From b48ee5e3802ad2a8079b0c8f3b8da3ef77dd107d Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Tue, 2 Jun 2026 14:21:39 +0100 Subject: [PATCH 1/5] first batch --- ...s_xe_guestshell_activation_and_destroy.yml | 102 +++++++++++++++++ .../cisco_ios_xe_log_clearing_sequence.yml | 88 +++++++++++++++ ...ios_xe_reconnaissance_command_activity.yml | 103 ++++++++++++++++++ ...cisco_ios_xe_remote_access_probe_burst.yml | 85 +++++++++++++++ ...latform_package_describe_shell_pattern.yml | 70 ++++++++++++ ..._ios_xe_tunnel_interface_configuration.yml | 93 ++++++++++++++++ ...isco_ios_xe_vty_access_class_tampering.yml | 95 ++++++++++++++++ ...sco_ios_xe_webui_login_localport_21111.yml | 78 +++++++++++++ ...os_xe_webui_programmatic_configuration.yml | 63 +++++++++++ macros/cisco_ios.yml | 8 ++ 10 files changed, 785 insertions(+) create mode 100644 detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml create mode 100644 detections/network/cisco_ios_xe_log_clearing_sequence.yml create mode 100644 detections/network/cisco_ios_xe_reconnaissance_command_activity.yml create mode 100644 detections/network/cisco_ios_xe_remote_access_probe_burst.yml create mode 100644 detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml create mode 100644 detections/network/cisco_ios_xe_tunnel_interface_configuration.yml create mode 100644 detections/network/cisco_ios_xe_vty_access_class_tampering.yml create mode 100644 detections/network/cisco_ios_xe_webui_login_localport_21111.yml create mode 100644 detections/network/cisco_ios_xe_webui_programmatic_configuration.yml create mode 100644 macros/cisco_ios.yml diff --git a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml new file mode 100644 index 0000000000..804d122481 --- /dev/null +++ b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml 
@@ -0,0 +1,102 @@ +name: Cisco IOS XE Guestshell Activation and Destroy +id: ff82a536-8fde-4963-a801-815826fcdf75 +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects Cisco IOS-XE guestshell enable activity followed by activation and destroy lifecycle logs. + The detection focuses on HA_EM command logging for "guestshell enable" and "guestshell destroy", VMAN activation and destroy messages, and IM/IOX guestshell activation logs observed on some IOS-XE images. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("HA_EM", "VMAN", "IM", "AAA") + mnemonic IN ("LOG", "ACTIVATION_STATE", "IOX_INST_INFO", "INSTALL_STATE", "AAA_ACCOUNTING_MESSAGE") + message_text IN ( + "*guestshell enable*", + "*guestshell destroy*", + "*Successfully activated virtual service 'guestshell*", + "*IOX SERVICE guestshell*", + "*Destroying virtual service 'guestshell*", + "*Successfully destroyed virtual service 'guestshell*" + ) + | eval dest=coalesce(host, dvc, dest, "unknown") + | eval event_type=case( + like(message_text, "%guestshell enable%"), "guestshell_enable_command", + like(message_text, "%guestshell destroy%"), "guestshell_destroy_command", + like(message_text, "%Successfully activated virtual service 'guestshell%"), "vman_guestshell_activated", + like(message_text, "%IOX SERVICE guestshell%"), "im_iox_guestshell_activated", + like(message_text, "%Destroying virtual service 'guestshell%"), "vman_guestshell_destroying", + like(message_text, "%Successfully destroyed virtual service 'guestshell%"), "vman_guestshell_destroyed", + true(), "other" + ) + | bin _time span=30m + | stats count min(_time) as firstTime + max(_time) as lastTime + values(event_type) as event_types + values(message_text) as message + by _time dest + | where + ( + mvfind(event_types, "vman_guestshell_activated") >= 0 + OR + mvfind(event_types, 
"im_iox_guestshell_activated") >= 0 + OR + mvfind(event_types, "guestshell_enable_command") >= 0 + ) + AND + ( + mvfind(event_types, "vman_guestshell_destroying") >= 0 + OR + mvfind(event_types, "vman_guestshell_destroyed") >= 0 + OR + mvfind(event_types, "guestshell_destroy_command") >= 0 + ) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_guestshell_activation_and_destroy_filter` +how_to_implement: | + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + EEM catchall command logging should capture the "guestshell enable" and "guestshell destroy" commands as HA_EM/LOG events. + Platform lifecycle logs may appear as VMAN activation/install-state messages on some IOS-XE images or as IM/IOX guestshell service messages on others. +known_false_positives: | + Lab testing, software troubleshooting, and container lifecycle maintenance may enable and destroy guestshell. Filter approved maintenance windows. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View guestshell lifecycle events for $dest$ + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 35 + message: Cisco IOS-XE device $dest$ had guestshell enabled and destroyed by $user$ within a short period. + - field: user + type: user + score: 35 + message: User $user$ enabled and destroyed guestshell on $dest$ within a short period. 
+analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1059 + - T1611 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence.yml b/detections/network/cisco_ios_xe_log_clearing_sequence.yml new file mode 100644 index 0000000000..a36d9e8655 --- /dev/null +++ b/detections/network/cisco_ios_xe_log_clearing_sequence.yml 
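Review bot: The `user` entity and the `$user$` token in both intermediate-finding messages can never resolve, because the search neither extracts a user from the HA_EM/AAA messages nor carries one through `stats ... by _time dest`; the finding text will render with an empty user. Either extract and keep it, e.g. add `values(user) as user` to the stats after deriving `user` the way the reconnaissance search does, or drop the `user` entity and the `$user$` references. A smaller caveat worth a comment in `how_to_implement`: with `bin _time span=30m`, an enable and a destroy that straddle a half-hour boundary land in different buckets and the pairing condition is never met, so a 30-minute lifecycle is only detected when it happens to fall inside one bucket.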
@@ -0,0 +1,88 @@ +name: Cisco IOS XE Log Clearing Sequence With Loopback Removal +id: e20a6709-5f2c-4508-83fb-b3af6f705717 +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects Cisco IOS-XE command sequences where show logging, clear logging, and exit occur within a short period. + It also detects the pattern where a loopback interface is removed before clearing logs and exiting. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("AAA", "HA_EM", "PARSER") + mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD") + message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*") + + | eval event_type=case( + like(command, "show logging%"), "show_logging", + like(command, "clear logging%"), "clear_logging", + command="exit", "exit", + like(command, "no interface loopback%"), "remove_loopback", + true(), null()) + | where isnotnull(event_type) + | eval dest=coalesce(host, dvc, dest, "unknown") + | bin _time span=2m + | stats count min(_time) as firstTime + max(_time) as lastTime + values(event_type) as event_types + values(message_text) as message_text + by _time dest + | where mvfind(event_types, "clear_logging") >= 0 + AND + mvfind(event_types, "exit") >= 0 + AND + ( + mvfind(event_types, "show_logging") >= 0 + OR + mvfind(event_types, "remove_loopback") >= 0 + ) + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_log_clearing_sequence_filter` +how_to_implement: | + Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. +known_false_positives: | + Administrators may clear logs during lab work or maintenance. This should be rare in production and should be validated against change control. 
+references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View log clearing sequence for $dest$ and $user$ + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 35 + message: Cisco IOS-XE log clearing sequence was observed on $dest$ by $user$. + - field: user + type: user + score: 35 + message: User $user$ executed a Cisco IOS-XE log clearing sequence on $dest$. +threat_objects: + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1070.001 + - T1562 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml new file mode 100644 index 0000000000..e22c8a1d3c --- /dev/null +++ b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml 
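Review bot: The `case()` that builds `event_type` keys on a `command` field that this search never extracts, unlike the sibling searches that `rex` it from `message_text`; if the sourcetype does not supply `command`, every row becomes null and `where isnotnull(event_type)` silently drops everything. Even where it exists, `like()` is case-sensitive, so `like(command, "no interface loopback%")` will not match `no interface Loopback0`; add the same normalisation used elsewhere in this batch before the `case`, e.g. `| rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$"` followed by `| eval command=lower(trim(coalesce(command, eem_command, "")))`. The `threat_objects` entry names `commands` and the findings reference `$user$`, but the stats emits `message_text` and groups only by `dest`, so neither populates. Also, `"*exit*"` in the `IN()` list will pull in any message containing the substring (e.g. "exited"); it is harmless only as long as the `command="exit"` equality survives the extraction fix.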
@@ -0,0 +1,103 @@ +name: Cisco IOS XE Reconnaissance Command Activity +id: 71ac5328-2364-40cf-8381-92b8dc531399 +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects bursts of Cisco IOS or NX-OS discovery commands associated with Salt Typhoon tradecraft. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("AAA", "HA_EM") + mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") + message_text IN ( + "*show running-config*", + "*show tacacs*", + "*show cdp neighbors*", + "*show file systems*", + "*dir bootflash:*", + "*show clock*", + "*show platform software status control-processor brief*", + "*terminal length 0*", + "*terminal width 0*" + ) + + | rex field=message_text "^\w+:(?[^:@]+)(?:@[^:]*)?:(?[^:]*):(?.*?)(?:\s+\((?SUCCESS|FAILURE)\))?$" + | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$" + | eval command=lower(trim(coalesce(aaa_command, eem_command, ""))) + + | eval command_type=case( + like(command, "show running-config%"), "show_conf", + like(command, "show tacacs%"), "show_tacacs", + like(command, "show cdp neighbors detail%"), "show_cdp", + like(command, "show cdp neighbors%"), "show_cdp", + like(command, "show file systems%"), "show_file", + like(command, "dir bootflash:%"), "dir_bootflash", + like(command, "show clock%"), "show_clock", + like(command, "show platform software status control-processor brief%"), "show_platform", + like(command, "terminal length 0%"), "terminal", + like(command, "terminal width 0%"), "terminal", + true(), null()) + | where isnotnull(command_type) + | eval user=coalesce(aaa_user, user, "unknown") + | eval src_ip=coalesce(aaa_src, src_ip, "unknown") + | eval dest=coalesce(host, dvc, dest, "unknown") + | bin _time span=5m + | stats count min(_time) as firstTime + max(_time) as lastTime + dc(command_type) as unique_recon_commands + values(command_type) as command_types 
+ values(command) as commands + by _time dest user src_ip + | where unique_recon_commands >= 4 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_reconnaissance_command_activity_filter` +how_to_implement: | + Ingest Cisco IOS/NX-OS command logs with sourcetype "cisco:ios". On Nexus, local accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE". On Catalyst, use TACACS+ command accounting or EEM catchall syslog for exec command visibility. +known_false_positives: | + Network audits and troubleshooting can produce similar command bursts. Tune the command list, threshold, and approved administrators for the environment. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View reconnaissance commands for $dest$ and $user$ + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 25 + message: User $user$ executed $unique_recon_commands$ Cisco reconnaissance command categories on $dest$. + - field: user + type: user + score: 25 + message: User $user$ executed Cisco reconnaissance commands on $dest$ from $src_ip$. +threat_objects: + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1082 + - T1016 + - T1590 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:nexus:syslog + sourcetype: cisco:ios + test_type: unit 
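Review bot: The name and `data_source` say IOS XE, while the description, `how_to_implement`, and the unit test (`source: ctb:nexus:syslog`) are NX-OS; state in `description` that the analytic covers both IOS-XE (via EEM/TACACS+ accounting) and NX-OS (via local AAA accounting), or the test data will look like a mismatch to anyone tuning it. In the `case()`, the `show cdp neighbors detail%` branch is redundant since the next branch maps the same prefix to the same `show_cdp` value; remove it. Consider noting in `known_false_positives` that `terminal length 0`/`terminal width 0` followed by `show running-config` and `show clock` is the standard preamble of configuration-backup tooling and alone yields three of the four required categories.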
diff --git a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml new file mode 100644 index 0000000000..a303f11e98 --- /dev/null +++ b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml 
@@ -0,0 +1,85 @@ +name: Cisco IOS XE Remote Access Probe Burst +id: efb20922-17bc-4fb0-880c-be50cfc100dd +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects bursts of ping, SSH, and Telnet commands issued from Cisco IOS or NX-OS devices. The Salt Typhoon notes describe repeated SSH, Telnet-to-port-22, and ping activity across multiple IP addresses in a short time window. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("AAA", "HA_EM") + mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") + message_text IN ("*ssh *", "*telnet *", "*ping *") + | rex field=message_text "^\w+:(?[^:@]+)(?:@[^:]*)?:(?[^:]*):(?.*?)(?:\s+\((?SUCCESS|FAILURE)\))?$" + | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$" + | eval command=lower(trim(coalesce(aaa_command, eem_command, ""))) + | where match(command, "^(ssh|telnet|ping)\s+") + | rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?\d{1,3}(?:\.\d{1,3}){3})" + | eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping") + | eval user=coalesce(aaa_user, user, "unknown") + | eval src_ip=coalesce(aaa_src, src_ip, "unknown") + | eval dest=coalesce(host, dvc, dest, "unknown") + | bin _time span=10m + | stats count as command_count + min(_time) as firstTime + max(_time) as lastTime + dc(target_ip) as distinct_targets + values(target_ip) as target_ips + values(command_type) as command_types + values(command) as commands + by _time dest user src_ip + | where command_count >= 8 OR distinct_targets >= 5 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_remote_access_probe_burst_filter` +how_to_implement: | + Ingest Cisco IOS/NX-OS command logs with sourcetype "cisco:ios". 
Command visibility requires Nexus accounting, Catalyst TACACS+ accounting, or the Catalyst EEM catchall logger used in the lab. +known_false_positives: | + Network reachability testing, migration validation, and troubleshooting can generate repeated ping, SSH, or Telnet commands. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View remote access probe commands for $dest$ and $user$ + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 25 + message: User $user$ issued $command_count$ ping, SSH, or Telnet commands from Cisco device $dest$ across $distinct_targets$ targets. + - field: user + type: user + score: 25 + message: User $user$ issued a Cisco remote access probe burst from $dest$. +threat_objects: + - field: target_ips + type: ip_address + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1018 + - T1021.004 + - T1046 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:nexus:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml new file mode 100644 index 0000000000..7fc198dc2b --- /dev/null +++ b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml 
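Review bot: The `target_ip` extraction only matches a dotted-quad immediately after `ssh`, `ssh -l <user>`, `telnet` or `ping`, so `ping vrf MGMT 10.0.0.1`, `ssh -v 2 10.0.0.1`, hostname or IPv6 targets all yield a null `target_ip`; `distinct_targets` undercounts and the `target_ips` threat object is empty even though `command_count` may still fire. A more tolerant capture that keeps the same field name is `| rex field=command "^(?:ssh|telnet|ping)(?:\s+(?:-\S+\s+\S+|vrf\s+\S+))*\s+(?<target_ip>\S+)"`, accepting that it may then hold hostnames. If the field is kept strictly IPv4, say so in the description so analysts know why the target list is partial.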
@@ -0,0 +1,70 @@ +name: Cisco IOS XE Request Platform Package Describe Shell Pattern +id: a113a8be-7386-46e0-a079-d9fd46f9631f +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: TTP +description: | + This analytic detects Cisco IOS-XE "request platform software package describe" commands containing suspicious shell-style filename patterns. Indicative of Slat Typhoon tradecraft. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("AAA", "HA_EM") + mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") + message_text="*request platform software package describe*" + message_text IN ("*--filename=/(bash)n*", "*--filename=$(bash)n*") + + | eval dest=coalesce(host, dvc, dest, "unknown") + | stats count min(_time) as firstTime + max(_time) as lastTime + values(message_text) as message + by dest + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter` +how_to_implement: | + Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting or EEM catchall command logging. +known_false_positives: | + No common administrative use is expected for these filename patterns. Validate lab testing before suppressing. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View request platform package describe events for $dest$ + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 45 + message: Cisco IOS-XE device $dest$ received a suspicious request platform package describe command. + - field: user + type: user + score: 45 + message: User $user$ executed a suspicious request platform package describe command on $dest$. 
+threat_objects: + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1059 + - T1190 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml new file mode 100644 index 0000000000..9e61c70e23 --- /dev/null +++ b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml 
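Review bot: The `threat_objects` entry references a `commands` field and both findings reference `$user$`, but the search emits only `message` and groups solely by `dest`, so neither the threat object nor the user entity will populate; rename to `values(message_text) as commands` and add user extraction/grouping, or trim the metadata to what the search actually produces. The description has a typo, `Slat Typhoon` → `Salt Typhoon`. Since this is `type: TTP`, it may also be worth a sentence in `description` noting that the two `--filename=` literals are the observed variants and that other shell-metacharacter forms in that argument are out of scope for this rule.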
@@ -0,0 +1,93 @@ +name: Cisco IOS XE Tunnel Interface Configuration +id: 8654314d-8e4d-4971-9f35-b9d477bf668e +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects creation of a Cisco IOS-XE tunnel interface with tunnel source, tunnel destination, and an IP address in the 10.10.12.0 network. The Salt Typhoon notes identify this tunnel configuration pattern as suspicious. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("HA_EM", "PARSER") + mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD") + message_text IN ("*interface Tunnel*", "*tunnel source*", "*tunnel destination*", "*ip address 10.10.12.*") + | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$" + | rex field=message_text "(?.*?)" + | rex field=message_text "(?[^<]+)" + | rex field=message_text "(?[^<]+)" + | eval command=lower(trim(coalesce(parser_command, eem_command, ""))) + | eval event_type=case( + match(command, "^interface\s+tunnel"), "interface_tunnel", + match(command, "^tunnel\s+source"), "tunnel_source", + match(command, "^tunnel\s+destination"), "tunnel_destination", + match(command, "^ip\s+address\s+10\.10\.12\."), "tunnel_ip_address", + true(), null()) + | where isnotnull(event_type) + | eval user=coalesce(parser_user, user, "unknown") + | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown") + | eval dest=coalesce(host, dvc, dest, "unknown") + | bin _time span=15m + | stats count min(_time) as firstTime + max(_time) as lastTime + values(event_type) as event_types + values(user) as user + values(src_ip) as src_ip + values(command) as commands + by _time dest + | where mvfind(event_types, "interface_tunnel") >= 0 + AND + mvfind(event_types, "tunnel_source") >= 0 + AND + mvfind(event_types, "tunnel_destination") >= 0 + AND + mvfind(event_types, "tunnel_ip_address") >= 0 + | `security_content_ctime(firstTime)` + | 
`security_content_ctime(lastTime)` + | `cisco_ios_xe_tunnel_interface_configuration_filter` +how_to_implement: | + Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. The lab also records these commands through the EEM catchall logger. +known_false_positives: | + Legitimate tunnel provisioning may match this analytic. Tune for expected tunnel IDs, approved administrators, and planned network changes. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View tunnel configuration commands for $dest$ and $user$ + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 30 + message: Cisco IOS-XE tunnel interface configuration matching Salt Typhoon notes was observed on $dest$ by $user$. + - field: user + type: user + score: 30 + message: User $user$ configured a suspicious Cisco IOS-XE tunnel interface on $dest$. +threat_objects: + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1572 + - T1090 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml new file mode 100644 index 0000000000..757089c986 --- /dev/null +++ b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml 
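Review bot: Requiring `tunnel_ip_address` (`ip address 10.10.12.*`) turns the rule into an indicator match for one specific subnet, while the tradecraft described is the `interface Tunnel` + `tunnel source` + `tunnel destination` sequence; any tunnel addressed elsewhere is missed. Consider dropping the `AND mvfind(event_types, "tunnel_ip_address") >= 0` clause (and the `"*ip address 10.10.12.*"` filter) or moving the address to a macro/lookup, and explain the choice in `description`. The sentence "The lab also records these commands through the EEM catchall logger" in `how_to_implement` reads as lab commentary rather than deployment guidance; rephrase it as a requirement, e.g. "Alternatively, an EEM applet with a catchall CLI pattern can log configuration commands as HA_EM/LOG events."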
@@ -0,0 +1,95 @@ +name: Cisco IOS XE VTY Access Class Tampering +id: a01ca274-16cb-476d-a814-d2ffe29d8905 +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-20' +author: Nasreddine Bencherchali +status: production +type: Anomaly +description: | + This analytic detects rapid modification of Cisco IOS-XE VTY access-class settings. The Salt Typhoon notes describe configure HTTP activity followed by line vty changes and removal/re-application of an access-class within 60 seconds. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility IN ("HA_EM", "PARSER") + mnemonic IN ("LOG", "CFGLOG_LOGGEDCMD") + message_text IN ( + "*access-class*", + "*configure http*", + "*line vty*" + ) + | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?.+?)\s*$" + | rex field=message_text "(?.*?)" + | rex field=message_text "(?[^<]+)" + | rex field=message_text "(?[^<]+)" + | eval command=lower(trim(coalesce(parser_command, eem_command, ""))) + | eval event_type=case( + like(command, "configure http%") OR like(command, "ip http secure-server%"), "http_config", + like(command, "line vty%"), "line_vty", + like(command, "no access-class%"), "remove_access_class", + like(command, "access-class%"), "add_access_class", + true(), null()) + | where isnotnull(event_type) + | eval user=coalesce(parser_user, user, "unknown") + | eval src_ip=coalesce(parser_src_ip, src_ip, "unknown") + | eval dest=coalesce(host, dvc, dest, "unknown") + | bin _time span=1m + | stats count min(_time) as firstTime + max(_time) as lastTime + values(event_type) as event_types + values(user) as user + values(src_ip) as src_ip + values(command) as commands + by _time dest + | where mvfind(event_types, "line_vty") >= 0 + AND + mvfind(event_types, "remove_access_class") >= 0 + AND + mvfind(event_types, "add_access_class") >= 0 + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_vty_access_class_tampering_filter` +how_to_implement: | + Ingest 
Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. EEM catchall logging can also provide command visibility in the lab. +known_false_positives: | + VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators. +references: + - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a +drilldown_searches: + - name: View VTY access-class changes for $dest$ and $user$ + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +intermediate_findings: + entities: + - field: dest + type: system + score: 30 + message: Cisco IOS-XE VTY access-class settings were removed and reapplied on $dest$ by $user$. + - field: user + type: user + score: 30 + message: User $user$ modified Cisco IOS-XE VTY access-class settings on $dest$. +threat_objects: + - field: commands + type: command +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1562 + - T1021 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_webui_login_localport_21111.yml b/detections/network/cisco_ios_xe_webui_login_localport_21111.yml new file mode 100644 index 0000000000..eea210b3a1 --- /dev/null +++ b/detections/network/cisco_ios_xe_webui_login_localport_21111.yml 
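Review bot: The `http_config` event type is computed from `configure http`/`ip http secure-server` but never required in the `where` clause, even though the description says the pattern is HTTP configuration followed by the vty/access-class change; either add `AND mvfind(event_types, "http_config") >= 0` or remove that branch and the `"*configure http*"` filter so the rule documents what it actually checks. The `bin _time span=1m` bucketing does not implement "within 60 seconds": a `no access-class` at :59 and the re-apply at :01 fall into different buckets and the sequence is lost. A `span=2m` bucket, or a `streamstats window=... time_window=60s` approach, would match the stated intent.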
@@ -0,0 +1,78 @@ +name: Cisco IOS XE WebUI Login From IOSd Local Port +id: 77a1751f-552f-456c-b9ae-cdb66eec3e42 +version: 1 +creation_date: '2026-05-19' +modification_date: '2026-05-19' +author: Nasreddine Bencherchali +status: production +type: TTP +description: | + This analytic detects Cisco IOS-XE WebUI authentication failure and success logs that include local port 21111. + This is a strong an indicator of WebUI exploitation because normal users should not authenticate through the underlying IOS-XE Linux shell path. +data_source: + - Cisco IOS Logs +search: |- + `cisco_ios` + facility="SEC_LOGIN" + mnemonic IN ("QUIET_MODE_ON", "LOGIN_SUCCESS", "LOGIN_FAILED") + message_text="*[localport: 21111]*" + | rex field=_raw "\[user:\s*(?[^\]]+)\]" + | rex field=_raw "\[Source:\s*(?[^\]]+)\]" + | rex field=_raw "\[localport:\s*(?[^\]]+)\]" + | rex field=_raw "\[Reason:\s*(?[^\]]+)\]" + | rex field=_raw "\[ACL:\s*(?[^\]]+)\]" + | eval dest=coalesce(host, dvc, dest, "unknown") + | stats count min(_time) as firstTime + max(_time) as lastTime + values(local_port) as local_port + values(acl) as acl + by dest user src_ip reason + | `security_content_ctime(firstTime)` + | `security_content_ctime(lastTime)` + | `cisco_ios_xe_webui_login_localport_21111_filter` +how_to_implement: | + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + Login failure logging must be enabled with "login on-failure log". +known_false_positives: | + This local port value should not appear for normal WebUI logins. So false positives should very minimal. 
+references: + - https://blog.talosintelligence.com/salt-typhoon-analysis/ +drilldown_searches: + - name: View matching WebUI login failures for $dest$ + search: '%original_detection_search% | search dest = "$dest$"' + earliest_offset: $info_min_time$ + latest_offset: $info_max_time$ +finding: + title: A process $parent_process_name$ attempted to resize shadow copy with commandline $process$ in host $dest$ + entity: + field: user + type: user + score: 50 +intermediate_findings: + entities: + - field: dest + type: system + score: 40 + message: Cisco IOS-XE device $dest$ logged a WebUI authentication failure with local port 21111 from $src_ip$. +threat_objects: + - field: src_ip + type: ip_address +analytic_story: + - Salt Typhoon +asset_type: Network +mitre_attack_id: + - T1190 + - T1078 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log + source: ctb:catalyst:syslog + sourcetype: cisco:ios + test_type: unit diff --git a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml new file mode 100644 index 0000000000..c33c835557 --- /dev/null +++ b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml 
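Review bot: The `finding:` block is a copy-paste leftover from a Windows shadow-copy detection ("A process $parent_process_name$ attempted to resize shadow copy with commandline $process$") and none of those tokens exist in this search; replace the title with something like `WebUI authentication on $dest$ for user $user$ from $src_ip$ via IOSd local port 21111` or drop the block. Grouping with `by dest user src_ip reason` also drops every `LOGIN_SUCCESS` and `QUIET_MODE_ON` event, since `stats` omits rows where any by-field is null and those messages carry no `[Reason:` (and QUIET_MODE_ON no `[user:`); use `values(reason) as reason` instead of grouping on it, or `| fillnull value="n/a" user src_ip reason` before the stats. Minor wording: "a strong an indicator" and "should very minimal".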
@@ -0,0 +1,63 @@
+name: Cisco IOS XE WebUI Programmatic Configuration
+id: f9686576-a23d-4c4d-bfad-a45499dc448a
+version: 1
+creation_date: '2026-05-19'
+modification_date: '2026-05-19'
+author: Nasreddine Bencherchali
+status: production
+type: Anomaly
+description: |
+ This analytic detects Cisco IOS-XE configuration changes performed by the WebUI WSMA process.
+data_source:
+ - Cisco IOS Logs
+search: |-
+ `cisco_ios`
+ facility="SYS"
+ mnemonic="CONFIG_P"
+ message_text="*Configured programmatically by process SEP_webui_wsma_http*"
+ | rex field=_raw "process\s(?\S+)\sfrom.*as\s(?\S+)\son\s(?\S+)"
+ | eval dest=coalesce(host, dvc, dest, "unknown")
+ | stats count min(_time) as firstTime
+ max(_time) as lastTime
+ values(process) as process
+ values(vty) as vty
+ by dest user
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_ios_xe_webui_programmatic_configuration_filter`
+how_to_implement: |
+ Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". This requires WebUI activity to be logged by IOS-XE and forwarded to Splunk. In the lab, enable WebUI only long enough to generate controlled events.
+known_false_positives: |
+ Legitimate WebUI administrative configuration changes may trigger this analytic. Filter approved administrators and maintenance windows.
+references:
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
+drilldown_searches:
+ - name: View WebUI programmatic configuration events for $dest$
+ search: '%original_detection_search% | search dest = "$dest$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+intermediate_findings:
+ entities:
+ - field: user
+ type: user
+ score: 30
+ message: User $user$ performed Cisco IOS-XE WebUI programmatic configuration on $dest$.
+analytic_story:
+ - Salt Typhoon
+asset_type: Network
+mitre_attack_id:
+ - T1190
+ - T1078
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: network
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/emerging_threats/SaltTyphoon/salttyphoon_cisco.log
+ source: ctb:catalyst:syslog
+ sourcetype: cisco:ios
+ test_type: unit
diff --git a/macros/cisco_ios.yml b/macros/cisco_ios.yml
new file mode 100644
index 0000000000..af49e3f648
--- /dev/null
+++ b/macros/cisco_ios.yml
@@ -0,0 +1,8 @@
+name: cisco_ios
+id: dee2e4eb-4925-4378-9b8d-4b14fbb40132
+version: 1
+creation_date: '2026-06-02'
+modification_date: '2026-06-02'
+author: Nasreddine Bencherchali, Splunk Threat Research Team
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype=cisco:ios
From c6b912b0c4823a18b7bcf865b436cc721e406f63 Mon Sep 17 00:00:00 2001
From: nasbench <8741929+nasbench@users.noreply.github.com>
Date: Wed, 3 Jun 2026 00:24:41 +0100
Subject: [PATCH 2/5] small ci fixes
---
.../cisco_ios_xe_guestshell_activation_and_destroy.yml | 6 +-----
...xe_log_clearing_sequence_with_loopback_removal.yml} | 0
...request_platform_package_describe_shell_pattern.yml | 10 ++++++----
... cisco_ios_xe_webui_login_from_iosd_local_port.yml} | 0
4 files changed, 7 insertions(+), 9 deletions(-)
rename detections/network/{cisco_ios_xe_log_clearing_sequence.yml => cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml} (100%)
rename detections/network/{cisco_ios_xe_webui_login_localport_21111.yml => cisco_ios_xe_webui_login_from_iosd_local_port.yml} (100%)
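Review bot: The single `rex` in the new search is the only source of `user`, and `stats ... by dest user` then discards any CONFIG_P event where that extraction fails, so a message that does not follow the `process X from Y as Z on W` layout the pattern assumes disappears without trace. A `| fillnull value="unknown" user` before the `stats`, or grouping by `dest` alone with `values(user) as user`, keeps such events visible. The `from.*as` section also throws away the origin token between `from` and `as`; capturing it (for example `\sfrom\s(?<src>.+?)\sas\s`) would add more value to the finding than `values(process) as process`, which is constant given the `message_text` filter.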
diff --git a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml index 804d122481..46a0cd569e 100644 --- a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml +++ b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml @@ -76,11 +76,7 @@ intermediate_findings: - field: dest type: system score: 35 - message: Cisco IOS-XE device $dest$ had guestshell enabled and destroyed by $user$ within a short period. - - field: user - type: user - score: 35 - message: User $user$ enabled and destroyed guestshell on $dest$ within a short period. + message: Cisco IOS-XE device $dest$ had guestshell enabled and destroyed within a short period. analytic_story: - Salt Typhoon asset_type: Network diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence.yml b/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml similarity index 100% rename from detections/network/cisco_ios_xe_log_clearing_sequence.yml rename to detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml diff --git a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml index 7fc198dc2b..578bc83e48 100644 --- a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml +++ b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml 
@@ -36,16 +36,18 @@ drilldown_searches: search: '%original_detection_search% | search dest = "$dest$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ +finding: + title: User $user$ executed a suspicious request platform package describe command on $dest$. + entity: + field: user + type: user + score: 50 intermediate_findings: entities: - field: dest type: system score: 45 message: Cisco IOS-XE device $dest$ received a suspicious request platform package describe command. - - field: user - type: user - score: 45 - message: User $user$ executed a suspicious request platform package describe command on $dest$. threat_objects: - field: commands type: command diff --git a/detections/network/cisco_ios_xe_webui_login_localport_21111.yml b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml similarity index 100% rename from detections/network/cisco_ios_xe_webui_login_localport_21111.yml rename to detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml From 29c2e86a0400b9f9c7f019f4a33ac42fc1239a26 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 8 Jun 2026 12:22:46 +0200 Subject: [PATCH 3/5] multiples fixes --- ...s_xe_guestshell_activation_and_destroy.yml | 5 ++--- ...learing_sequence_with_loopback_removal.yml | 13 ++++-------- ...ios_xe_reconnaissance_command_activity.yml | 4 +++- ...cisco_ios_xe_remote_access_probe_burst.yml | 3 ++- ...latform_package_describe_shell_pattern.yml | 21 +++++++------------ ..._ios_xe_tunnel_interface_configuration.yml | 4 ++-- ...isco_ios_xe_vty_access_class_tampering.yml | 3 ++- ...os_xe_webui_login_from_iosd_local_port.yml | 4 ++-- ...os_xe_webui_programmatic_configuration.yml | 5 +++-- 9 files changed, 27 insertions(+), 35 deletions(-) diff --git a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml index 46a0cd569e..0352d54209 100644 
--- a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml +++ b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml @@ -60,10 +60,9 @@ search: |- | `cisco_ios_xe_guestshell_activation_and_destroy_filter` how_to_implement: | Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". - EEM catchall command logging should capture the "guestshell enable" and "guestshell destroy" commands as HA_EM/LOG events. - Platform lifecycle logs may appear as VMAN activation/install-state messages on some IOS-XE images or as IM/IOX guestshell service messages on others. + Enable EEM catchall command logging to capture the "guestshell enable" and "guestshell destroy" commands as HA_EM/LOG events. known_false_positives: | - Lab testing, software troubleshooting, and container lifecycle maintenance may enable and destroy guestshell. Filter approved maintenance windows. + No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a drilldown_searches: diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml b/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml index a36d9e8655..45544a01a5 100644 --- a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml +++ b/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml 
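Review bot: The rewritten `how_to_implement` drops the removed sentence about VMAN activation/install-state and IM/IOX guestshell service messages, but if the search (outside this hunk) still correlates those platform lifecycle events with the HA_EM command logs — which the analytic's name and the removed sentence suggest — an operator who only enables EEM catchall logging will never see a result. Keep a line such as `The VMAN/IM guestshell activation and destroy syslog messages must also be forwarded; the detection correlates them with the EEM command log.` The same hunk replaces a concrete tuning note with `No false positives have been identified at this time.`, which understates the tuning need for an analytic that fires on a documented administrative workflow (enabling and destroying guestshell); the identical substitution appears in the tunnel interface configuration, WebUI programmatic configuration and (patch 4) log clearing sequence hunks. Retaining the previous guidance on lab testing and container lifecycle maintenance, or at least a pointer to the `_filter` macro for approved maintenance windows, would serve operators better. The WebUI programmatic configuration hunk's new sentence `Enable WebUI activity logging by IOS-XE.` likewise names no specific logging configuration and could be made concrete.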
@@ -44,7 +44,8 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_log_clearing_sequence_filter` how_to_implement: | - Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. known_false_positives: | Administrators may clear logs during lab work or maintenance. This should be rare in production and should be validated against change control. references: @@ -59,14 +60,8 @@ intermediate_findings: - field: dest type: system score: 35 - message: Cisco IOS-XE log clearing sequence was observed on $dest$ by $user$. - - field: user - type: user - score: 35 - message: User $user$ executed a Cisco IOS-XE log clearing sequence on $dest$. -threat_objects: - - field: commands - type: command + message: Cisco IOS-XE log clearing sequence was observed on $dest$. +threat_objects: [] analytic_story: - Salt Typhoon asset_type: Network diff --git a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml index e22c8a1d3c..20846f1406 100644 --- a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml +++ b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml 
@@ -58,7 +58,9 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_reconnaissance_command_activity_filter` how_to_implement: | - Ingest Cisco IOS/NX-OS command logs with sourcetype "cisco:ios". On Nexus, local accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE". On Catalyst, use TACACS+ command accounting or EEM catchall syslog for exec command visibility. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + On Nexus, local accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE". + On Catalyst, use TACACS+ command accounting or EEM catchall syslog for exec command visibility. known_false_positives: | Network audits and troubleshooting can produce similar command bursts. Tune the command list, threshold, and approved administrators for the environment. references: diff --git a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml index a303f11e98..4b42dd0b45 100644 --- a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml +++ b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml @@ -38,7 +38,8 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_remote_access_probe_burst_filter` how_to_implement: | - Ingest Cisco IOS/NX-OS command logs with sourcetype "cisco:ios". Command visibility requires Nexus accounting, Catalyst TACACS+ accounting, or the Catalyst EEM catchall logger used in the lab. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. known_false_positives: | Network reachability testing, migration validation, and troubleshooting can generate repeated ping, SSH, or Telnet commands. references: 
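Review bot: The rewritten `how_to_implement` now opens by scoping ingestion to IOS-XE via the Catalyst add-on yet keeps `On Nexus, local accounting can emit "%AAA-6-AAA_ACCOUNTING_MESSAGE".`, so a reader cannot tell whether NX-OS devices are in or out of scope for this analytic. Either drop the Nexus sentence or state explicitly that NX-OS accounting events carried under the same sourcetype are also consumed. `Ingest` is capitalised mid-sentence here and in the other how_to_implement lines rewritten by this patch.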
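Review bot: The replacement sentence `Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging.` appears to have been copied from the log-clearing analytic, but this analytic looks for ping, SSH and Telnet commands (per its known_false_positives), which are exec-mode commands that archive/config logging does not record, so the sentence points operators at a source that cannot produce the events. Suggest `Command visibility requires AAA command accounting or EEM catchall command logging.`, the wording the request-platform-package hunk in this same patch already uses.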
diff --git a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml index 578bc83e48..50b9ece669 100644 --- a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml +++ b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml @@ -26,9 +26,10 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_request_platform_package_describe_shell_pattern_filter` how_to_implement: | - Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting or EEM catchall command logging. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + Command visibility requires AAA command accounting or EEM catchall command logging. known_false_positives: | - No common administrative use is expected for these filename patterns. Validate lab testing before suppressing. + No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a drilldown_searches: @@ -37,20 +38,12 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ finding: - title: User $user$ executed a suspicious request platform package describe command on $dest$. + title: Suspicious request platform package describe command was issued on $dest$. entity: - field: user - type: user + field: dest + type: system score: 50 -intermediate_findings: - entities: - - field: dest - type: system - score: 45 - message: Cisco IOS-XE device $dest$ received a suspicious request platform package describe command. -threat_objects: - - field: commands - type: command +threat_objects: [] analytic_story: - Salt Typhoon asset_type: Network 
diff --git a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml index 9e61c70e23..02ad8746d4 100644 --- a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml +++ b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml @@ -49,9 +49,9 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_tunnel_interface_configuration_filter` how_to_implement: | - Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. The lab also records these commands through the EEM catchall logger. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. known_false_positives: | - Legitimate tunnel provisioning may match this analytic. Tune for expected tunnel IDs, approved administrators, and planned network changes. + No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a drilldown_searches: diff --git a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml index 757089c986..c261a04755 100644 --- a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml +++ b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml 
@@ -51,7 +51,8 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_vty_access_class_tampering_filter` how_to_implement: | - Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. EEM catchall logging can also provide command visibility in the lab. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. + EEM catchall logging can also provide command visibility in the lab. known_false_positives: | VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators. references: diff --git a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml index eea210b3a1..dfe784ad27 100644 --- a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml +++ b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml @@ -43,7 +43,7 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ finding: - title: A process $parent_process_name$ attempted to resize shadow copy with commandline $process$ in host $dest$ + title: WebUI authentication failure with local port 21111 from $src_ip$. entity: field: user type: user @@ -53,7 +53,7 @@ intermediate_findings: - field: dest type: system score: 40 - message: Cisco IOS-XE device $dest$ logged a WebUI authentication failure with local port 21111 from $src_ip$. + message: WebUI authentication failure with local port 21111 from $src_ip$ on $dest$. threat_objects: - field: src_ip type: ip_address diff --git a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml index c33c835557..d788e43876 100644 --- a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml 
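Review bot: The new `title: WebUI authentication failure with local port 21111 from $src_ip$.` and the matching intermediate `message` in the second hunk label every result as a failure, but the search added in patch 1 of this series also selects `LOGIN_SUCCESS` and `QUIET_MODE_ON` events, so a successful WebUI login over the local port — the outcome most worth escalating — would be reported as a failed one. Because `reason` is already a by-field of the search, a neutral wording such as `title: WebUI authentication event ($reason$) with local port 21111 from $src_ip$ on $dest$.` stays accurate for both outcomes; if failures alone are intended, narrow `mnemonic` in the search instead.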
+++ b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml @@ -26,9 +26,10 @@ search: |- | `security_content_ctime(lastTime)` | `cisco_ios_xe_webui_programmatic_configuration_filter` how_to_implement: | - Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". This requires WebUI activity to be logged by IOS-XE and forwarded to Splunk. In the lab, enable WebUI only long enough to generate controlled events. + Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". + Enable WebUI activity logging by IOS-XE. known_false_positives: | - Legitimate WebUI administrative configuration changes may trigger this analytic. Filter approved administrators and maintenance windows. + No false positives have been identified at this time. references: - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: From 7c2f4aaebe5d16ed1a892fa90b92055dabeae187 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 8 Jun 2026 12:39:27 +0200 Subject: [PATCH 4/5] more fixes --- ...sco_ios_xe_log_clearing_sequence_with_loopback_removal.yml | 4 ++-- .../network/cisco_ios_xe_vty_access_class_tampering.yml | 1 - .../network/cisco_ios_xe_webui_login_from_iosd_local_port.yml | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml b/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml index 45544a01a5..a48fe1e4a7 100644 --- a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml +++ b/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml 
@@ -42,12 +42,12 @@ search: |- ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_ios_xe_log_clearing_sequence_filter` + | `cisco_ios_xe_log_clearing_sequence_with_loopback_removal_filter` how_to_implement: | Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. known_false_positives: | - Administrators may clear logs during lab work or maintenance. This should be rare in production and should be validated against change control. + No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a drilldown_searches: diff --git a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml index c261a04755..35ff06fca1 100644 --- a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml +++ b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml @@ -52,7 +52,6 @@ search: |- | `cisco_ios_xe_vty_access_class_tampering_filter` how_to_implement: | Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios" and enable archive/config command logging. - EEM catchall logging can also provide command visibility in the lab. known_false_positives: | VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators. references: diff --git a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml index dfe784ad27..df2a23efd6 100644 --- a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml 
+++ b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml @@ -29,7 +29,7 @@ search: |- by dest user src_ip reason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_ios_xe_webui_login_localport_21111_filter` + | `cisco_ios_xe_webui_login_from_iosd_local_port_filter` how_to_implement: | Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Login failure logging must be enabled with "login on-failure log". From 23eaa0c5a18be3ec9bdd06886288e02b3cbb54c9 Mon Sep 17 00:00:00 2001 From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Mon, 8 Jun 2026 15:54:43 +0200 Subject: [PATCH 5/5] metadata update --- ...s_xe_guestshell_activation_and_destroy.yml | 9 +++++-- ...quence_with_optional_loopback_removal.yml} | 25 ++++++++++++------- ...ios_xe_reconnaissance_command_activity.yml | 9 +++++-- ...cisco_ios_xe_remote_access_probe_burst.yml | 9 +++++-- ...latform_package_describe_shell_pattern.yml | 9 +++++-- ..._ios_xe_tunnel_interface_configuration.yml | 9 +++++-- ...isco_ios_xe_vty_access_class_tampering.yml | 9 +++++-- ...os_xe_webui_login_from_iosd_local_port.yml | 9 +++++-- ...os_xe_webui_programmatic_configuration.yml | 9 +++++-- 9 files changed, 72 insertions(+), 25 deletions(-) rename detections/network/{cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml => cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml} (67%) diff --git a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml index 0352d54209..627d70a8c7 100644 --- a/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml +++ b/detections/network/cisco_ios_xe_guestshell_activation_and_destroy.yml 
@@ -65,11 +65,16 @@ known_false_positives: | No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a + - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: - - name: View guestshell lifecycle events for $dest$ - search: '%original_detection_search% | search dest = "$dest$"' + - name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" intermediate_findings: entities: - field: dest diff --git a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml b/detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml similarity index 67% rename from detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml rename to detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml index a48fe1e4a7..6a7b02d3fe 100644 --- a/detections/network/cisco_ios_xe_log_clearing_sequence_with_loopback_removal.yml +++ b/detections/network/cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal.yml 
@@ -1,4 +1,4 @@ -name: Cisco IOS XE Log Clearing Sequence With Loopback Removal +name: Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal id: e20a6709-5f2c-4508-83fb-b3af6f705717 version: 1 creation_date: '2026-05-19' @@ -17,12 +17,13 @@ search: |- mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG", "CFGLOG_LOGGEDCMD") message_text IN ("*show logging*", "*clear logging*", "*exit*", "*no interface Loopback*") + | eval cmd=lower(coalesce(command, message_text)) | eval event_type=case( - like(command, "show logging%"), "show_logging", - like(command, "clear logging%"), "clear_logging", - command="exit", "exit", - like(command, "no interface loopback%"), "remove_loopback", - true(), null()) + like(cmd, "%show logging%"), "show_logging", + like(cmd, "%clear logging%"), "clear_logging", + like(cmd, "%exit%"), "exit", + like(cmd, "%no interface loopback%"), "remove_loopback" + ) | where isnotnull(event_type) | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=2m @@ -30,6 +31,7 @@ search: |- max(_time) as lastTime values(event_type) as event_types values(message_text) as message_text + values(cmd) as cmd by _time dest | where mvfind(event_types, "clear_logging") >= 0 AND @@ -42,7 +44,7 @@ search: |- ) | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` - | `cisco_ios_xe_log_clearing_sequence_with_loopback_removal_filter` + | `cisco_ios_xe_log_clearing_sequence_with_optional_loopback_removal_filter` how_to_implement: | Use the Cisco Catalyst Add-on for Splunk (https://splunkbase.splunk.com/app/7538) to Ingest Cisco IOS-XE syslog with sourcetype "cisco:ios". Command visibility requires AAA command accounting, archive/config logging for configuration commands, or EEM catchall logging. 
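Review bot: `like(cmd, "%exit%")` in the rewritten `case()` tags any event whose lowered command or message contains the substring `exit` as the `exit` step, whereas the replaced `command="exit"` required an exact match; with `cmd` now falling back to the full `message_text`, a command such as `exit-address-family` or any accounting line that merely mentions exiting would satisfy that step of the sequence (the `where` clause that consumes `event_types` continues outside the hunk). Anchoring the pattern, e.g. `like(cmd, "%exit")`, keeps the tolerance for prefixed accounting text without matching arbitrary substrings. `values(cmd) as cmd` is now carried into the results, so it could also back a `threat_objects` entry of type `command` in place of the empty list set by patch 3.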
@@ -50,11 +52,16 @@ known_false_positives: | No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a + - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: - - name: View log clearing sequence for $dest$ and $user$ - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + - name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" intermediate_findings: entities: - field: dest diff --git a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml index 20846f1406..f158830928 100644 --- a/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml +++ b/detections/network/cisco_ios_xe_reconnaissance_command_activity.yml 
@@ -65,11 +65,16 @@ known_false_positives: | Network audits and troubleshooting can produce similar command bursts. Tune the command list, threshold, and approved administrators for the environment. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a + - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: - - name: View reconnaissance commands for $dest$ and $user$ - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + - name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" intermediate_findings: entities: - field: dest diff --git a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml index 4b42dd0b45..eeb6b82435 100644 --- a/detections/network/cisco_ios_xe_remote_access_probe_burst.yml +++ b/detections/network/cisco_ios_xe_remote_access_probe_burst.yml 
@@ -44,11 +44,16 @@ known_false_positives: | Network reachability testing, migration validation, and troubleshooting can generate repeated ping, SSH, or Telnet commands. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a + - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: - - name: View remote access probe commands for $dest$ and $user$ - search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' + - name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" intermediate_findings: entities: - field: dest diff --git a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml index 50b9ece669..f70f7e3ed1 100644 --- a/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml +++ b/detections/network/cisco_ios_xe_request_platform_package_describe_shell_pattern.yml 
@@ -32,11 +32,16 @@ known_false_positives: | No false positives have been identified at this time. references: - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a + - https://blog.talosintelligence.com/salt-typhoon-analysis/ drilldown_searches: - - name: View request platform package describe events for $dest$ - search: '%original_detection_search% | search dest = "$dest$"' + - name: View the detection results for - "$risk_object$" + search: '%original_detection_search% | search risk_object = "$risk_object$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ + - name: View risk events for the last 7 days for - "$risk_object$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' + earliest_offset: 7d + latest_offset: "0" finding: title: Suspicious request platform package describe command was issued on $dest$. entity: diff --git a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml index 02ad8746d4..904196285e 100644 --- a/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml +++ b/detections/network/cisco_ios_xe_tunnel_interface_configuration.yml 
@@ -54,11 +54,16 @@ known_false_positives: |
 No false positives have been identified at this time.
 references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
 drilldown_searches:
- - name: View tunnel configuration commands for $dest$ and $user$
- search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
 intermediate_findings:
 entities:
 - field: dest
diff --git a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml
index 35ff06fca1..9c432b2af4 100644
--- a/detections/network/cisco_ios_xe_vty_access_class_tampering.yml
+++ b/detections/network/cisco_ios_xe_vty_access_class_tampering.yml
@@ -56,11 +56,16 @@ known_false_positives: |
 VTY ACL changes occur during legitimate management access updates. Filter approved maintenance windows and known administrators.
 references:
 - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
+ - https://blog.talosintelligence.com/salt-typhoon-analysis/
 drilldown_searches:
- - name: View VTY access-class changes for $dest$ and $user$
- search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
 intermediate_findings:
 entities:
 - field: dest
diff --git a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml
index df2a23efd6..2141d41d13 100644
--- a/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml
+++ b/detections/network/cisco_ios_xe_webui_login_from_iosd_local_port.yml
@@ -36,12 +36,17 @@ how_to_implement: |
 known_false_positives: |
 This local port value should not appear for normal WebUI logins. So false positives should very minimal.
 references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
 - https://blog.talosintelligence.com/salt-typhoon-analysis/
 drilldown_searches:
- - name: View matching WebUI login failures for $dest$
- search: '%original_detection_search% | search dest = "$dest$"'
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
 finding:
 title: WebUI authentication failure with local port 21111 from $src_ip$.
 entity:
diff --git a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml
index d788e43876..23df2e63bf 100644
--- a/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml
+++ b/detections/network/cisco_ios_xe_webui_programmatic_configuration.yml
@@ -31,12 +31,17 @@ how_to_implement: |
 known_false_positives: |
 No false positives have been identified at this time.
 references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a
 - https://blog.talosintelligence.com/salt-typhoon-analysis/
 drilldown_searches:
- - name: View WebUI programmatic configuration events for $dest$
- search: '%original_detection_search% | search dest = "$dest$"'
+ - name: View the detection results for - "$risk_object$"
+ search: '%original_detection_search% | search risk_object = "$risk_object$"'
 earliest_offset: $info_min_time$
 latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for - "$risk_object$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
 intermediate_findings:
 entities:
 - field: user