splunk · tccontre · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026 · Jun 9, 2026
@@ -0,0 +1,14 @@
+name: Cisco SD-WAN Auth Log
+id: a7c9ec91-85cb-44fc-be26-e652ba7e4127
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+description: Data source object for Cisco SD-WAN Auth logs
+source: /var/log/auth.log
+sourcetype: cisco:sdwan:syslog
+supported_TA: []
+fields:
+    - _time
+    - _raw
+example_log: '2026-03-30T05:29:57+00:00 vsmart <auth.info> sshd[20244]: Accepted publickey for vmanage-admin from 172.161.255.29 port 37146 ssh2: RSA SHA256:KEY_2'
@@ -0,0 +1,53 @@
+name: Cisco SD-WAN Multiple Source IP vManage Admin SSH Authentication
+id: 7882ec59-0e5b-4899-bd1a-7f9b16078bd4
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+status: production
+type: Hunting
+description: |-
+    This analytic identifies multiple unique source IP addresses successfully authenticating as `vmanage-admin` via SSH publickey on Cisco Catalyst SD-WAN control components within a short time window.
+    This aligns with IoC guidance for CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk), which warns that compromised systems may show `Accepted publickey for vmanage-admin` entries from unauthorized IPs.
+    Validate flagged source IPs against known System IPs in SD-WAN Manager and investigate unexpected or concurrent sources.
+data_source:
+    - Cisco SD-WAN Auth Log
+search: |-
+    `cisco_sd_wan_syslog`
+    "Accepted publickey"
+    | rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
+    | where user="vmanage-admin"
+    | bin event_timestamp span=2m
+    | stats dc(src) as unique_src_ips
+            values(src) as src_ips
+            values(user) as users
+      count as auth_count by event_timestamp dest
+    | where unique_src_ips >= 2
+    | sort 0 - unique_src_ips
+    | `cisco_sd_wan_multiple_source_ip_vmanage_admin_ssh_authentication_filter`
+how_to_implement: |
+    This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
+known_false_positives: |
+    No false positives have been identified at this time.
+references:
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
+analytic_story:
+    - Cisco Catalyst SD-WAN Analytics
+asset_type: Network
+cve:
+    - CVE-2026-20127
+mitre_attack_id:
+    - T1595
+product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+category: application
+security_domain: network
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
+          source: /var/log/auth.log
+          sourcetype: cisco:sdwan:syslog
+      test_type: unit
@@ -0,0 +1,49 @@
+name: Cisco SD-WAN Multiple SSH key Authentication from Same Source
+id: 23e15133-d825-4e1d-b885-b8fe3909e947
+version: 1
+creation_date: '2026-06-09'
+modification_date: '2026-06-09'
+author: Teoderick Contreras, Splunk
+status: production
+type: Hunting
+description: |-
+    This hunting analytic identifies multiple distinct SSH publickey fingerprints used to authenticate the same user from the same source IP against a Cisco Catalyst SD-WAN control component.
+    After legitimate vManage key rotation or reboot, a new key may appear but the old key should no longer be used; continued use of more than one key from the same source may indicate unauthorized key injection or persistence related to CVE-2026-20127 (cisco-sa-sdwan-rpa-EHchtZk).
+    Validate flagged keys and source IPs against known System IPs in SD-WAN Manager and investigate unexpected combinations.
+data_source:
+    - Cisco SD-WAN Auth Log
+search: |-
+    `cisco_sd_wan_syslog`
+    "Accepted publickey"
+    | rex field=_raw "^(?<event_timestamp>\S+)\s+(?<dest>\S+)\s+<auth\.info>\s+sshd\[\d+\]:\s+Accepted publickey for (?<user>\S+) from (?<src>\S+) port (?<src_port>\d+) ssh2:\s+(?<key_type>\S+)\s+(?<ssh_key>\S+)"
+    | stats dc(ssh_key) as distinct_keys
+            values(ssh_key) as ssh_keys
+      count by dest user src
+    | where distinct_keys > 1
+    | `cisco_sd_wan_multiple_ssh_key_authentication_from_same_source_filter`
+how_to_implement: |
+    This detection requires Cisco SD-WAN auth logs from the /var/log/auth.log file to be ingested into Splunk.
+known_false_positives: |
+    No false positives have been identified at this time.
+references:
+    - https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwan-rpa-EHchtZk
+analytic_story:
+    - Cisco Catalyst SD-WAN Analytics
+asset_type: Network
+cve:
+    - CVE-2026-20127
+mitre_attack_id:
+    - T1595
+product:
+    - Splunk Enterprise
+    - Splunk Enterprise Security
+    - Splunk Cloud
+category: application
+security_domain: network
+tests:
+    - name: True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/cisco/CVE-2026-20127/auth_dummy_key.log
+          source: /var/log/auth.log
+          sourcetype: cisco:sdwan:syslog
+      test_type: unit