDetection.schema.json b/schemas/EventBasedDetection.schema.json index a5ea1e4619..42fcfd0ce4 100644 --- a/schemas/EventBasedDetection.schema.json +++ b/schemas/EventBasedDetection.schema.json @@ -193,7 +193,10 @@ "Cisco SD-WAN NTCE 1000001", "Cisco SD-WAN Service Proxy Access Logs", "Cisco Secure Access Analytics", + "Cisco Secure Access DNS", "Cisco Secure Access Firewall", + "Cisco Secure Access Proxy", + "Cisco Secure Access RAVPN Push Security Events", "Cisco Secure Firewall Threat Defense Analytics", "Cisco Secure Firewall Threat Defense Connection Event", "Cisco Secure Firewall Threat Defense File Event", @@ -748,6 +751,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", @@ -756,6 +760,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", @@ -1316,8 +1323,8 @@ "94f6a1c9-aae7-46a4-9083-2bb1f5768ec4", "bac8a340-be64-4491-a0cc-0985cb227f5a", "234f9b7c-b53d-4f32-897b-b880a6c9ea7b", - "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "b877943f-0377-44f4-8477-f79db7f07c4d", + "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "54782d65-12f0-47a5-b4c1-b70ee23de6df", "e03ada14-0980-4107-aff1-7783b2b59bb1", "e7e3a525-7612-4d68-a5d3-c4649181b8af", 
@@ -1552,7 +1559,9 @@ "6326dbc4-444b-4c04-88f4-27e94d0327cb", "9ebe7901-7edf-45c0-b5c7-8366300919db", "8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4", + "5fabf878-7dd4-48d3-9995-408fac68e166", "069258f4-2162-46e9-9a25-c9c6c56150d2", + "4383bbd3-aa6c-49fd-a1a9-cf112c95982c", "815bef8b-bf91-4b67-be4c-abe4c2a94ccc", "42510244-5019-48fa-a0e5-66c3b76e6049", "9d04efee-eff5-4240-b8d2-07792b873608", @@ -2149,6 +2158,7 @@ "4c8db261-a58b-42a6-a866-0a294deedde4", "f0027655-25ef-47b0-acaf-3d83d106156c", "c75612b2-9de0-4d7c-879c-10d7b077072d", + "5696f417-30e5-4942-988d-0b9dcfe3a929", "d322cdd7-7d60-46e3-9111-648848da7c02", "a8568b10-9ab9-4140-a523-1c72e0176924", "33ca84bc-4259-4943-bd36-4655dc420932", @@ -2295,6 +2305,7 @@ "5bec4cc8-f41e-437b-b417-33ff60acf9af", "a0c1725f-abcd-40d6-baac-020f3cf94ecd", "d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec", + "3d9e332e-60c9-407a-af4c-a9ae43c4f1d0", "7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0", "a83ad6e8-6f24-4d7f-8f44-75f8ab742991", "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", @@ -2378,6 +2389,7 @@ "0315bdff-4178-47e9-81e4-f31a6d23f7e4", "736b4f53-f400-4c22-855d-1a6b5a551600", "114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0", + "3f452c87-25b5-47c0-81d8-01908df1b927", "183235ca-8e6c-422c-88c2-3aa28c4825d9", "b4ca838d-d013-4461-bf2c-f7132617b409", "0b79c06f-c788-44a2-8630-d69051f1123d", @@ -2831,6 +2843,7 @@ "453acf13-1dbd-47d7-b28a-172ce9228023", "da4f751a-020b-40d7-b9ff-d433b7799803", "14033063-ee04-4eaf-8f5d-ba07ca7a097c", + "14bd90b1-c3f3-4115-9861-cf0519a59654", "8bec51da-7a6d-4346-b941-51eca448c4b0", "1d958c61-09c6-4d9e-b26b-4130314e520e", "12e03af7-79f9-4f95-af48-d3f12f28a260", 
@@ -2880,8 +2893,9 @@ "96db2632-8417-4dbb-b8bb-a8b92ba391de", "a50d5a97-2531-499e-a1de-5544c74432c6", "6cd715aa-20ac-4be1-a8f1-dda7bae160bd", - "44a4bedf-ffe3-452e-bee4-6925ab125662", + "50859b3b-b088-4c7b-973d-03a0365a9bf9", "16f6374f-7600-459a-9b16-6a88fd96d310", + "44a4bedf-ffe3-452e-bee4-6925ab125662", "e9584f82-322c-474a-b831-940fd8b4455c", "e6f36545-dc1e-47f0-9f48-7f730f54a02e", "52778a8f-a10b-41a4-9eae-52ddb74072bf", diff --git a/schemas/Playbook.schema.json b/schemas/Playbook.schema.json index aa4da253b5..a266397606 