From 0e56ddf44c71d135ea706f3bd4fdb5e02c677e99 Mon Sep 17 00:00:00 2001
From: Teoderick Contreras <tcontreras@splunk.com>
Date: Tue, 9 Jun 2026 14:35:06 +0200
Subject: [PATCH] 20127

---
 .../T1190/cisco/CVE-2026-20127/CVE-2026-20127.yml   | 13 +++++++++++++
 .../T1190/cisco/CVE-2026-20127/auth_dummy_key.log   |  3 +++
 2 files changed, 16 insertions(+)
 create mode 100644 datasets/attack_techniques/T1190/cisco/CVE-2026-20127/CVE-2026-20127.yml
 create mode 100644 datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log

diff --git a/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/CVE-2026-20127.yml b/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/CVE-2026-20127.yml
new file mode 100644
index 00000000..f1b21dd0
--- /dev/null
+++ b/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/CVE-2026-20127.yml
@@ -0,0 +1,13 @@
+author: Teoderick Contreras, Splunk
+id: 176840b2-63ff-11f1-a152-629be353806a
+date: '2026-06-09'
+description: Generated datasets for CVE-2026-20127 in attack range.
+environment: attack_range
+directory: CVE-2026-20127
+mitre_technique:
+- T1190
+datasets:
+- name: auth_dummy_key.log
+  path: /datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
+  sourcetype: 'cisco:sdwan:syslog'
+  source: /var/log/nms/containers/service-proxy/serviceproxy-access.log
\ No newline at end of file
diff --git a/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log b/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
new file mode 100644
index 00000000..ba8ecebd
--- /dev/null
+++ b/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:647ea6eb80b388b415ca6c7ad5b48945be11104287182f582552c618e507522a
+size 36882