diff --git a/data_sources/cisco_secure_access_ravpn_push_security_events.yml b/data_sources/cisco_secure_access_ravpn_push_security_events.yml
new file mode 100644
index 0000000000..fec69f1e57
--- /dev/null
+++ b/data_sources/cisco_secure_access_ravpn_push_security_events.yml
@@ -0,0 +1,145 @@
+name: Cisco Secure Access RAVPN Push Security Events
+id: f9ce1c6a-bf61-4a2b-91a6-3c59d837b1a8
+version: 1
+creation_date: '2026-04-27'
+modification_date: '2026-04-27'
+author: Bhavin Patel, Splunk
+description: |
+ Remote Access VPN (RAVPN) push security events from Cisco Secure Access, including session metadata, tunnel statistics, endpoint posture, ASA syslog context, and OCSF-aligned identifiers for correlation.
+source: not_applicable
+sourcetype: cisco:secure_access:security_events_ravpn
+supported_TA:
+ - name: Cisco Secure Access Add-on for Splunk
+ url: https://splunkbase.splunk.com/app/7569
+ version: 1.0.48
+fields:
+- _time
+- action
+- activity_id
+- app
+- category_uid
+- cisco_asa.full_log_print_specifiers
+- cisco_asa.syslog_class
+- cisco_asa.syslog_descriptor
+- cisco_asa.syslog_id
+- cisco_asa.syslog_id_with_version
+- cisco_asa.syslog_severity
+- cisco_dtls_ipsec_tunnel.bytes_received
+- cisco_dtls_ipsec_tunnel.bytes_transmitted
+- cisco_dtls_ipsec_tunnel.cipher_suite
+- cisco_dtls_ipsec_tunnel.compression
+- cisco_dtls_ipsec_tunnel.connection_timeout
+- cisco_dtls_ipsec_tunnel.connection_timeout_left
+- cisco_dtls_ipsec_tunnel.destination_port
+- cisco_dtls_ipsec_tunnel.dh_group
+- cisco_dtls_ipsec_tunnel.encapsulation
+- cisco_dtls_ipsec_tunnel.encryption
+- cisco_dtls_ipsec_tunnel.filter_name
+- cisco_dtls_ipsec_tunnel.hashing
+- cisco_dtls_ipsec_tunnel.id
+- cisco_dtls_ipsec_tunnel.idle_timeout
+- cisco_dtls_ipsec_tunnel.idle_timeout_left
+- cisco_dtls_ipsec_tunnel.ipv6_filter_name
+- cisco_dtls_ipsec_tunnel.local_selector
+- cisco_dtls_ipsec_tunnel.packets_received
+- cisco_dtls_ipsec_tunnel.packets_received_dropped
+- cisco_dtls_ipsec_tunnel.packets_transmitted
+- cisco_dtls_ipsec_tunnel.packets_transmitted_dropped
+- cisco_dtls_ipsec_tunnel.pfs_group
+- cisco_dtls_ipsec_tunnel.prf
+- cisco_dtls_ipsec_tunnel.rekey_data
+- cisco_dtls_ipsec_tunnel.rekey_data_left
+- cisco_dtls_ipsec_tunnel.rekey_interval
+- cisco_dtls_ipsec_tunnel.rekey_interval_left
+- cisco_dtls_ipsec_tunnel.remote_selector
+- cisco_dtls_ipsec_tunnel.source_port
+- cisco_endpoint_posture.dap_connection_type
+- cisco_endpoint_posture.dap_record_name
+- cisco_event_id
+- cisco_event_type
+- cisco_organization_id
+- cisco_origin.id
+- cisco_origin.type
+- cisco_ravpn_metadata.anyconnect_version
+- cisco_ravpn_metadata.event_type
+- cisco_ravpn_session.assigned_ip
+- cisco_ravpn_session.assigned_ipv6
+- cisco_ravpn_session.audit_session_id
+- cisco_ravpn_session.connected_at
+- cisco_ravpn_session.disconnection_reason
+- cisco_ravpn_session.duration
+- cisco_ravpn_session.id
+- cisco_ravpn_session.inactivity
+- cisco_ravpn_session.public_ip
+- cisco_ravpn_session.public_ipv6
+- cisco_ravpn_session.redirect_acl
+- cisco_ravpn_session.redirect_url
+- cisco_ravpn_session.security_group_tag
+- cisco_ravpn_session.session_type
+- cisco_ravpn_session.vpn_profile
+- cisco_ravpn_session.warning_reason
+- cisco_ssl_ike_tunnel.bytes_received
+- cisco_ssl_ike_tunnel.bytes_transmitted
+- cisco_ssl_ike_tunnel.cipher_suite
+- cisco_ssl_ike_tunnel.compression
+- cisco_ssl_ike_tunnel.connection_timeout
+- cisco_ssl_ike_tunnel.connection_timeout_left
+- cisco_ssl_ike_tunnel.destination_port
+- cisco_ssl_ike_tunnel.dh_group
+- cisco_ssl_ike_tunnel.encapsulation
+- cisco_ssl_ike_tunnel.encryption
+- cisco_ssl_ike_tunnel.filter_name
+- cisco_ssl_ike_tunnel.hashing
+- cisco_ssl_ike_tunnel.id
+- cisco_ssl_ike_tunnel.idle_timeout
+- cisco_ssl_ike_tunnel.idle_timeout_left
+- cisco_ssl_ike_tunnel.ipv6_filter_name
+- cisco_ssl_ike_tunnel.local_selector
+- cisco_ssl_ike_tunnel.packets_received
+- cisco_ssl_ike_tunnel.packets_received_dropped
+- cisco_ssl_ike_tunnel.packets_transmitted
+- cisco_ssl_ike_tunnel.packets_transmitted_dropped
+- cisco_ssl_ike_tunnel.pfs_group
+- cisco_ssl_ike_tunnel.prf
+- cisco_ssl_ike_tunnel.rekey_data
+- cisco_ssl_ike_tunnel.rekey_data_left
+- cisco_ssl_ike_tunnel.rekey_interval
+- cisco_ssl_ike_tunnel.rekey_interval_left
+- cisco_ssl_ike_tunnel.remote_selector
+- cisco_ssl_ike_tunnel.source_port
+- class_uid
+- cloud.region
+- dest
+- device.os.version
+- eventtype
+- extracted_source
+- host
+- index
+- linecount
+- metadata.product.name
+- metadata.version
+- policy.data.failed_reasons{}
+- product
+- punct
+- severity_id
+- signature
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_endpoint.name
+- tag
+- tag::action
+- tag::eventtype
+- time
+- type
+- type_uid
+- user
+- vendor
+- vendor_product
+output_fields:
+- _time
+- src_ip
+example_log: |
+ {"activity_id":0,"category_uid":4,"cisco_asa":{"full_log_print_specifiers":"[\"\",\"\",\"\",\"\"]","syslog_class":"INFORMATION","syslog_descriptor":"AAA_RESULT_REJECT","syslog_id":"ASA-6-113005","syslog_id_with_version":"ASA-6-113005-0","syslog_severity":"6"},"cisco_dtls_ipsec_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"cisco_endpoint_posture":{"dap_connection_type":"","dap_record_name":""},"cisco_event_id":"002d2a48429b9ee68f03743d676acf20e39c411afe61e238378820fa2cb2e724","cisco_event_type":"ravpn","cisco_organization_id":8176184,"cisco_origin":{"id":0,"type":"UNKNOWN"},"cisco_ravpn_metadata":{"anyconnect_version":"","event_type":"FAILED"},"cisco_ravpn_session":{"assigned_ip":"","assigned_ipv6":"","audit_session_id":"","connected_at":0,"disconnection_reason":"","duration":"","id":"","inactivity":"","public_ip":"178.130.47.199","public_ipv6":"","redirect_acl":"","redirect_url":"","security_group_tag":"","session_type":"","vpn_profile":"","warning_reason":""},"cisco_ssl_ike_tunnel":{"bytes_received":0,"bytes_transmitted":0,"cipher_suite":"","compression":"","connection_timeout":"","connection_timeout_left":"","destination_port":0,"dh_group":"","encapsulation":"","encryption":"","filter_name":"","hashing":"","id":"","idle_timeout":"","idle_timeout_left":"","ipv6_filter_name":"","local_selector":"","packets_received":0,"packets_received_dropped":0,"packets_transmitted":0,"packets_transmitted_dropped":0,"pfs_group":"","prf":"","rekey_data":"","rekey_data_left":"","rekey_interval":"","rekey_interval_left":"","remote_selector":"","source_port":0},"class_uid":4001,"cloud":{"region":"us-west-2"},"device":{"os":{"version":""}},"metadata":{"product":{"name":"ciscoSecureAccess"},"version":"1.6.0"},"policy":{"data":{"failed_reasons":["AUTHORIZATION-CHECK"]}},"severity_id":0,"src_endpoint":{"name":""},"time":1777301699000,"type_uid":400100}
diff --git a/detections/application/ravpn___high_authentication_failures_from_source.yml b/detections/application/ravpn___high_authentication_failures_from_source.yml
new file mode 100644
index 0000000000..26c047b310
--- /dev/null
+++ b/detections/application/ravpn___high_authentication_failures_from_source.yml
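Review bot: `output_fields` lists `src_ip`, which is not among the `fields` this source carries; it is the name the detection derives with `eval` from `cisco_ravpn_session.public_ip` and `src`. If `output_fields` is meant to name fields the source itself emits, `src` (or `cisco_ravpn_session.public_ip`) is the accurate entry; otherwise a one-line comment such as `# src_ip is derived by the detection via eval, not emitted by the add-on` would save the next reader the same question. The `example_log` also carries what looks like a routable public address (`178.130.47.199`); an address from the RFC 5737 documentation ranges avoids pointing a committed sample at a real host. The collapsed whitespace makes it hard to be certain, but `fields` appears to use a flush sequence while `supported_TA` indents its items, and yamllint's indent-sequences check expects one style file-wide.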
@@ -0,0 +1,68 @@
+name: RAVPN - High Authentication Failures from Source
+id: 4a39dfc3-2ab0-4620-8da9-18e6a6bad7b6
+version: 1
+creation_date: '2026-04-27'
+modification_date: '2026-04-27'
+author: Bhavin Patel, Splunk
+status: production
+type: Anomaly
+description: |
+ The following analytic detects a high volume of Cisco Secure Access RAVPN authentication failure events from the same client source within a five-minute window. It identifies events where AnyConnect or ASA AAA signals indicate a failed VPN authentication attempt—such as RAVPN metadata event type FAILED or ASA syslog descriptor AAA_RESULT_REJECT—and aggregates failure events per client public IP. This pattern may indicate password guessing, credential stuffing, or brute-force activity against remote access VPN. If confirmed malicious, an attacker may be attempting to obtain valid VPN credentials for initial access or persistence.
+data_source:
+ - Cisco Secure Access RAVPN Push Security Events
+search: |-
+ `cisco_secure_access_ravpn` (cisco_ravpn_metadata.event_type="FAILED" OR cisco_asa.syslog_descriptor="AAA_RESULT_REJECT")
+ | eval src_ip=coalesce('cisco_ravpn_session.public_ip', src)
+ | where isnotnull(src_ip) AND src_ip!=""
+ | bin _time span=5m
+ | stats count min(_time) as firstTime max(_time) as lastTime
+ values(cisco_event_id) as cisco_event_ids
+ values(cisco_asa.syslog_id) as cisco_asa_syslog_ids
+ values(cloud.region) as cloud_region
+ BY src_ip _time
+ | where count >= 10
+ | `security_content_ctime(firstTime)`
+ | `security_content_ctime(lastTime)`
+ | `ravpn___high_authentication_failures_from_source_filter`
+how_to_implement: |
+ Ingest Cisco Secure Access RAVPN push security events with sourcetype `cisco:secure_access:security_events_ravpn` using the Cisco Secure Access Add-on for Splunk (https://splunkbase.splunk.com/app/7569). This search uses the input macro `cisco_secure_access_ravpn`; replace it with your index, source, or sourcetype qualifiers as needed. A post-filter macro is included for tuning known false positives. Schedule the search every five minutes with a lookback of at least ten minutes so five-minute buckets are complete.
+known_false_positives: |
+ Shared NAT egress, captive portals, misconfigured AnyConnect clients, or legitimate users repeatedly entering wrong passwords can produce bursts of failures. Tune the count threshold, exclude trusted egress IPs via the filter macro, or scope to specific VPN profiles or organizations if your deployment is noisy.
+references:
+ - https://developer.cisco.com/docs/cloud-security/ravpn-push-security-events
+ - https://attack.mitre.org/techniques/T1110/
+ - https://splunkbase.splunk.com/app/7569
+drilldown_searches:
+ - name: View the detection results for $src_ip$
+ search: '%original_detection_search% | search src_ip = $src_ip$'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+ - name: View risk events for the last 7 days for $src_ip$
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ($src_ip$) | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: 7d
+ latest_offset: "0"
+intermediate_findings:
+ entities:
+ - field: src_ip
+ type: system
+ score: 20
+ message: High volume of RAVPN authentication failures detected from source $src_ip$ within a five-minute window, which may indicate credential stuffing or brute-force activity.
+threat_objects: []
+analytic_story:
+ - Compromised User Account
+asset_type: Identity
+mitre_attack_id:
+ - T1110.001
+product:
+ - Splunk Enterprise
+ - Splunk Cloud
+ - Splunk Enterprise Security
+category: application
+security_domain: access
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log
+ source: not_applicable
+ sourcetype: cisco:secure_access:security_events_ravpn
+ test_type: unit
diff --git a/dist/.gitkeep b/dist/.gitkeep
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/macros/cisco_secure_access_ravpn.yml b/macros/cisco_secure_access_ravpn.yml
new file mode 100644
index 0000000000..a27039a671
--- /dev/null
+++ b/macros/cisco_secure_access_ravpn.yml
@@ -0,0 +1,8 @@
+name: cisco_secure_access_ravpn
+id: 0225c7e6-c52e-44fa-92c3-acd040015f69
+version: 1
+creation_date: '2026-06-03'
+modification_date: '2026-06-03'
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
+description: customer specific splunk configurations(eg- index, source, sourcetype). Replace the macro definition with configurations for your Splunk Environment.
+definition: sourcetype="cisco:secure_access:security_events_ravpn"
diff --git a/schemas/Baseline.schema.json b/schemas/Baseline.schema.json
index 015747f4cd..bad06964f4
--- a/schemas/Baseline.schema.json
+++ b/schemas/Baseline.schema.json
@@ -184,7 +184,10 @@
 "Cisco SD-WAN NTCE 1000001",
 "Cisco SD-WAN Service Proxy Access Logs",
 "Cisco Secure Access Analytics",
+ "Cisco Secure Access DNS",
 "Cisco Secure Access Firewall",
+ "Cisco Secure Access Proxy",
+ "Cisco Secure Access RAVPN Push Security Events",
 "Cisco Secure Firewall Threat Defense Analytics",
 "Cisco Secure Firewall Threat Defense Connection Event",
 "Cisco Secure Firewall Threat Defense File Event",
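Review bot: The `| eval src_ip=coalesce('cisco_ravpn_session.public_ip', src)` line in `search` never falls back to `src` when `public_ip` is present but empty, because `coalesce` returns the first non-null value and `""` is not null; the following `| where isnotnull(src_ip) AND src_ip!=""` then discards the event instead of using `src`. The data source's example event fills unset fields with `""`, so this looks like a reachable case; `| eval src_ip=coalesce(nullif('cisco_ravpn_session.public_ip', ""), src)` keeps the fallback. The `stats` also carries no user dimension, so an analyst cannot tell one account being guessed from many accounts being tried from the same egress; if the add-on populates `user` on failed events, adding `values(user) as users dc(user) as user_count` to the stats clause makes triage and the false-positive tuning described in `known_false_positives` easier. Since the description names credential stuffing, listing `T1110.004` alongside `T1110.001` under `mitre_attack_id` would keep the mapping consistent with the text.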
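Review bot: The macro's `description` has a wording glitch, `configurations(eg- index, source, sourcetype)`, with no space before the parenthesis and a non-standard abbreviation; suggest `description: Customer-specific Splunk configurations (e.g. index, source, sourcetype). Replace the macro definition with the configuration for your Splunk environment.` The `creation_date` and `modification_date` here (`'2026-06-03'`) are later than the `'2026-04-27'` dates on the detection that references this macro in the same commit, which may be intended but is worth a second look so the metadata reflects when the macro was actually introduced.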
@@ -707,6 +710,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", @@ -715,6 +719,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", @@ -1231,8 +1238,8 @@ "94f6a1c9-aae7-46a4-9083-2bb1f5768ec4", "bac8a340-be64-4491-a0cc-0985cb227f5a", "234f9b7c-b53d-4f32-897b-b880a6c9ea7b", - "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "b877943f-0377-44f4-8477-f79db7f07c4d", + "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "54782d65-12f0-47a5-b4c1-b70ee23de6df", "e03ada14-0980-4107-aff1-7783b2b59bb1", "e7e3a525-7612-4d68-a5d3-c4649181b8af", @@ -1467,7 +1474,9 @@ "6326dbc4-444b-4c04-88f4-27e94d0327cb", "9ebe7901-7edf-45c0-b5c7-8366300919db", "8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4", + "5fabf878-7dd4-48d3-9995-408fac68e166", "069258f4-2162-46e9-9a25-c9c6c56150d2", + "4383bbd3-aa6c-49fd-a1a9-cf112c95982c", "815bef8b-bf91-4b67-be4c-abe4c2a94ccc", "42510244-5019-48fa-a0e5-66c3b76e6049", "9d04efee-eff5-4240-b8d2-07792b873608", @@ -2064,6 +2073,7 @@ "4c8db261-a58b-42a6-a866-0a294deedde4", "f0027655-25ef-47b0-acaf-3d83d106156c", "c75612b2-9de0-4d7c-879c-10d7b077072d", + "5696f417-30e5-4942-988d-0b9dcfe3a929", "d322cdd7-7d60-46e3-9111-648848da7c02", "a8568b10-9ab9-4140-a523-1c72e0176924", "33ca84bc-4259-4943-bd36-4655dc420932", @@ -2210,6 +2220,7 @@ "5bec4cc8-f41e-437b-b417-33ff60acf9af", "a0c1725f-abcd-40d6-baac-020f3cf94ecd", "d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec", + "3d9e332e-60c9-407a-af4c-a9ae43c4f1d0", "7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0", "a83ad6e8-6f24-4d7f-8f44-75f8ab742991", "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", 
@@ -2293,6 +2304,7 @@ "0315bdff-4178-47e9-81e4-f31a6d23f7e4", "736b4f53-f400-4c22-855d-1a6b5a551600", "114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0", + "3f452c87-25b5-47c0-81d8-01908df1b927", "183235ca-8e6c-422c-88c2-3aa28c4825d9", "b4ca838d-d013-4461-bf2c-f7132617b409", "0b79c06f-c788-44a2-8630-d69051f1123d", @@ -2746,6 +2758,7 @@ "453acf13-1dbd-47d7-b28a-172ce9228023", "da4f751a-020b-40d7-b9ff-d433b7799803", "14033063-ee04-4eaf-8f5d-ba07ca7a097c", + "14bd90b1-c3f3-4115-9861-cf0519a59654", "8bec51da-7a6d-4346-b941-51eca448c4b0", "1d958c61-09c6-4d9e-b26b-4130314e520e", "12e03af7-79f9-4f95-af48-d3f12f28a260", @@ -2795,8 +2808,9 @@ "96db2632-8417-4dbb-b8bb-a8b92ba391de", "a50d5a97-2531-499e-a1de-5544c74432c6", "6cd715aa-20ac-4be1-a8f1-dda7bae160bd", - "44a4bedf-ffe3-452e-bee4-6925ab125662", + "50859b3b-b088-4c7b-973d-03a0365a9bf9", "16f6374f-7600-459a-9b16-6a88fd96d310", + "44a4bedf-ffe3-452e-bee4-6925ab125662", "e9584f82-322c-474a-b831-940fd8b4455c", "e6f36545-dc1e-47f0-9f48-7f730f54a02e", "52778a8f-a10b-41a4-9eae-52ddb74072bf", diff --git a/schemas/EventBasedDetection.schema.json b/schemas/EventBasedDetection.schema.json index a5ea1e4619..42fcfd0ce4 100644 --- a/schemas/EventBasedDetection.schema.json +++ b/schemas/EventBasedDetection.schema.json @@ -193,7 +193,10 @@ "Cisco SD-WAN NTCE 1000001", "Cisco SD-WAN Service Proxy Access Logs", "Cisco Secure Access Analytics", + "Cisco Secure Access DNS", "Cisco Secure Access Firewall", + "Cisco Secure Access Proxy", + "Cisco Secure Access RAVPN Push Security Events", "Cisco Secure Firewall Threat Defense Analytics", "Cisco Secure Firewall Threat Defense Connection Event", "Cisco Secure Firewall Threat Defense File Event", @@ -748,6 +751,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", 
@@ -756,6 +760,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", @@ -1316,8 +1323,8 @@ "94f6a1c9-aae7-46a4-9083-2bb1f5768ec4", "bac8a340-be64-4491-a0cc-0985cb227f5a", "234f9b7c-b53d-4f32-897b-b880a6c9ea7b", - "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "b877943f-0377-44f4-8477-f79db7f07c4d", + "b8147c9a-84db-4ec1-8eee-4e0da75f0de5", "54782d65-12f0-47a5-b4c1-b70ee23de6df", "e03ada14-0980-4107-aff1-7783b2b59bb1", "e7e3a525-7612-4d68-a5d3-c4649181b8af", @@ -1552,7 +1559,9 @@ "6326dbc4-444b-4c04-88f4-27e94d0327cb", "9ebe7901-7edf-45c0-b5c7-8366300919db", "8fe2ccfd-f079-4c03-b1a9-bd9b362b67d4", + "5fabf878-7dd4-48d3-9995-408fac68e166", "069258f4-2162-46e9-9a25-c9c6c56150d2", + "4383bbd3-aa6c-49fd-a1a9-cf112c95982c", "815bef8b-bf91-4b67-be4c-abe4c2a94ccc", "42510244-5019-48fa-a0e5-66c3b76e6049", "9d04efee-eff5-4240-b8d2-07792b873608", @@ -2149,6 +2158,7 @@ "4c8db261-a58b-42a6-a866-0a294deedde4", "f0027655-25ef-47b0-acaf-3d83d106156c", "c75612b2-9de0-4d7c-879c-10d7b077072d", + "5696f417-30e5-4942-988d-0b9dcfe3a929", "d322cdd7-7d60-46e3-9111-648848da7c02", "a8568b10-9ab9-4140-a523-1c72e0176924", "33ca84bc-4259-4943-bd36-4655dc420932", @@ -2295,6 +2305,7 @@ "5bec4cc8-f41e-437b-b417-33ff60acf9af", "a0c1725f-abcd-40d6-baac-020f3cf94ecd", "d1c73b96-ab87-4031-bad8-0e1b3b8bf3ec", + "3d9e332e-60c9-407a-af4c-a9ae43c4f1d0", "7c8c7bd8-0a5c-4514-a6a3-0814c5a98cf0", "a83ad6e8-6f24-4d7f-8f44-75f8ab742991", "7e7ac3ed-f795-4fa5-b711-09d6fbe9b873", @@ -2378,6 +2389,7 @@ "0315bdff-4178-47e9-81e4-f31a6d23f7e4", "736b4f53-f400-4c22-855d-1a6b5a551600", "114dd4e3-8d1c-4ea7-bb8d-8d8f6aca21f0", + "3f452c87-25b5-47c0-81d8-01908df1b927", "183235ca-8e6c-422c-88c2-3aa28c4825d9", "b4ca838d-d013-4461-bf2c-f7132617b409", "0b79c06f-c788-44a2-8630-d69051f1123d", 
@@ -2831,6 +2843,7 @@ "453acf13-1dbd-47d7-b28a-172ce9228023", "da4f751a-020b-40d7-b9ff-d433b7799803", "14033063-ee04-4eaf-8f5d-ba07ca7a097c", + "14bd90b1-c3f3-4115-9861-cf0519a59654", "8bec51da-7a6d-4346-b941-51eca448c4b0", "1d958c61-09c6-4d9e-b26b-4130314e520e", "12e03af7-79f9-4f95-af48-d3f12f28a260", @@ -2880,8 +2893,9 @@ "96db2632-8417-4dbb-b8bb-a8b92ba391de", "a50d5a97-2531-499e-a1de-5544c74432c6", "6cd715aa-20ac-4be1-a8f1-dda7bae160bd", - "44a4bedf-ffe3-452e-bee4-6925ab125662", + "50859b3b-b088-4c7b-973d-03a0365a9bf9", "16f6374f-7600-459a-9b16-6a88fd96d310", + "44a4bedf-ffe3-452e-bee4-6925ab125662", "e9584f82-322c-474a-b831-940fd8b4455c", "e6f36545-dc1e-47f0-9f48-7f730f54a02e", "52778a8f-a10b-41a4-9eae-52ddb74072bf", diff --git a/schemas/Playbook.schema.json b/schemas/Playbook.schema.json index aa4da253b5..a266397606 100644 --- a/schemas/Playbook.schema.json +++ b/schemas/Playbook.schema.json @@ -360,7 +360,6 @@ "Amazon EKS Kubernetes cluster scan detection", "Anomalous usage of 7zip", "Attacker Tools On Endpoint", - "Attempt To Add Certificate To Untrusted Store", "Auto Admin Logon Registry Entry", "Azure AD Admin Consent Bypassed by Service Principal", "Azure AD Application Administrator Role Assigned", @@ -417,7 +416,6 @@ "BITSAdmin Download File", "Batch File Write to System32", "Bcdedit Command Back To Normal Mode Boot", - "CHCP Command Execution", "CMD Carry Out String Command Parameter", "CMD Echo Pipe - Escalation", "CMLUA Or CMSTPLUA UAC Bypass", 
@@ -459,7 +457,16 @@ "Cisco Duo Policy Skip 2FA for Other Countries", "Cisco Duo Set User Status to Bypass 2FA", "Cisco IOS Suspicious Privileged Account Creation", + "Cisco IOS XE Guestshell Activation and Destroy", "Cisco IOS XE Implant Access", + "Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal", + "Cisco IOS XE Reconnaissance Command Activity", + "Cisco IOS XE Remote Access Probe Burst", + "Cisco IOS XE Request Platform Package Describe Shell Pattern", + "Cisco IOS XE Tunnel Interface Configuration", + "Cisco IOS XE VTY Access Class Tampering", + "Cisco IOS XE WebUI Login From IOSd Local Port", + "Cisco IOS XE WebUI Programmatic Configuration", "Cisco Isovalent - Access To Cloud Metadata Service", "Cisco Isovalent - Cron Job Creation", "Cisco Isovalent - Curl Execution With Insecure Flags", @@ -487,6 +494,8 @@ "Cisco Network Interface Modifications", "Cisco Privileged Account Creation with HTTP Command Execution", "Cisco Privileged Account Creation with Suspicious SSH Activity", + "Cisco SA - Access to Anonymizer Services", + "Cisco SA - Automated Web Reconnaissance via HTTP Access Errors", "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "Cisco SD-WAN - Low Frequency Rogue Peer", "Cisco SD-WAN - Peering Activity", @@ -897,7 +906,6 @@ "Ivanti EPM SQL Injection Remote Code Execution", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", - "Ivanti Sentry Authentication Bypass", "Ivanti VTM New Account Creation", "Java Class File download by Java User Agent", "Java Writing JSP File", 
@@ -1350,11 +1358,11 @@ "Process Kill Base On File Path", "Process Writing DynamicWrapperX", "Processes Tapping Keyboard Events", - "Processes launching netsh", "Prohibited Network Traffic Allowed", "Protocol or Port Mismatch", "Protocols passing authentication in cleartext", "ProxyShell ProxyNotShell Behavior Detected", + "RAVPN - High Authentication Failures from Source", "Randomly Generated Scheduled Task Name", "Randomly Generated Windows Service Name", "Ransomware Notes bulk creation", @@ -1410,7 +1418,6 @@ "SQL Injection with Long URLs", "SSL Certificates with Punycode", "Samsam Test File Write", - "Sc exe Manipulating Windows Services", "SchCache Change By App Connect And Create ADSI Object", "Schedule Task with HTTP Command Arguments", "Schedule Task with Rundll32 Command Trigger", diff --git a/schemas/RemovedContent.schema.json b/schemas/RemovedContent.schema.json index da74df0347..ee6ca32d7a 100644 --- a/schemas/RemovedContent.schema.json +++ b/schemas/RemovedContent.schema.json @@ -212,7 +212,6 @@ "AsyncRAT", "Atlassian Confluence Server and Data Center CVE-2022-26134", "Attacker Tools On Endpoint", - "Attempt To Add Certificate To Untrusted Store", "Attribute Lookup Dispatch", "Auto Admin Logon Registry Entry", "Automated Enrichment", @@ -337,7 +336,6 @@ "Bro x509", "Browser Hijacking", "Brute Ratel C4", - "CHCP Command Execution", "CISA AA22-257A", "CISA AA22-264A", "CISA AA22-277A", 
@@ -403,8 +401,17 @@ "Cisco Duo Suspicious Activity", "Cisco IOS Logs", "Cisco IOS Suspicious Privileged Account Creation", + "Cisco IOS XE Guestshell Activation and Destroy", "Cisco IOS XE Implant Access", + "Cisco IOS XE Log Clearing Sequence With Optional Loopback Removal", + "Cisco IOS XE Reconnaissance Command Activity", + "Cisco IOS XE Remote Access Probe Burst", + "Cisco IOS XE Request Platform Package Describe Shell Pattern", "Cisco IOS XE Software Web Management User Interface vulnerability", + "Cisco IOS XE Tunnel Interface Configuration", + "Cisco IOS XE VTY Access Class Tampering", + "Cisco IOS XE WebUI Login From IOSd Local Port", + "Cisco IOS XE WebUI Programmatic Configuration", "Cisco Isovalent - Access To Cloud Metadata Service", "Cisco Isovalent - Cron Job Creation", "Cisco Isovalent - Curl Execution With Insecure Flags", @@ -439,6 +446,8 @@ "Cisco Network Visibility Module OSquery", "Cisco Privileged Account Creation with HTTP Command Execution", "Cisco Privileged Account Creation with Suspicious SSH Activity", + "Cisco SA - Access to Anonymizer Services", + "Cisco SA - Automated Web Reconnaissance via HTTP Access Errors", "Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity", "Cisco SD-WAN - Low Frequency Rogue Peer", "Cisco SD-WAN - Peering Activity", @@ -447,7 +456,10 @@ "Cisco SD-WAN Service Proxy Access Logs", "Cisco SNMP Community String Configuration Changes", "Cisco Secure Access Analytics", + "Cisco Secure Access DNS", "Cisco Secure Access Firewall", + "Cisco Secure Access Proxy", + "Cisco Secure Access RAVPN Push Security Events", "Cisco Secure Firewall - Binary File Type Download", "Cisco Secure Firewall - Bits Network Activity", "Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint", 
@@ -989,7 +1001,6 @@ "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35078", "Ivanti EPMM Remote Unauthenticated API Access CVE-2023-35082", "Ivanti EPMM Remote Unauthenticated Access", - "Ivanti Sentry Authentication Bypass", "Ivanti Sentry Authentication Bypass CVE-2023-38035", "Ivanti VTM Audit", "Ivanti VTM New Account Creation", @@ -1601,7 +1612,6 @@ "Process Kill Base On File Path", "Process Writing DynamicWrapperX", "Processes Tapping Keyboard Events", - "Processes launching netsh", "Prohibited Network Traffic Allowed", "Prohibited Traffic Allowed or Protocol Mismatch", "PromptFlux", @@ -1614,6 +1624,7 @@ "Qakbot", "Quasar RAT", "QuietVault", + "RAVPN - High Authentication Failures from Source", "RMM Software Tracking", "Randomly Generated Scheduled Task Name", "Randomly Generated Windows Service Name", @@ -1700,7 +1711,6 @@ "SamSam Ransomware", "Samsam Test File Write", "Sandworm Tools", - "Sc exe Manipulating Windows Services", "Scattered Lapsus$ Hunters", "Scattered Spider", "SchCache Change By App Connect And Create ADSI Object", @@ -2907,6 +2917,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", @@ -2915,6 +2926,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup", diff --git a/schemas/Story.schema.json b/schemas/Story.schema.json index 74eb40bd23..cd12db70f9 100644 --- a/schemas/Story.schema.json +++ b/schemas/Story.schema.json @@ -49,6 +49,7 @@ "cisco_asa", "cisco_duo_activity", "cisco_duo_administrator", + "cisco_ios", "cisco_isovalent", "cisco_isovalent_allowed_images", "cisco_isovalent_process_connect", 
@@ -57,6 +58,9 @@ "cisco_networks", "cisco_sd_wan_service_proxy_access", "cisco_sd_wan_syslog", + "cisco_secure_access_dns", + "cisco_secure_access_proxy", + "cisco_secure_access_ravpn", "cisco_secure_firewall", "cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools", "cisco_secure_firewall_filetype_lookup",