100644 --- a/schemas/Playbook.schema.json +++ b/schemas/Playbook.schema.json @@ -360,7 +360,6 @@ "Amazon EKS Kubernetes cluster scan detection", "Anomalous usage of 7zip", "Attacker Tools On Endpoint", - "Attempt To Add Certificate To Untrusted Store", "Auto Admin Logon Registry Entry", "Azure AD Admin Consent Bypassed by Service Principal", "Azure AD Application Administrator Role Assigned", @@ -417,7 +416,6 @@ "BITSAdmin Download File", "Batch File Write to System32", "Bcdedit Command Back To Normal Mode Boot", - "CHCP Command Execution", "CMD Carry Out String Command Parameter", "CMD Echo Pipe - Escalation", "CMLUA Or CMSTPLUA UAC Bypass", 
@@ -459,7 +457,16 @@ "Cisco Duo Policy Skip 2FA for Other Countries", "Cisco Duo Set User Status to Bypass 2FA", "Cisco IOS Suspicious Privileged Account Creation", + "Cisco IOS XE Guestshell Activation and Destroy", "Cisco IOS XE Implant Access", + "Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal", + "Cisco IOS XE Reconnaissance Command Activity", + "Cisco IOS XE Remote Access Probe Burst", + "Cisco IOS XE Request Platform Package Describe Shell Pattern", + "Cisco IOS XE Tunnel Interface Configuration", + "Cisco IOS XE VTY Access Class Tampering", + "Cisco IOS XE WebUI Login From IOSd Local Port", + "Cisco IOS XE WebUI Programmatic Configuration", "Cisco Isovalent - Access To Cloud Metadata Service", "Cisco Isovalent - Cron Job Creation", "Cisco Isovalent - Curl Execution With Insecure Flags", @@ -487,6 +494,8 @@ "Cisco Network Interface Modifications", "Cisco Privileged Account Creation with HTTP Command Execution", "Cisco Privileged Account Creation with Suspicious SSH Activity", + "Cisco SA - Access to Anonymizer Services", + "Cisco SA - Automated Web Reconnaissance via HTTP Access Errors", "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "Cisco SD-WAN - Low Frequency Rogue Peer", "Cisco SD-WAN - Peering Activity", @@ -897,7 +906,6 @@ "Ivanti EPM SQL Injection Remote Code Execution", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", - "Ivanti Sentry Authentication Bypass", "Ivanti VTM New Account Creation", "Java Class File download by Java User Agent", "Java Writing JSP File", 
@@ -1350,11 +1358,11 @@ "Process Kill Base On File Path", "Process Writing DynamicWrapperX", "Processes Tapping Keyboard Events", - "Processes launching netsh", "Prohibited Network Traffic Allowed", "Protocol or Port Mismatch", "Protocols passing authentication in cleartext", "ProxyShell ProxyNotShell Behavior Detected", + "RAVPN - High Authentication Failures from Source", "Randomly Generated Scheduled Task Name", "Randomly Generated Windows Service Name", "Ransomware Notes bulk creation", @@ -1410,7 +1418,6 @@ "SQL Injection with Long URLs", "SSL Certificates with Punycode", "Samsam Test File Write", - "Sc exe Manipulating Windows Services", "SchCache Change By App Connect And Create ADSI Object", "Schedule Task with HTTP Command Arguments", "Schedule Task with Rundll32 Command Trigger", diff --git a/schemas/RemovedContent.schema.json b/schemas/RemovedContent.schema.json index da74df0347..ee6ca32d7a 100644 --- a/schemas/RemovedContent.schema.json +++ b/schemas/RemovedContent.schema.json @@ -212,7 +212,6 @@ "AsyncRAT", "Atlassian Confluence Server and Data Center CVE-2022-26134", "Attacker Tools On Endpoint", - "Attempt To Add Certificate To Untrusted Store", "Attribute Lookup Dispatch", "Auto Admin Logon Registry Entry", "Automated Enrichment", @@ -337,7 +336,6 @@ "Bro x509", "Browser Hijacking", "Brute Ratel C4", - "CHCP Command Execution", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-277A", 
