From b407d960a273a9802e8bf1d582976e1296c4e042 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Thu, 26 Mar 2026 12:42:22 +0530 Subject: [PATCH 1/2] updating detection yamls --- data_sources/cisco_secure_access_firewall.yml | 48 +++++++++++++++++++ ..._cmd_exe_to_launch_script_interpreters.yml | 44 ++++++++++------- .../network/detect_large_icmp_traffic.yml | 12 +++-- .../network/detect_outbound_ldap_traffic.yml | 9 +++- ...ote_desktop_network_bruteforce_attempt.yml | 9 +++- stories/cisco_secure_access_analytics.yml | 24 ++++++++++ 6 files changed, 123 insertions(+), 23 deletions(-) create mode 100644 data_sources/cisco_secure_access_firewall.yml create mode 100644 stories/cisco_secure_access_analytics.yml diff --git a/data_sources/cisco_secure_access_firewall.yml b/data_sources/cisco_secure_access_firewall.yml new file mode 100644 index 0000000000..4c93bd3945 --- /dev/null +++ b/data_sources/cisco_secure_access_firewall.yml @@ -0,0 +1,48 @@ +name: Cisco Secure Access Firewall +id: 5dc07487-f834-4850-b6a7-4cc09e56549b +version: 1 +date: '2026-02-25' +author: Bhavin Patel, Splunk +description: Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure. +source: cisco_secure_access:firewall +sourcetype: cisco:cloud_security:firewall +supported_TA: +- name: Cisco Secure Access Add-on for Splunk + url: https://splunkbase.splunk.com/app/7569 + version: 1.0.48 +fields: +- _time +- action +- app +- bytes_in +- bytes_out +- datacenter +- dest +- dest_ip +- dest_port +- direction +- duration +- dvc +- identity +- identity_type +- packets_in +- packets_out +- protocol +- protocol_version +- rule_id +- session_id +- src +- src_ip +- src_port +- transport +- tunnel_id +- user +- vendor_product +output_fields: +- dest_ip +- dest_port +- src_ip +- user +- action +example_log: '"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD + Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"' diff --git a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml index bee03fba09..63a7237a77 100644 --- a/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml +++ b/detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml @@ -1,28 +1,38 @@ name: Detect Use of cmd exe to Launch Script Interpreters id: b89919ed-fe5f-492c-b139-95dbb162039e -version: 13 -date: '2026-03-10' +version: 14 +date: '2026-03-24' author: Bhavin Patel, Mauricio Velazco, Splunk status: production type: TTP -description: The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment. +description: The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives. It focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\Windows\System32\ and C:\Program Files\ that are typically associated with legitimate activity. The detection also filters out service accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior. These enhancements transform the analytic from a broad pattern-based detection into a more behavior-driven approach, increasing its effectiveness in identifying malicious script interpreter usage that could indicate initial access, persistence, or lateral movement. data_source: - Sysmon EventID 1 - Windows Event Log Security 4688 - CrowdStrike ProcessRollup2 search: |- - | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes - WHERE Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe - OR - Processes.process_name =wscript.exe) - BY Processes.action Processes.dest Processes.original_file_name - Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid - Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path - Processes.process Processes.process_exec Processes.process_guid - Processes.process_hash Processes.process_id Processes.process_integrity_level - Processes.process_name Processes.process_path Processes.user - Processes.user_id Processes.vendor_product + | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime + FROM datamodel=Endpoint.Processes + WHERE Processes.parent_process_name="cmd.exe" + AND (Processes.process_name="cscript.exe" OR Processes.process_name="wscript.exe") + BY Processes.action Processes.dest Processes.original_file_name + Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid + Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path + Processes.process Processes.process_exec Processes.process_guid + Processes.process_hash Processes.process_id Processes.process_integrity_level + Processes.process_name Processes.process_path Processes.user + Processes.user_id Processes.vendor_product | `drop_dm_object_name("Processes")` + + | where like(process, "%\\Users\\%") + OR like(process, "%\\AppData\\%") + OR like(process, "%\\Temp\\%") + + | where NOT like(process, "%\\Windows\\System32\\%") + | where NOT like(process, "%\\Program Files\\%") + + | where NOT match(user, ".*\\$$") + | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter` @@ -41,12 +51,14 @@ drilldown_searches: earliest_offset: $info_min_time$ latest_offset: $info_max_time$ rba: - message: cmd.exe launching script interpreters $process_name$ on $dest$ + message: cmd.exe launching script interpreters [$process_name$] with commandline [$process$] on [$dest$] risk_objects: - field: dest type: system score: 50 - threat_objects: [] + threat_objects: + - field: process + type: process tags: analytic_story: - Emotet Malware DHS Report TA18-201A diff --git a/detections/network/detect_large_icmp_traffic.yml b/detections/network/detect_large_icmp_traffic.yml index cba58c1784..9126a0f8cc 100644 --- a/detections/network/detect_large_icmp_traffic.yml +++ b/detections/network/detect_large_icmp_traffic.yml @@ -1,16 +1,17 @@ name: Detect Large ICMP Traffic id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8 -version: 4 -date: '2026-03-10' +version: 5 +date: '2026-03-25' author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk status: production type: TTP description: The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation. data_source: - Palo Alto Network Traffic + - Cisco Secure Access Firewall search: |- | tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action - from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") + from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version, All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product | `drop_dm_object_name("All_Traffic")` @@ -59,3 +60,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log sourcetype: pan:traffic source: pan:traffic + - name: True Positive Test - Cisco Secure Access Firewall + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/large_icmp.log + source: not_applicable + sourcetype: cisco:secure_access:firewall diff --git a/detections/network/detect_outbound_ldap_traffic.yml b/detections/network/detect_outbound_ldap_traffic.yml index 66816bdf90..47a951c16b 100644 --- a/detections/network/detect_outbound_ldap_traffic.yml +++ b/detections/network/detect_outbound_ldap_traffic.yml @@ -1,7 +1,7 @@ name: Detect Outbound LDAP Traffic id: 5e06e262-d7cd-4216-b2f8-27b437e18458 -version: 10 -date: '2026-02-25' +version: 11 +date: '2026-03-25' author: Bhavin Patel, Johan Bjerke, Splunk status: production type: Hunting @@ -61,3 +61,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log source: not_applicable sourcetype: cisco:sfw:estreamer + - name: Cisco Secure Access Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/ldap.log + source: not_applicable + sourcetype: cisco:secure_access:firewall diff --git a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml index 87f7729874..22557cbe9f 100644 --- a/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml +++ b/detections/network/windows_remote_desktop_network_bruteforce_attempt.yml @@ -1,7 +1,7 @@ name: Windows Remote Desktop Network Bruteforce Attempt id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d -version: 7 -date: '2026-03-10' +version: 8 +date: '2026-03-29' author: Jose Hernandez, Bhavin Patel, Splunk status: production type: Anomaly @@ -69,3 +69,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational sourcetype: XmlWinEventLog + - name: True Positive Test - Cisco Secure Access Firewall + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/rdp_brute_force.log + source: not_applicable + sourcetype: cisco:cloud_security:firewall diff --git a/stories/cisco_secure_access_analytics.yml b/stories/cisco_secure_access_analytics.yml new file mode 100644 index 0000000000..f09b44460f --- /dev/null +++ b/stories/cisco_secure_access_analytics.yml @@ -0,0 +1,24 @@ +name: Cisco Secure Access Analytics +id: 5ba62cae-0757-497c-9226-771e3bf37eb8 +version: 1 +date: '2026-02-25' +author: Bhavin Patel, Splunk +status: production +description: | + This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access. + The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials. + These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways. +narrative: | + Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location. + It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform. + This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration. +references: +- https://www.cisco.com/site/us/en/products/security/secure-access/index.html +tags: + category: + - Adversary Tactics + product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud + usecase: Advanced Threat Detection From 01f4611f5f23be750c3253cb47eb86a5381238ec Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 27 Mar 2026 14:05:12 +0530 Subject: [PATCH 2/2] fixing SPL --- .../network/detect_outbound_smb_traffic.yml | 24 +++++++++---------- macros/non_public_ip_blocks.yml | 8 +++++++ 2 files changed, 20 insertions(+), 12 deletions(-) create mode 100644 macros/non_public_ip_blocks.yml diff --git a/detections/network/detect_outbound_smb_traffic.yml b/detections/network/detect_outbound_smb_traffic.yml index 82903c3932..eccb55a89d 100644 --- a/detections/network/detect_outbound_smb_traffic.yml +++ b/detections/network/detect_outbound_smb_traffic.yml @@ -16,18 +16,12 @@ search: | values(All_Traffic.app) as app values(sourcetype) as sourcetype count from datamodel=Network_Traffic where - All_Traffic.action IN ("allowed", "allow") AND - (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") - AND All_Traffic.src_ip IN ( - "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16" - ) - AND NOT All_Traffic.dest_ip IN ( - "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", - "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", - "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", - "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", - "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1" - ) + All_Traffic.action IN ("allowed", "allow") + AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb") + AND All_Traffic.src_ip IN `non_public_ip_blocks` + AND All_Traffic.src IN `non_public_ip_blocks` + AND NOT All_Traffic.dest_ip IN `non_public_ip_blocks` + AND NOT All_Traffic.dest IN `non_public_ip_blocks` by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port @@ -35,6 +29,7 @@ search: | | `drop_dm_object_name("All_Traffic")` | `security_content_ctime(start_time)` | `security_content_ctime(end_time)` + | rename dest as dest_ip | iplocation dest_ip | `detect_outbound_smb_traffic_filter` how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model. @@ -78,3 +73,8 @@ tests: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log source: not_applicable sourcetype: cisco:sfw:estreamer + - name: Cisco Secure Firewall True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/smb.log + source: not_applicable + sourcetype: cisco:sfw:estreamer diff --git a/macros/non_public_ip_blocks.yml b/macros/non_public_ip_blocks.yml new file mode 100644 index 0000000000..e07b9a515e --- /dev/null +++ b/macros/non_public_ip_blocks.yml @@ -0,0 +1,8 @@ +definition: ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10", + "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", + "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", + "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24", + "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1") +description: customer specific splunk configurations to normalized Windows Event Log System 7036 to recover actual services execution. + Replace the macro definition with configurations for your Splunk Environment. +name: non_public_ip_blocks \ No newline at end of file