From 9c6594ac80330ee98c4ef47cc1914916f66563e1 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 9 Jun 2026 14:47:49 +0200 Subject: [PATCH 1/5] 2026-20127 --- data_sources/cisco_sd_wan_auth_log.yml | 14 ++++++ ...ce_ip_vmanage_admin_ssh_authentication.yml | 45 +++++++++++++++++++ ...sh_key_authentication_from_same_source.yml | 42 +++++++++++++++++ 3 files changed, 101 insertions(+) create mode 100644 data_sources/cisco_sd_wan_auth_log.yml create mode 100644 detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml create mode 100644 detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml diff --git a/data_sources/cisco_sd_wan_auth_log.yml b/data_sources/cisco_sd_wan_auth_log.yml new file mode 100644 index 0000000000..eeed82261e --- /dev/null +++ b/data_sources/cisco_sd_wan_auth_log.yml @@ -0,0 +1,14 @@ +name: Cisco SD-WAN Auth Log +id: a7c9ec91-85cb-44fc-be26-e652ba7e4127 +version: 1 +creation_date: '2026-06-09' +modification_date: '2026-06-09' +author: Teoderick Contreras, Splunk +description: Data source object for Cisco SD-WAN Auth logs +source: /var/log/auth.log +sourcetype: cisco:sdwan:syslog +supported_TA: [] +fields: + - _time + - _raw +example_log: '2026-03-30T05:29:57+00:00 vsmart sshd[20244]: Accepted publickey for vmanage-admin from 172.161.255.29 port 37146 ssh2: RSA SHA256:KEY_2' diff --git a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml new file mode 100644 index 0000000000..697d984680 --- /dev/null +++ b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml 
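Review bot: `supported_TA: []` together with the custom `sourcetype: cisco:sdwan:syslog` leaves unstated how `/var/log/auth.log` receives that sourcetype, yet both detections' `` `cisco_sd_wan_syslog` `` macro and their `rex field=_raw` depend on it. The data-source `description` is the place to say so, e.g. `description: Data source object for Cisco SD-WAN auth logs (sshd entries from /var/log/auth.log on SD-WAN control components); no add-on parses this file, so the input must assign sourcetype cisco:sdwan:syslog explicitly`. The detections' `rex` also presumes the exact line shape in `example_log` (ISO-8601 timestamp, host, `sshd[pid]:`), so the example should stay representative of a real control-component auth.log line rather than a trimmed one.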
@@ -0,0 +1,45 @@ +name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication +id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4 +version: 1 +date: '2026-06-09' +author: Teoderick Contreras, Splunk +status: production +type: Hunting +description: This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources. +data_source: + - Cisco SD-WAN Auth Log +search: |- + `cisco_sd_wan_syslog` "Accepted publickey" + | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" + | where user="vmanage-admin" + | bin _time span=2m + | stats dc(src) as unique_src_ips values(src) as src_ips values(user) as users count as auth_count by _time dest + | where unique_src_ips >= 2 + | sort 0 - unique_src_ips + | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter` +how_to_implement: | + This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk. + These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log". +known_false_positives: | + No false positives have been identified at this time. 
+references: + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v + - https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE +analytic_story: + - Cisco Catalyst SD-WAN Analytics +asset_type: Network +mitre_attack_id: + - T1595 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log + source: /var/log/nms/containers/service-proxy/serviceproxy-access.log + sourcetype: cisco:sdwan:syslog + test_type: unit diff --git a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml new file mode 100644 index 0000000000..ecd2d2d9dc --- /dev/null +++ b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml 
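Review bot: The `rex` in `search` contains `\s+\s+sshd`, which requires at least two whitespace characters between the hostname and `sshd`, while the data source's `example_log` (`vsmart sshd[20244]`) has one; as rendered here the named groups also appear as `(?\S+)`, so either the group names were lost in rendering or something between the two `\s+` was. If the file really reads this way the pattern never matches, every later stage (`where user=`, `stats ... by dest`) runs on empty fields, and the unit test can only pass if `auth_dummy_key.log` differs from `example_log`. The same pattern is repeated in the `..._from_same_source.yml` hunk below, in the patch 4 re-indent and in both patch 5 `application/` files, so fix it once and copy, or better move it into a shared macro. Suggested, with names taken from the fields the later stages consume and the two unnamed ones as placeholders: `| rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<PLACEHOLDER_port>\d+) ssh2:\s+(?<PLACEHOLDER_keytype>\S+)\s+(?<ssh_key>\S+)"`.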
@@ -0,0 +1,42 @@ +name: Cisco SD-WAN Multiple SSH key Authentication from Same Source +id: 23e15133-d825-4e1d-b885-b8fe3909e947 +version: 1 +date: '2026-06-09' +author: Teoderick Contreras, Splunk +status: production +type: Hunting +description: This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component. After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations. +data_source: + - Cisco SD-WAN Auth Log +search: |- + `cisco_sd_wan_syslog` "Accepted publickey" + | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" + | stats dc(ssh_key) as distinct_keys values(ssh_key) as ssh_keys count by dest user src + | where distinct_keys > 1 + | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter` +how_to_implement: | + This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk. + These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log". +known_false_positives: | + No false positives have been identified at this time. 
+references: + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v + - https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE +analytic_story: + - Cisco Catalyst SD-WAN Analytics +asset_type: Network +mitre_attack_id: + - T1595 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: network +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log + source: /var/log/nms/containers/service-proxy/serviceproxy-access.log + sourcetype: cisco:sdwan:syslog + test_type: unit From 87857d39ccaecb43b487871652556d1e41ccc44c Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 9 Jun 2026 14:51:33 +0200 Subject: [PATCH 2/5] 2026-20127 --- ..._wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml | 2 +- ..._sd_wan_multiple_ssh_key_authentication_from_same_source.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml index 697d984680..c36fe1b2eb 100644 --- a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml +++ b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml @@ -40,6 +40,6 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log - source: /var/log/nms/containers/service-proxy/serviceproxy-access.log + source: /var/log/auth.log sourcetype: cisco:sdwan:syslog test_type: unit 
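Review bot: `known_false_positives` says none are known, but the `description` in the same hunk states that a legitimate vManage key rotation or reboot makes a new key appear next to the old one, and `stats dc(ssh_key) ... by dest user src` has no time window, so any rotation inside the search range trips `distinct_keys > 1`. The sibling `..._vmanage_admin_ssh_authentication.yml` hunk has the same tension: its description asks to validate sources against known System IPs, i.e. several legitimate sources are expected. Suggest replacing the text with something like `Legitimate key rotation or reboot of SD-WAN Manager may briefly show the old and new key from the same source; scheduled maintenance and multiple SD-WAN Manager nodes authenticating to the same control component are expected sources. Validate against known System IPs and change windows before escalating.` The patch 5 rename keeps this text unchanged, so it applies there too.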
diff --git a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml index ecd2d2d9dc..70d2784779 100644 --- a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml +++ b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml @@ -37,6 +37,6 @@ tests: - name: True Positive Test attack_data: - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log - source: /var/log/nms/containers/service-proxy/serviceproxy-access.log + source: /var/log/auth.log sourcetype: cisco:sdwan:syslog test_type: unit From 93334c4f973c75068c860599d1f2760de8bc1dae Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 9 Jun 2026 14:54:03 +0200 Subject: [PATCH 3/5] 2026-20127 --- ...wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml | 3 ++- ...sd_wan_multiple_ssh_key_authentication_from_same_source.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml index c36fe1b2eb..7a7bb8426a 100644 --- a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml +++ b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml @@ -1,7 +1,8 @@ name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4 version: 1 -date: '2026-06-09' +creation_date: '2026-06-09' +modification_date: '2026-06-09' author: Teoderick Contreras, Splunk status: production type: Hunting 
diff --git a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml index 70d2784779..36ecbbba09 100644 --- a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml +++ b/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml @@ -1,7 +1,8 @@ name: Cisco SD-WAN Multiple SSH key Authentication from Same Source id: 23e15133-d825-4e1d-b885-b8fe3909e947 version: 1 -date: '2026-06-09' +creation_date: '2026-06-09' +modification_date: '2026-06-09' author: Teoderick Contreras, Splunk status: production type: Hunting From f1d95b7b7eb8d7def884f288368da64d9f19b1a5 Mon Sep 17 00:00:00 2001 From: Teoderick Contreras Date: Tue, 9 Jun 2026 16:41:09 +0200 Subject: [PATCH 4/5] 2026-20127 --- ..._source_ip_vmanage_admin_ssh_authentication.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml index 7a7bb8426a..d2b9f11c19 100644 --- a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml +++ b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml 
@@ -11,13 +11,13 @@ data_source: - Cisco SD-WAN Auth Log search: |- `cisco_sd_wan_syslog` "Accepted publickey" - | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" - | where user="vmanage-admin" - | bin _time span=2m - | stats dc(src) as unique_src_ips values(src) as src_ips values(user) as users count as auth_count by _time dest - | where unique_src_ips >= 2 - | sort 0 - unique_src_ips - | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter` + | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" + | where user="vmanage-admin" + | bin event_timestamp span=2m + | stats dc(src) as unique_src_ips values(src) as src_ips values(user) as users count as auth_count by event_timestamp dest + | where unique_src_ips >= 2 + | sort 0 - unique_src_ips + | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter` how_to_implement: | This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk. These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log". From e8a41c65e295328ae74cda25070d62333ee25a2a Mon Sep 17 00:00:00 2001 
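Review bot: The new `| bin event_timestamp span=2m` buckets a field that, assuming `event_timestamp` is the first `rex` capture, holds the raw ISO-8601 text from `_raw` (e.g. `2026-03-30T05:29:57+00:00` in the data source example); `bin` needs a numeric field, so the following `stats ... by event_timestamp dest` groups on each distinct string instead of on 2-minute windows and `unique_src_ips >= 2` only fires for logins in the same second. Convert first, e.g. `| eval event_timestamp=strptime(event_timestamp, "%Y-%m-%dT%H:%M:%S%z")` ahead of the `bin` (strip the colon from the offset first if `%z` rejects it), or keep `_time` as the removed line did if the sourcetype's timestamp extraction is trusted. The patch 5 `application/` copy of this file carries the same line.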
From: nasbench <8741929+nasbench@users.noreply.github.com> Date: Fri, 12 Jun 2026 13:40:40 +0200 Subject: [PATCH 5/5] update metadata --- ...ce_ip_vmanage_admin_ssh_authentication.yml | 53 +++++++++++++++++++ ...sh_key_authentication_from_same_source.yml | 22 +++++--- ...ce_ip_vmanage_admin_ssh_authentication.yml | 46 ---------------- 3 files changed, 67 insertions(+), 54 deletions(-) create mode 100644 detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml rename detections/{network => application}/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml (55%) delete mode 100644 detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml diff --git a/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml new file mode 100644 index 0000000000..25e26749f6 --- /dev/null +++ b/detections/application/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml 
@@ -0,0 +1,53 @@ +name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication +id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4 +version: 1 +creation_date: '2026-06-09' +modification_date: '2026-06-09' +author: Teoderick Contreras, Splunk +status: production +type: Hunting +description: |- + This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. + This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. + Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources. +data_source: + - Cisco SD-WAN Auth Log +search: |- + `cisco_sd_wan_syslog` + "Accepted publickey" + | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" + | where user="vmanage-admin" + | bin event_timestamp span=2m + | stats dc(src) as unique_src_ips + values(src) as src_ips + values(user) as users + count as auth_count by event_timestamp dest + | where unique_src_ips >= 2 + | sort 0 - unique_src_ips + | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter` +how_to_implement: | + This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk. +known_false_positives: | + No false positives have been identified at this time. 
+references: + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk +analytic_story: + - Cisco Catalyst SD-WAN Analytics +asset_type: Network +cve: + - CVE-2026-20127 +mitre_attack_id: + - T1595 +product: + - Splunk Enterprise + - Splunk Enterprise Security + - Splunk Cloud +category: application +security_domain: network +tests: + - name: True Positive Test + attack_data: + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log + source: /var/log/auth.log + sourcetype: cisco:sdwan:syslog + test_type: unit diff --git a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml b/detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml similarity index 55% rename from detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml rename to detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml index 36ecbbba09..eb0575379d 100644 --- a/detections/network/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml +++ b/detections/application/cisco_sd_wan_multiple_ssh_key_authentication_from_same_source.yml 
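Review bot: `mitre_attack_id: T1595` (Active Scanning) does not describe what the search looks for, which is a successful SSH publickey login as `vmanage-admin` from several sources; the test dataset itself sits under `attack_techniques/T1190/` and the new `cve:` entry ties the analytic to an exploitation scenario. Techniques closer to the observed behaviour are T1190 for the initial exploitation or, for the login itself, T1078 (Valid Accounts) and T1021.004 (Remote Services: SSH); the sibling key-overlap analytic would map to T1098.004 (Account Manipulation: SSH Authorized Keys). Pick whatever the story's other analytics use for consistency; the same mapping is carried by the first-patch versions of both files and by the renamed `..._from_same_source.yml` hunk, so it is worth adjusting in one pass.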
@@ -6,33 +6,39 @@ modification_date: '2026-06-09' author: Teoderick Contreras, Splunk status: production type: Hunting -description: This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component. After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations. +description: |- + This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component. + After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk). + Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations. 
data_source: - Cisco SD-WAN Auth Log search: |- - `cisco_sd_wan_syslog` "Accepted publickey" + `cisco_sd_wan_syslog` + "Accepted publickey" | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" - | stats dc(ssh_key) as distinct_keys values(ssh_key) as ssh_keys count by dest user src + | stats dc(ssh_key) as distinct_keys + values(ssh_key) as ssh_keys + count by dest user src | where distinct_keys > 1 | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter` how_to_implement: | - This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk. - These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log". + This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk. known_false_positives: | No false positives have been identified at this time. references: - - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v - - https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE + - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk analytic_story: - Cisco Catalyst SD-WAN Analytics asset_type: Network +cve: + - CVE-2026-20127 mitre_attack_id: - T1595 product: - Splunk Enterprise - Splunk Enterprise Security - Splunk Cloud -category: network +category: application security_domain: network tests: - name: True Positive Test diff --git a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml b/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml deleted file mode 100644 index d2b9f11c19..0000000000 --- a/detections/network/cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication.yml +++ /dev/null 
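Review bot: The change to `category: application` leaves `security_domain: network` and `asset_type: Network` untouched, so the three classification fields now disagree on what the analytic covers; the new `application/` copy of the vManage-admin file has the same combination. Since the search is about SSH account authentication rather than traffic, `security_domain: access` (if the content schema offers it) would fit both files better than `network`. If `application` was chosen only to match the folder layout, a one-line `# category follows the detections/application folder; domain reflects the data` above `category:` would save the next reader the question.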
@@ -1,46 +0,0 @@ -name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication -id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4 -version: 1 -creation_date: '2026-06-09' -modification_date: '2026-06-09' -author: Teoderick Contreras, Splunk -status: production -type: Hunting -description: This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window. This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs. Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources. -data_source: - - Cisco SD-WAN Auth Log -search: |- - `cisco_sd_wan_syslog` "Accepted publickey" - | rex field=_raw "^(?\S+)\s+(?\S+)\s+\s+sshd\[\d+\]:\s+Accepted publickey for (?\S+) from (?\S+) port (?\d+) ssh2:\s+(?\S+)\s+(?\S+)" - | where user="vmanage-admin" - | bin event_timestamp span=2m - | stats dc(src) as unique_src_ips values(src) as src_ips values(user) as users count as auth_count by event_timestamp dest - | where unique_src_ips >= 2 - | sort 0 - unique_src_ips - | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter` -how_to_implement: | - This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk. - These logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log". -known_false_positives: | - No false positives have been identified at this time. 
-references: - - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-authbp-qwCX8D4v - - https://github.com/zerozenxlabs/CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE -analytic_story: - - Cisco Catalyst SD-WAN Analytics -asset_type: Network -mitre_attack_id: - - T1595 -product: - - Splunk Enterprise - - Splunk Enterprise Security - - Splunk Cloud -category: network -security_domain: network -tests: - - name: True Positive Test - attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log - source: /var/log/auth.log - sourcetype: cisco:sdwan:syslog - test_type: unit