@@ -403,8 +401,17 @@ "Cisco Duo Suspicious Activity", "Cisco IOS Logs", "Cisco IOS Suspicious Privileged Account Creation", + "Cisco IOS XE Guestshell Activation and Destroy", "Cisco IOS XE Implant Access", + "Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal", + "Cisco IOS XE Reconnaissance Command Activity", + "Cisco IOS XE Remote Access Probe Burst", + "Cisco IOS XE Request Platform Package Describe Shell Pattern", "Cisco IOS XE Software Web Management User Interface vulnerability", + "Cisco IOS XE Tunnel Interface Configuration", + "Cisco IOS XE VTY Access Class Tampering", + "Cisco IOS XE WebUI Login From IOSd Local Port", + "Cisco IOS XE WebUI Programmatic Configuration", "Cisco Isovalent - Access To Cloud Metadata Service", "Cisco Isovalent - Cron Job Creation", "Cisco Isovalent - Curl Execution With Insecure Flags", @@ -439,6 +446,8 @@ "Cisco Network Visibility Module OSquery", "Cisco Privileged Account Creation with HTTP Command Execution", "Cisco Privileged Account Creation with Suspicious SSH Activity", + "Cisco SA - Access to Anonymizer Services", + "Cisco SA - Automated Web Reconnaissance via HTTP Access Errors", "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "Cisco SD-WAN - Low Frequency Rogue Peer", "Cisco SD-WAN - Peering Activity", @@ -447,7 +456,10 @@ "Cisco SD-WAN Service Proxy Access Logs", "Cisco SNMP Community String Configuration Changes", "Cisco Secure Access Analytics", + "Cisco Secure Access DNS", "Cisco Secure Access Firewall", + "Cisco Secure Access Proxy", + "Cisco Secure Access RAVPN Push Security Events", "Cisco Secure Firewall - Binary File Type Download", "Cisco Secure Firewall - Bits Network Activity", "Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint", 
@@ -989,7 +1001,6 @@ "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "Ivanti EPMM Remote Unauthenticated Access", - "Ivanti Sentry Authentication Bypass", "Ivanti Sentry Authentication Bypass CVE-2023-38035", "Ivanti VTM Audit", "Ivanti VTM New Account Creation", @@ -1601,7 +1612,6 @@ "Process Kill Base On File Path", "Process Writing DynamicWrapperX", "Processes Tapping Keyboard Events", - "Processes launching netsh", "Prohibited Network Traffic Allowed", "Prohibited Traffic Allowed or Protocol Mismatch", "PromptFlux", @@ -1614,6 +1624,7 @@ "Qakbot", "Quasar RAT", "QuietVault", + "RAVPN - High Authentication Failures from Source", "RMM Software Tracking", "Randomly Generated Scheduled Task Name", "Randomly Generated Windows Service Name", @@ -1700,7 +1711,6 @@ "SamSam Ransomware", "Samsam Test File Write", "Sandworm Tools", - "Sc exe Manipulating Windows Services", "Scattered Lapsus$ Hunters", "Scattered Spider", "SchCache Change By App Connect And Create ADSI Object", @@ -2907,6 +2917,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", @@ -2915,6 +2926,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", diff --git a/schemas/Story.schema.json b/schemas/Story.schema.json index 74eb40bd23..cd12db70f9 100644 --- a/schemas/Story.schema.json +++ b/schemas/Story.schema.json @@ -49,6 +49,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", 
@@ -57,6 +58,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup",