From afdfadbecaab735d475e7d005b0b26e784bf1082 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 6 May 2026 17:09:08 +0530
Subject: [PATCH 1/3] new secure access DNS detection
---
 data_sources/cisco_secure_access_dns.yml | 118 ++++++++++++++++++
 ...sco_sa___access_to_anonymizer_services.yml | 64 ++++++++++
 macros/cisco_secure_access_dns.yml | 5 +
 3 files changed, 187 insertions(+)
 create mode 100644 data_sources/cisco_secure_access_dns.yml
 create mode 100644 detections/network/cisco_sa___access_to_anonymizer_services.yml
 create mode 100644 macros/cisco_secure_access_dns.yml
diff --git a/data_sources/cisco_secure_access_dns.yml b/data_sources/cisco_secure_access_dns.yml
new file mode 100644
index 0000000000..59d17ac166
--- /dev/null
+++ b/data_sources/cisco_secure_access_dns.yml
@@ -0,0 +1,118 @@
+name: Cisco Secure Access DNS
+id: 5673dba3-cae9-449e-8991-03832d79f729
+version: 1
+date: '2026-05-06'
+author: Bhavin Patel, Splunk
+description: |
+ Captures DNS security events from Cisco Secure Access (including Umbrella-style DNS policy and roaming client telemetry) with client identity, query and response metadata, resolved domain, and URL/content categorization.
+ This data source supports detections that correlate user or host activity with high-risk categories such as proxy and anonymizer infrastructure.
+source: not_applicable
+sourcetype: cisco:cloud_security:dns
+supported_TA:
+ - name: Cisco Secure Access Add-on for Splunk
+ url: https://splunkbase.splunk.com/app/7569
+ version: 1.0.50
+fields:
+- RecordType
+- ReplyCode
+- Timestamp
+- _time
+- action
+- app
+- blocked_category
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- destination_countries
+- domain
+- eventtype
+- granular_identity_type
+- host
+- identities
+- identity_type
+- index
+- linecount
+- message_type
+- organization_id
+- product
+- punct
+- query
+- query_type
+- record_type
+- reply_code
+- reply_code_id
+- rule
+- rule_id
+- s3_uri
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_asset
+- src_asset_id
+- src_asset_tag
+- src_bunit
+- src_category
+- src_city
+- src_country
+- src_dns
+- src_external_ip
+- src_ip
+- src_is_expected
+- src_lat
+- src_long
+- src_mac
+- src_nt_host
+- src_owner
+- src_pci_domain
+- src_priority
+- src_requires_av
+- src_should_timesync
+- src_should_update
+- src_translated_ip
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::user_category
+- tag::user_identity_tag
+- tag::user_watchlist
+- timeendpos
+- timestartpos
+- user
+- user_bunit
+- user_category
+- user_email
+- user_endDate
+- user_first
+- user_identity
+- user_identity_id
+- user_identity_tag
+- user_last
+- user_managedBy
+- user_nick
+- user_phone
+- 
user_prefix
+- user_priority
+- user_startDate
+- user_suffix
+- user_watchlist
+- user_work_city
+- user_work_country
+- user_work_lat
+- user_work_long
+- vendor
+- vendor_product
+output_fields:
+ - category
+ - domain
+ - src_ip
+ - user
+example_log: '"2026-04-20 22:23:29","EC2AMAZ-J8G2CH1","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","Allowed","1 (A)","NOERROR","www.proxysite.com.","Proxy/Anonymizer,Application,Filter Avoidance","Anyconnect Roaming Client","Anyconnect Roaming Client","","139213","","8209150"'
diff --git a/detections/network/cisco_sa___access_to_anonymizer_services.yml b/detections/network/cisco_sa___access_to_anonymizer_services.yml
new file mode 100644
index 0000000000..5957c95b76
--- /dev/null
+++ b/detections/network/cisco_sa___access_to_anonymizer_services.yml
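Review bot: The `supported_TA` entry names "Cisco Secure Access Add-on for Splunk" (Splunkbase app 7569), but the detection's `how_to_implement` in this same patch sends users to the "Splunk Add-on for Cisco Security Cloud" (app 7404) and both macro descriptions name that second add-on, so a reader cannot tell which add-on actually emits `cisco:cloud_security:dns`. Settle on one add-on across the data source, the detections and the macros, or say in the description that both produce this sourcetype; the same mismatch recurs in the proxy data source and proxy detection of the second patch. Separately, `fields:` is a flush sequence while `supported_TA:` and `output_fields:` indent theirs, which yamllint's `indentation` rule will flag unless the repository config allows the mix.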
@@ -0,0 +1,64 @@
+name: Cisco SA - Access to Anonymizer Services
+id: a7c8613a-92e2-4232-b64d-bd39d33dee8b
+version: 1
+date: '2026-05-06'
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
+status: production
+type: Anomaly
+description: |
+ This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
+ Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
+ Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
+ Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses) when categories indicate anonymizer or proxy-evasion infrastructure.
+data_source:
+ - Cisco Secure Access DNS
+search: |
+ `cisco_secure_access_dns`
+ action = "allowed" category= "*anonymizer*"
+ | fillnull
+ | stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_sa___access_to_anonymizer_services_filter`
+how_to_implement: |
+ Ingest Cisco Secure Access DNS and proxy events into Splunk using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+ Update the `cisco_secure_access_dns` macro so it resolves to the indexes, sources, and sourcetypes used in your environment. 
+known_false_positives: |
+ Security research, approved privacy tools, or mis-categorized destinations may appear as anonymizer traffic. Tune this analytic with the filter macro or allow-lists for known-good users, networks, and domains after validating business justification.
+references:
+ - https://attack.mitre.org/techniques/T1562/001/
+drilldown_searches:
+ - name: View the detection results for user $user$ and source $src_ip$
+ search: '%original_detection_search% | search user = "$user$" src_ip = "$src_ip$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for $user$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+rba:
+ message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
+ risk_objects:
+ - field: src_ip
+ type: system
+ score: 20
+ threat_objects:
+ - field: domain
+ type: domain
+tags:
+ analytic_story:
+ - Cisco Secure Access Analytics
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1562.001
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: network
+tests:
+ - name: True Positive Test - DNS telemetry
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/dns/anonymizer_dns.log
+ source: not_applicable
+ sourcetype: cisco:cloud_security:dns 
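Review bot: The search reads only the `cisco_secure_access_dns` macro and the sole `data_source` entry is DNS, yet the description says the analytic uses "DNS and secure web proxy telemetry" and correlates DNS resolution with proxy session data, and `how_to_implement` tells users to ingest proxy events; the prose promises a correlation the SPL does not perform. Either narrow the description and `how_to_implement` to DNS, or add the proxy join the text describes. Separately, the bare `| fillnull` replaces every missing field with `0`, so an event with no `user` or `src_external_ip` is grouped under the literal value `0`, which then reaches `rba.message` ("User 0 from ...") and the drilldown's `user = "$user$"`; `| fillnull value="unknown" user src_external_ip identity_type` (or dropping the line) keeps those grouping keys meaningful. The `tests` entry exercises only the DNS dataset, which matches the SPL rather than the description.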
diff --git a/macros/cisco_secure_access_dns.yml b/macros/cisco_secure_access_dns.yml
new file mode 100644
index 0000000000..9106b5c3fe
--- /dev/null
+++ b/macros/cisco_secure_access_dns.yml
@@ -0,0 +1,5 @@
+definition: sourcetype="cisco:cloud_security:dns"
+description: |
+ Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access DNS telemetry from the Splunk Add-on for Cisco Security Cloud.
+ Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:dns` and `cisco:cloud_security:proxy` sourcetypes.
+name: cisco_secure_access_dns
From b9952b9783dd0cdcbf7ca0b961a5fe057d5a3193 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 8 May 2026 16:18:59 +0530
Subject: [PATCH 2/3] detection 2
---
 data_sources/cisco_secure_access_proxy.yml | 188 ++++++++++++++++++
 ..._reconnaissance_via_http_access_errors.yml | 73 +++++++
 macros/cisco_secure_access_dns.yml | 2 +-
 macros/cisco_secure_access_proxy.yml | 5 +
 4 files changed, 267 insertions(+), 1 deletion(-)
 create mode 100644 data_sources/cisco_secure_access_proxy.yml
 create mode 100644 detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml
 create mode 100644 macros/cisco_secure_access_proxy.yml
diff --git a/data_sources/cisco_secure_access_proxy.yml b/data_sources/cisco_secure_access_proxy.yml
new file mode 100644
index 0000000000..a82f2f136c
--- /dev/null
+++ b/data_sources/cisco_secure_access_proxy.yml
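Review bot: The description claims the default targets index `sse`, but the `definition` line constrains only `sourcetype="cisco:cloud_security:dns"` and sets no index, so a deployment that trusts the description will search every index it can read. Either put the index into the definition, `definition: index="sse" sourcetype="cisco:cloud_security:dns"` (only if `sse` really is the add-on's default index), or drop the index claim from the description. The second patch rewrites this description line to remove the stray proxy sourcetype but keeps the index claim, and the new `cisco_secure_access_proxy` macro in that patch repeats it against a definition that likewise names no index.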
@@ -0,0 +1,188 @@
+name: Cisco Secure Access Proxy
+id: 2dc95ec2-8964-4ddb-8714-8d7dfe264922
+version: 1
+date: '2026-05-08'
+author: Bhavin Patel, Splunk
+description: |
+ Captures HTTP/HTTPS proxy access events from Cisco Secure Access, including requesting source, user identity, URL, HTTP method, response status, and user-agent metadata.
+ This data source supports detection of automated web reconnaissance, suspicious browsing patterns, and policy-evasion behavior based on high-volume client errors and URL enumeration activity.
+source: cisco_cloud_security_addon
+sourcetype: cisco:cloud_security:proxy
+supported_TA:
+ - name: Cisco Secure Access Add-on for Splunk
+ url: https://splunkbase.splunk.com/app/7569
+ version: 1.0.50
+fields:
+- _time
+- action
+- action_isolate
+- amp_disposition
+- amp_malwarename
+- amp_score
+- app
+- application_ids
+- av_detection
+- blocked_category
+- bytes
+- bytes_in
+- bytes_out
+- category
+- certificate_errors
+- content_type
+- data_center
+- datamodel
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_asset
+- dest_asset_id
+- dest_asset_tag
+- dest_bunit
+- dest_category
+- dest_city
+- dest_country
+- dest_dns
+- dest_ip
+- dest_is_expected
+- dest_lat
+- dest_long
+- dest_mac
+- dest_nt_host
+- dest_owner
+- dest_pci_domain
+- dest_priority
+- dest_requires_av
+- dest_should_timesync
+- dest_should_update
+- destination_list_id
+- detected_response_file_type
+- disposition
+- dlp_status
+- egress
+- eventtype
+- file_action
+- file_hash
+- filename
+- forward_method
+- geo_location_of_blocked_destination_countries
+- host
+- hostname
+- http_content_type
+- http_method
+- http_referrer
+- http_user_agent
+- http_user_agent_length
+- identities
+- identity_type
+- index
+- isolateAction
+- linecount
+- malwarename_name
+- message_correlation_id
+- msp_organization_id
+- organization_id
+- policy_identities
+- policy_identity_type
+- policy_type
+- producer
+- product
+- pua
+- punct
+- request_method
+- request_size
+- response_size
+- response_size_body
+- rule_id
+- rule_set_id
+- s3_uri
+- score
+- security_overridden
+- server_name
+- sha256
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_asset
+- src_asset_id
+- src_asset_tag
+- src_bunit
+- src_category
+- src_city
+- src_country
+- src_dns
+- src_ip
+- src_is_expected
+- src_lat
+- src_long
+- src_mac
+- src_nt_host
+- src_owner
+- src_pci_domain
+- src_priority
+- src_requires_av
+- src_should_timesync
+- src_should_update
+- src_translated_ip
+- ssl_error
+- ssl_subject_common_name
+- status
+- status_warning
+- tag
+- tag::action
+- tag::app
+- tag::dest_requires_av
+- tag::dest_should_timesync
+- tag::dest_should_update
+- tag::eventtype
+- tag::user_category
+- tag::user_identity_tag
+- tag::user_watchlist
+- time_based_rule
+- timeendpos
+- timestartpos
+- url
+- url_domain
+- url_length
+- user
+- user_bunit
+- user_category
+- user_email
+- user_endDate
+- user_first
+- user_identity
+- user_identity_id
+- user_identity_tag
+- user_last
+- user_managedBy
+- user_nick
+- user_phone
+- user_prefix
+- user_priority
+- user_startDate
+- user_suffix
+- user_type
+- user_watchlist
+- user_work_city
+- user_work_country
+- user_work_lat
+- user_work_long
+- vendor
+- vendor_product
+- warnStatus
+- warn_categories
+output_fields:
+ - src_ip
+ - user
+ - status
+ - url
+ - http_user_agent
+example_log: |
+ "2026-04-20 21:57:29","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","104.20.23.154","text/html","ALLOWED","http://example.com/css-3444","","gobuster/3.8.1","404","","790","528","fb91d75a6bb430787a61b0aec5e374f580030f2878e1613eab5ca6310f7bbb9a","Research/Reference,Reference","","","","","","Anyconnect Roaming Client","","EC2AMAZ-J8G2CH1","Anyconnect Roaming 
Client","GET","ALLOWED","","css-3444","14303105","139213","","","","","","","","","","mps-7b95df5757-wmc2v.sigproxy.prod_aws_us-east-2_1_0n","PROD_AWS_US-EAST-2_1_0N","false","","false","false","","","8209150"
diff --git a/detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml b/detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml
new file mode 100644
index 0000000000..57cc682842
--- /dev/null
+++ b/detections/network/cisco_sa___automated_web_reconnaissance_via_http_access_errors.yml
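Review bot: `source: cisco_cloud_security_addon` here differs from the DNS data source's `source: not_applicable` in the first patch, and the two detections' `tests` blocks repeat that split; if the add-on really stamps different `source` values on the two sourcetypes, a one-line comment saying so would help, otherwise one of the two looks like a copy-paste leftover. `example_log` is written as a `|` block scalar here but as a single-quoted scalar in the DNS data source; the block form keeps a trailing newline in the value, so whichever form the repository's other data sources use should be applied to both. The `fields` list mixes `isolateAction` and `warnStatus` with `action_isolate` and `status_warning`, which reads like raw vendor extraction names beside CIM-style ones and is presumably intentional; a short comment above those entries marking them as the add-on's raw field names would stop the next reader from "normalizing" them.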
@@ -0,0 +1,73 @@
+name: Cisco SA - Automated Web Reconnaissance via HTTP Access Errors
+id: 4cd44520-d404-4ca8-b736-c9d6b86ecf31
+version: 1
+date: '2026-05-08'
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
+status: production
+type: Anomaly
+description: |
+ This analytic detects probable automated web reconnaissance using Cisco Secure Access proxy telemetry.
+ A high volume of HTTP client errors (401/403/404) across many unique URLs in a short window is consistent with directory/file enumeration behavior generated by tools such as Gobuster, DirBuster, ffuf, or Burp Intruder.
+ Detecting this pattern helps identify pre-exploitation scanning activity, insider reconnaissance, compromised endpoints performing discovery, and attempts to find hidden administrative paths, APIs, backups, and exposed application files.
+ Activity is mapped to MITRE ATT&CK T1595 (Active Scanning).
+data_source:
+ - Cisco Secure Access Proxy
+search: |
+ `cisco_secure_access_proxy`
+ | eval src_ip=coalesce(src_ip, src)
+ | eval host=coalesce(hostname, host)
+ | eval user=coalesce(user, identities)
+ | eval status=tonumber(status)
+ | eval domain=replace(url, "^https?://([^/]+).*$", "\\1")
+ | eval user_agent=coalesce(http_user_agent, user_agent)
+ | where status IN (401, 403, 404)
+ | bucket _time span=10m
+ | stats count as errors dc(url) as unique_urls values(status) as statuses values(user_agent) as user_agent values(host) as host values(user) as user by src_ip domain _time
+ | where errors > 100 AND unique_urls > 50
+ | eval firstTime=_time, lastTime=_time
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `cisco_sa___automated_web_reconnaissance_via_http_access_errors_filter`
+how_to_implement: |
+ Ingest Cisco Secure Access proxy logs into Splunk using the Splunk Add-on for Cisco Security Cloud.
+ Update the `cisco_secure_access_proxy` macro so it resolves to the index, source, and sourcetype values used in your deployment. 
+known_false_positives: |
+ Aggressive web vulnerability scanners, QA automation, uptime monitoring, and authorized security assessments can generate high HTTP error volumes with large URL diversity.
+ Tune by allow-listing known scanner hosts, user agents, test domains, and approved assessment windows using the filter macro.
+references:
+ - https://attack.mitre.org/techniques/T1595/
+drilldown_searches:
+ - name: View the detection results for source $src_ip$ and domain $domain$
+ search: '%original_detection_search% | search src_ip = "$src_ip$" domain = "$domain$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for $src_ip$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+rba:
+ message: Source $src_ip$ triggered probable automated web reconnaissance on $domain$ with $errors$ HTTP access errors across $unique_urls$ unique URLs. 
+ risk_objects:
+ - field: src_ip
+ type: system
+ score: 70
+ threat_objects:
+ - field: domain
+ type: domain
+tags:
+ analytic_story:
+ - Cisco Secure Access Analytics
+ asset_type: Endpoint
+ mitre_attack_id:
+ - T1595
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: network
+tests:
+ - name: Cisco Secure Access Proxy True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:proxy
diff --git a/macros/cisco_secure_access_dns.yml b/macros/cisco_secure_access_dns.yml
index 9106b5c3fe..b4fcecc7ab 100644
--- a/macros/cisco_secure_access_dns.yml
+++ b/macros/cisco_secure_access_dns.yml
@@ -1,5 +1,5 @@
 definition: sourcetype="cisco:cloud_security:dns"
 description: |
 Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access DNS telemetry from the Splunk Add-on for Cisco Security Cloud.
- Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:dns` and `cisco:cloud_security:proxy` sourcetypes.
+ Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:dns` sourcetype.
 name: cisco_secure_access_dns
diff --git a/macros/cisco_secure_access_proxy.yml b/macros/cisco_secure_access_proxy.yml
new file mode 100644
index 0000000000..49be8fc1b0
--- /dev/null
+++ b/macros/cisco_secure_access_proxy.yml
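Review bot: `| eval firstTime=_time, lastTime=_time` runs after `| bucket _time span=10m`, so both values are the 10-minute bucket start and are always identical; the real first and last event times are discarded before `stats`, which makes the `security_content_ctime` output and any triage based on it misleading. Carry the event time through instead: add `| eval event_time=_time` before the `bucket`, put `min(event_time) as firstTime max(event_time) as lastTime` into the `stats` call, and delete the later `eval`. The `domain` extraction regex yields the whole `url` whenever the URL carries no scheme, while the proxy data source already lists a `url_domain` field; `| eval domain=coalesce(url_domain, replace(url, "^https?://([^/]+).*$", "\\1"))` would prefer the add-on's value and keep the regex as a fallback. `user_agent` is not among the data source's fields, so `coalesce(http_user_agent, user_agent)` is presumably a defensive no-op; confirm there is an extraction for it or simplify to `http_user_agent`.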
@@ -0,0 +1,5 @@
+definition: sourcetype="cisco:cloud_security:proxy"
+description: |
+ Customer-specific Splunk configurations (for example index, source, or sourcetype) for Cisco Secure Access proxy telemetry from the Splunk Add-on for Cisco Security Cloud.
+ Replace the macro definition with settings that match your deployment. The default targets index `sse` and the `cisco:cloud_security:proxy` sourcetype.
+name: cisco_secure_access_proxy
From 719affe56d5559d6cc0688876df9ddd2589d9788 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Tue, 12 May 2026 11:56:10 +0530
Subject: [PATCH 3/3] mitre ID update
---
 .../network/cisco_sa___access_to_anonymizer_services.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/detections/network/cisco_sa___access_to_anonymizer_services.yml b/detections/network/cisco_sa___access_to_anonymizer_services.yml
index 5957c95b76..cf9e5d24ce 100644
--- a/detections/network/cisco_sa___access_to_anonymizer_services.yml
+++ b/detections/network/cisco_sa___access_to_anonymizer_services.yml
@@ -26,7 +26,7 @@ how_to_implement: |
 known_false_positives: |
 Security research, approved privacy tools, or mis-categorized destinations may appear as anonymizer traffic. Tune this analytic with the filter macro or allow-lists for known-good users, networks, and domains after validating business justification.
 references:
- - https://attack.mitre.org/techniques/T1562/001/
+ - https://attack.mitre.org/techniques/T1090/003
 drilldown_searches:
 - name: View the detection results for user $user$ and source $src_ip$
 search: '%original_detection_search% | search user = "$user$" src_ip = "$src_ip$"'
@@ -50,7 +50,7 @@ tags:
 - Cisco Secure Access Analytics
 asset_type: Endpoint
 mitre_attack_id:
- - T1562.001
+ - T1090.003
 product:
 - Splunk Enterprise
 - Splunk Enterprise Security
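Review bot: The detection's `description` block, which sits above this hunk and is not touched by the patch, still ends with "Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses)", so after this change the prose, `references` and `tags.mitre_attack_id` (the second hunk of this patch) disagree on the technique. Update that sentence in the same commit to name T1090.003 (Proxy: Multi-hop Proxy) so the three fields stay in step. The new reference URL also drops the trailing slash that the replaced line and the other detection's `https://attack.mitre.org/techniques/T1595/` use; `https://attack.mitre.org/techniques/T1090/003/` keeps the references uniform.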