diff --git a/data_sources/cisco_sd_wan_auth_log.yml b/data_sources/cisco_sd_wan_auth_log.yml
new file mode 100644
index 0000000000..eeed82261e
--- /dev/null
+++ b/data_sources/cisco_sd_wan_auth_log.yml
@@ -0,0 +1,14 @@
+name: Cisco SD-WAN Auth Log
+id: a7c9ec91-85cb-44fc-be26-e652ba7e4127
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+description: Data source object for Cisco SD-WAN Auth logs
+source: /var/log/auth.log
+sourcetype: cisco:sdwan:syslog
+supported_TA: []
+fields:
+ - _time
+ - _raw
+example_log: '2026-03-30T05:29:57+00:00 vsmart sshd[20244]: Accepted publickey for vmanage-admin from 172.161.255.29 port 37146 ssh2: RSA SHA256:KEY_2'
diff --git a/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml
new file mode 100644
index 0000000000..25e26749f6
--- /dev/null
+++ b/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml
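Review bot: The data source declares `supported_TA: []` and only `_time`/`_raw` under `fields`, so nothing in this object says how `_time` is derived from the ISO-8601 prefix seen in `example_log` — without a TA, `cisco:sdwan:syslog` needs manual `TIME_PREFIX`/`TIME_FORMAT` props or `_time` will presumably fall back to index time, which matters for any detection that windows on it. I would say so in `description`, e.g. `description: sshd authentication entries from /var/log/auth.log on Cisco Catalyst SD-WAN control components (see example_log); no add-on is declared for cisco:sdwan:syslog, so timestamp extraction must be configured on ingest.` The `KEY_2` fingerprint placeholder in `example_log` is fine, but a short note that real entries carry a base64 `SHA256:` fingerprint would help anyone writing extractions against it.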
@@ -0,0 +1,53 @@
+name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
+id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+status: production
+type: Hunting
+description: |-
+ This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window.
+ This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs.
+ Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
+data_source:
+ - Cisco SD-WAN Auth Log
+search: |-
+ `cisco_sd_wan_syslog`
+ "Accepted publickey"
+ | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)"
+ | where user="vmanage-admin"
+ | bin event_timestamp span=2m
+ | stats dc(src) as unique_src_ips
+ values(src) as src_ips
+ values(user) as users
+ count as auth_count by event_timestamp dest
+ | where unique_src_ips >= 2
+ | sort 0 - unique_src_ips
+ | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`
+how_to_implement: |
+ This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
+analytic_story:
+ - Cisco Catalyst SD-WAN Analytics
+asset_type: Network
+cve:
+ - CVE-2026-20127
+mitre_attack_id:
+ - T1595
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: application
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
+ source: /var/log/auth.log
+ sourcetype: cisco:sdwan:syslog
+ test_type: unit
diff --git a/detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml b/detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml
new file mode 100644
index 0000000000..eb0575379d
--- /dev/null
+++ b/detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml
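Review bot: The two-minute window in `search` is unlikely to take effect, because `event_timestamp` is whatever the `rex` captured from `_raw` (an ISO-8601 string such as `2026-03-30T05:29:57+00:00`) and `bin ... span=2m` buckets numeric values, so `dc(src) >= 2` would in practice only fire for events sharing the identical timestamp string. Bucket on the indexed time instead: `| bin _time span=2m` and `count as auth_count by _time dest` (or run `strptime` on `event_timestamp` first if index time is not trusted). `known_false_positives` states none have been identified, yet the description itself tells the analyst to validate sources against known System IPs — clustered or HA SD-WAN Manager nodes would presumably show several legitimate sources in one window, and that should be written there. The `mitre_attack_id` of T1595 (Active Scanning) does not describe an accepted publickey SSH login; T1078 (Valid Accounts) and T1021.004 (SSH) fit the behavior, and the test data itself is filed under T1190.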
@@ -0,0 +1,49 @@
+name: Cisco SD-WAN Multiple SSH key Authentication from Same Source
+id: 23e15133-d825-4e1d-b885-b8fe3909e947
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+status: production
+type: Hunting
+description: |-
+ This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component.
+ After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk).
+ Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations.
+data_source:
+ - Cisco SD-WAN Auth Log
+search: |-
+ `cisco_sd_wan_syslog`
+ "Accepted publickey"
+ | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)"
+ | stats dc(ssh_key) as distinct_keys
+ values(ssh_key) as ssh_keys
+ count by dest user src
+ | where distinct_keys > 1
+ | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter`
+how_to_implement: |
+ This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
+known_false_positives: |
+ No false positives have been identified at this time.
+references:
+ - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
+analytic_story:
+ - Cisco Catalyst SD-WAN Analytics
+asset_type: Network
+cve:
+ - CVE-2026-20127
+mitre_attack_id:
+ - T1595
+product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+category: application
+security_domain: network
+tests:
+ - name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
+ source: /var/log/auth.log
+ sourcetype: cisco:sdwan:syslog
+ test_type: unit
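Review bot: The `stats ... by dest user src` has no time dimension, so a legitimate key rotation anywhere in the search window produces `distinct_keys > 1` exactly as an injected key would, even though the description says the signal is the old key *continuing* to be used after a new one appears; `known_false_positives` should name rotation/reboot as the expected benign case rather than "none identified". Capturing first/last seen per key and keeping only keys that were still used after the newest key first appeared expresses the described logic (roughly — two keys first seen in the same second would be skipped). The shared `rex` also requires at least two whitespace characters between the host and `sshd` (`\s+\s+sshd`); the data source's example appears to show a single space, so confirm it matches real entries before relying on either detection.

```yaml
search: |-
  # … unchanged: macro, "Accepted publickey", rex …
  | stats min(_time) as first_seen max(_time) as last_seen count by dest user src ssh_key
  | eventstats dc(ssh_key) as distinct_keys max(first_seen) as newest_key_first_seen by dest user src
  | where distinct_keys > 1 AND first_seen < newest_key_first_seen AND last_seen > newest_key_first_seen
  | convert ctime(first_seen) ctime(last_seen) ctime(newest_key_first_seen)
  | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter`
```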