splunk · patel-bhavin · May 6, 2026 · May 8, 2026 · May 12, 2026 · May 12, 2026
@@ -0,0 +1,118 @@
+name: Cisco Secure Access DNS
+id: 5673dba3-cae9-449e-8991-03832d79f729
+version: 1
+date: '2026-05-06'
+author: Bhavin Patel, Splunk
+description: |
+  Captures DNS security events from Cisco Secure Access (including Umbrella-style DNS policy and roaming client telemetry) with client identity, query and response metadata, resolved domain, and URL/content categorization.
+  This data source supports detections that correlate user or host activity with high-risk categories such as proxy and anonymizer infrastructure.
+source: not_applicable
+sourcetype: cisco:cloud_security:dns
+supported_TA:
+  - name: Cisco Secure Access Add-on for Splunk
+    url: https://splunkbase.splunk.com/app/7569
+    version: 1.0.50
+fields:
+- RecordType
+- ReplyCode
+- Timestamp
+- _time
+- action
+- app
+- blocked_category
+- category
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- destination_countries
+- domain
+- eventtype
+- granular_identity_type
+- host
+- identities
+- identity_type
+- index
+- linecount
+- message_type
+- organization_id
+- product
+- punct
+- query
+- query_type
+- record_type
+- reply_code
+- reply_code_id
+- rule
+- rule_id
+- s3_uri
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_asset
+- src_asset_id
+- src_asset_tag
+- src_bunit
+- src_category
+- src_city
+- src_country
+- src_dns
+- src_external_ip
+- src_ip
+- src_is_expected
+- src_lat
+- src_long
+- src_mac
+- src_nt_host
+- src_owner
+- src_pci_domain
+- src_priority
+- src_requires_av
+- src_should_timesync
+- src_should_update
+- src_translated_ip
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- tag::user_category
+- tag::user_identity_tag
+- tag::user_watchlist
+- timeendpos
+- timestartpos
+- user
+- user_bunit
+- user_category
+- user_email
+- user_endDate
+- user_first
+- user_identity
+- user_identity_id
+- user_identity_tag
+- user_last
+- user_managedBy
+- user_nick
+- user_phone
+- user_prefix
+- user_priority
+- user_startDate
+- user_suffix
+- user_watchlist
+- user_work_city
+- user_work_country
+- user_work_lat
+- user_work_long
+- vendor
+- vendor_product
+output_fields:
+  - category
+  - domain
+  - src_ip
+  - user
+example_log: '"2026-04-20 22:23:29","EC2AMAZ-J8G2CH1","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","Allowed","1 (A)","NOERROR","www.proxysite.com.","Proxy/Anonymizer,Application,Filter Avoidance","Anyconnect Roaming Client","Anyconnect Roaming Client","","139213","","8209150"'
@@ -0,0 +1,188 @@
+name: Cisco Secure Access Proxy
+id: 2dc95ec2-8964-4ddb-8714-8d7dfe264922
+version: 1
+date: '2026-05-08'
+author: Bhavin Patel, Splunk
+description: |
+  Captures HTTP/HTTPS proxy access events from Cisco Secure Access, including requesting source, user identity, URL, HTTP method, response status, and user-agent metadata.
+  This data source supports detection of automated web reconnaissance, suspicious browsing patterns, and policy-evasion behavior based on high-volume client errors and URL enumeration activity.
+source: cisco_cloud_security_addon
+sourcetype: cisco:cloud_security:proxy
+supported_TA:
+  - name: Cisco Secure Access Add-on for Splunk
+    url: https://splunkbase.splunk.com/app/7569
+    version: 1.0.50
+fields:
+- _time
+- action
+- action_isolate
+- amp_disposition
+- amp_malwarename
+- amp_score
+- app
+- application_ids
+- av_detection
+- blocked_category
+- bytes
+- bytes_in
+- bytes_out
+- category
+- certificate_errors
+- content_type
+- data_center
+- datamodel
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_asset
+- dest_asset_id
+- dest_asset_tag
+- dest_bunit
+- dest_category
+- dest_city
+- dest_country
+- dest_dns
+- dest_ip
+- dest_is_expected
+- dest_lat
+- dest_long
+- dest_mac
+- dest_nt_host
+- dest_owner
+- dest_pci_domain
+- dest_priority
+- dest_requires_av
+- dest_should_timesync
+- dest_should_update
+- destination_list_id
+- detected_response_file_type
+- disposition
+- dlp_status
+- egress
+- eventtype
+- file_action
+- file_hash
+- filename
+- forward_method
+- geo_location_of_blocked_destination_countries
+- host
+- hostname
+- http_content_type
+- http_method
+- http_referrer
+- http_user_agent
+- http_user_agent_length
+- identities
+- identity_type
+- index
+- isolateAction
+- linecount
+- malwarename_name
+- message_correlation_id
+- msp_organization_id
+- organization_id
+- policy_identities
+- policy_identity_type
+- policy_type
+- producer
+- product
+- pua
+- punct
+- request_method
+- request_size
+- response_size
+- response_size_body
+- rule_id
+- rule_set_id
+- s3_uri
+- score
+- security_overridden
+- server_name
+- sha256
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_asset
+- src_asset_id
+- src_asset_tag
+- src_bunit
+- src_category
+- src_city
+- src_country
+- src_dns
+- src_ip
+- src_is_expected
+- src_lat
+- src_long
+- src_mac
+- src_nt_host
+- src_owner
+- src_pci_domain
+- src_priority
+- src_requires_av
+- src_should_timesync
+- src_should_update
+- src_translated_ip
+- ssl_error
+- ssl_subject_common_name
+- status
+- status_warning
+- tag
+- tag::action
+- tag::app
+- tag::dest_requires_av
+- tag::dest_should_timesync
+- tag::dest_should_update
+- tag::eventtype
+- tag::user_category
+- tag::user_identity_tag
+- tag::user_watchlist
+- time_based_rule
+- timeendpos
+- timestartpos
+- url
+- url_domain
+- url_length
+- user
+- user_bunit
+- user_category
+- user_email
+- user_endDate
+- user_first
+- user_identity
+- user_identity_id
+- user_identity_tag
+- user_last
+- user_managedBy
+- user_nick
+- user_phone
+- user_prefix
+- user_priority
+- user_startDate
+- user_suffix
+- user_type
+- user_watchlist
+- user_work_city
+- user_work_country
+- user_work_lat
+- user_work_long
+- vendor
+- vendor_product
+- warnStatus
+- warn_categories
+output_fields:
+  - src_ip
+  - user
+  - status
+  - url
+  - http_user_agent
+example_log: |
+ "2026-04-20 21:57:29","EC2AMAZ-J8G2CH1","10.0.1.115","3.151.127.146","104.20.23.154","text/html","ALLOWED","http://example.com/css-3444","","gobuster/3.8.1","404","","790","528","fb91d75a6bb430787a61b0aec5e374f580030f2878e1613eab5ca6310f7bbb9a","Research/Reference,Reference","","","","","","Anyconnect Roaming Client","","EC2AMAZ-J8G2CH1","Anyconnect Roaming Client","GET","ALLOWED","","css-3444","14303105","139213","","","","","","","","","","mps-7b95df5757-wmc2v.sigproxy.prod_aws_us-east-2_1_0n","PROD_AWS_US-EAST-2_1_0N","false","","false","false","","","8209150"
@@ -0,0 +1,64 @@
+name: Cisco SA - Access to Anonymizer Services
+id: a7c8613a-92e2-4232-b64d-bd39d33dee8b
+version: 1
+date: '2026-05-06'
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
+status: production
+type: Anomaly
+description: |
+    This analytic detects attempts to access proxy-evasion or anonymizer services using Cisco Secure Access DNS and secure web proxy telemetry.
+    Users who reach anonymizer or proxy-evasion infrastructure are often trying to bypass corporate controls such as secure web gateway inspection, DLP monitoring, CASB visibility, and threat-detection systems. These services frequently establish encrypted tunnels that hide subsequent traffic from inspection.
+    Early identification helps security teams spot circumvention attempts before potential data exfiltration or follow-on malicious activity. Correlating DNS resolution and proxy session data strengthens confidence that access was intentional.
+    Activity is mapped to MITRE ATT&CK T1562.001 (Impair Defenses) when categories indicate anonymizer or proxy-evasion infrastructure.
+data_source:
+    - Cisco Secure Access DNS
+search: |
+    `cisco_secure_access_dns`
+    action = "allowed" category= "*anonymizer*"
+    | fillnull
+    | stats count min(_time) as firstTime max(_time) as lastTime values(domain) as domain values(query) as query values(reply_code) as reply_code values(record_type) as record_type by src_ip src_external_ip user identity_type action category sourcetype
+    | `security_content_ctime(firstTime)`
+    | `security_content_ctime(lastTime)`
+    | `cisco_sa___access_to_anonymizer_services_filter`
+how_to_implement: |
+    Ingest Cisco Secure Access DNS and proxy events into Splunk using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
+    Update the `cisco_secure_access_dns` macro so it resolves to the indexes, sources, and sourcetypes used in your environment.
+known_false_positives: |
+    Security research, approved privacy tools, or mis-categorized destinations may appear as anonymizer traffic. Tune this analytic with the filter macro or allow-lists for known-good users, networks, and domains after validating business justification.
+references:
+    - https://attack.mitre.org/techniques/T1090/003
+drilldown_searches:
+    - name: View the detection results for user $user$ and source $src_ip$
+      search: '%original_detection_search% | search user = "$user$" src_ip = "$src_ip$"'
+      earliest_offset: $info_min_time$
+      latest_offset: $info_max_time$
+    - name: View risk events for the last 7 days for $user$
+      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+      earliest_offset: 7d
+      latest_offset: "0"
+rba:
+    message: User $user$ from $src_ip$ accessed proxy-evasion or anonymizer infrastructure (domains=$domain$, categories=$category$).
+    risk_objects:
+        - field: src_ip
+          type: system
+          score: 20
+    threat_objects:
+        - field: domain
+          type: domain
+tags:
+    analytic_story:
+        - Cisco Secure Access Analytics
+    asset_type: Endpoint
+    mitre_attack_id:
+        - T1090.003
+    product:
+        - Splunk Enterprise
+        - Splunk Enterprise Security
+        - Splunk Cloud
+    security_domain: network
+tests:
+    - name: True Positive Test - DNS telemetry
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/dns/anonymizer_dns.log
+          source: not_applicable
+          sourcetype: cisco:cloud_security:dns