splunk · patel-bhavin · Mar 26, 2026 · Mar 27, 2026 · Apr 1, 2026
@@ -0,0 +1,48 @@
+name: Cisco Secure Access Firewall
+id: 5dc07487-f834-4850-b6a7-4cc09e56549b
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+description: Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure.
+source: cisco_secure_access:firewall
+sourcetype: cisco:cloud_security:firewall
+supported_TA:
+- name: Cisco Secure Access Add-on for Splunk
+  url: https://splunkbase.splunk.com/app/7569
+  version: 1.0.48
+fields:
+- _time
+- action
+- app
+- bytes_in
+- bytes_out
+- datacenter
+- dest
+- dest_ip
+- dest_port
+- direction
+- duration
+- dvc
+- identity
+- identity_type
+- packets_in
+- packets_out
+- protocol
+- protocol_version
+- rule_id
+- session_id
+- src
+- src_ip
+- src_port
+- transport
+- tunnel_id
+- user
+- vendor_product
+output_fields:
+- dest_ip
+- dest_port
+- src_ip
+- user
+- action
+example_log: '"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD
+  Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"'
@@ -46,6 +46,16 @@ search: |-
        Processes.process_name Processes.process_path Processes.user
        Processes.user_id Processes.vendor_product
     | `drop_dm_object_name("Processes")`
+
+    | where like(process, "%\\Users\\%")
+      OR like(process, "%\\AppData\\%")
+      OR like(process, "%\\Temp\\%")
+
+    | where NOT like(process, "%\\Windows\\System32\\%")
+    | where NOT like(process, "%\\Program Files\\%")
+
+    | where NOT match(user, ".*\\$$")
+
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
     | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`

@@ -1,7 +1,7 @@
 name: Detect Large ICMP Traffic
 id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
 version: 5
-date: '2026-03-23'
+date: '2026-03-25'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -11,6 +11,7 @@ description: |
     If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
 data_source:
     - Palo Alto Network Traffic
+    - Cisco Secure Access Firewall
 search: |-
     | tstats `security_content_summariesonly`
               count earliest(_time) as firstTime
@@ -85,4 +86,9 @@ tests:
       attack_data:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log
           sourcetype: pan:traffic
+          source: pan:traffic
+    - name: True Positive Test - Cisco Secure Access Firewall
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/large_icmp.log
           source: not_applicable
+          sourcetype: cisco:secure_access:firewall
@@ -1,7 +1,7 @@
 name: Detect Outbound LDAP Traffic
 id: 5e06e262-d7cd-4216-b2f8-27b437e18458
 version: 11
-date: '2026-03-23'
+date: '2026-03-25'
 author: Bhavin Patel, Johan Bjerke, Splunk
 status: production
 type: Hunting
@@ -70,3 +70,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
           source: not_applicable
           sourcetype: cisco:sfw:estreamer
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/ldap.log
+          source: not_applicable
+          sourcetype: cisco:secure_access:firewall
@@ -16,25 +16,20 @@ search: |
     values(All_Traffic.app) as app
     values(sourcetype) as sourcetype count
     from datamodel=Network_Traffic where
-      All_Traffic.action IN ("allowed", "allow") AND
-      (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
-    AND All_Traffic.src_ip IN (
-      "10.0.0.0/8","172.16.0.0/12","192.168.0.0/16"
-    )
-    AND NOT All_Traffic.dest_ip IN (
-    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
-    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
-    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
-    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
-    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1"
-    )
+      All_Traffic.action IN ("allowed", "allow")
+    AND (All_Traffic.dest_port=139 OR All_Traffic.dest_port=445 OR All_Traffic.app="smb")
+    AND All_Traffic.src_ip IN `non_public_ip_blocks`
+    AND All_Traffic.src IN `non_public_ip_blocks`
+    AND NOT All_Traffic.dest_ip IN `non_public_ip_blocks`
+    AND NOT All_Traffic.dest IN `non_public_ip_blocks`
     by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in All_Traffic.bytes_out
     All_Traffic.dest All_Traffic.dest_ip All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
     All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip All_Traffic.src_port
     All_Traffic.transport All_Traffic.user All_Traffic.vendor_product All_Traffic.rule
     | `drop_dm_object_name("All_Traffic")`
     | `security_content_ctime(start_time)`
     | `security_content_ctime(end_time)`
+    | rename dest as dest_ip
     | iplocation dest_ip
     | `detect_outbound_smb_traffic_filter`
 how_to_implement: This search requires you to be ingesting your network traffic and populating the Network_Traffic data model.
@@ -78,3 +73,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
           source: not_applicable
           sourcetype: cisco:sfw:estreamer
+    - name: Cisco Secure Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/smb.log
+          source: not_applicable
+          sourcetype: cisco:sfw:estreamer
@@ -1,7 +1,7 @@
 name: Windows Remote Desktop Network Bruteforce Attempt
 id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-29'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -69,3 +69,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
           source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
           sourcetype: XmlWinEventLog
+    - name: True Positive Test - Cisco Secure Access Firewall
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/rdp_brute_force.log
+          source: not_applicable
+          sourcetype: cisco:cloud_security:firewall
@@ -0,0 +1,8 @@
+definition: ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
+    "127.0.0.0/8", "169.254.0.0/16", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32",
+    "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24",
+    "192.31.196.0/24", "192.52.193.0/24", "192.88.99.0/24", "224.0.0.0/4", "192.175.48.0/24",
+    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1")
+description: customer specific splunk configurations to normalized Windows Event Log System 7036 to recover actual services execution.
+  Replace the macro definition with configurations for your Splunk Environment.
+name: non_public_ip_blocks
@@ -0,0 +1,24 @@
+name: Cisco Secure Access Analytics
+id: 5ba62cae-0757-497c-9226-771e3bf37eb8
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+status: production
+description: |
+  This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access.
+  The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials.
+  These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways.
+narrative: |
+  Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location.
+  It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform.
+  This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration.
+references:
+- https://www.cisco.com/site/us/en/products/security/secure-access/index.html
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection