splunk
diff --git a/‎contentctl.yml‎
Lines changed: 6 additions & 1 deletion b/‎contentctl.yml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎data_sources/cisco_ios_logs.yml‎
Lines changed: 87 additions & 0 deletions b/‎data_sources/cisco_ios_logs.yml‎
Lines changed: 87 additions & 0 deletions
diff --git a/‎detections/network/cisco_configuration_archive_logging_analysis.yml‎
Lines changed: 69 additions & 0 deletions b/‎detections/network/cisco_configuration_archive_logging_analysis.yml‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎detections/network/cisco_ios_suspicious_privileged_account_creation.yml‎
Lines changed: 73 additions & 0 deletions b/‎detections/network/cisco_ios_suspicious_privileged_account_creation.yml‎
Lines changed: 73 additions & 0 deletions
diff --git a/‎detections/network/cisco_network_interface_modifications.yml‎
Lines changed: 74 additions & 0 deletions b/‎detections/network/cisco_network_interface_modifications.yml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml‎
Lines changed: 4 additions & 3 deletions b/‎detections/network/cisco_secure_firewall___intrusion_events_by_threat_activity.yml‎
Lines changed: 4 additions & 3 deletions
@@ -3,7 +3,7 @@ app:
   uid: 3449
   title: ES Content Updates
   appid: DA-ESS-ContentUpdate
-  version: 5.12.0
+  version: 5.13.0
   description: Explore the Analytic Stories included with ES Content Updates.
   prefix: ESCU
   label: ESCU
@@ -246,6 +246,11 @@ apps:
   appid: SPLUNK_ADD_ON_FOR_VMWARE_INDEXES
   version: 4.0.3
   hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/splunk-add-on-for-vmware-indexes_403.tgz
+- uid: 1467
+  title: Cisco Networks Add-on
+  appid: TA-cisco_ios
+  version: 2.7.8
+  hardcoded_path: https://attack-range-appbinaries.s3.us-west-2.amazonaws.com/add-on-for-cisco-network-data_278.tgz
 githash: d6fac80e6d50ae06b40f91519a98489d4ce3a3fd
 test_data_caches:
 - base_url: https://media.githubusercontent.com/media/splunk/attack_data/master/
 
@@ -0,0 +1,87 @@
+name: Cisco IOS Logs
+id: 9e4c8d7b-6f5e-4a3d-b2c1-0a9b8c7d6e5f
+version: 1
+date: '2025-08-21'
+author: Michael Haag, Splunk
+description: Data source object for Cisco IOS system logs. Cisco IOS logs provide operational and security telemetry from Cisco network devices (IOS, IOS XE, IOS XR, NX-OS, WLC, and APs). The Cisco Networks Add-on for Splunk (TA-cisco_ios) normalizes these events by setting proper sourcetypes and extracting fields for switches, routers, controllers, and access points; deploy the TA on indexers/HFs and search heads, and the Cisco Networks (cisco_ios) App on search heads. Supported platforms include Catalyst, ASR, ISR, Nexus, CRS, and other IOS-based devices, enabling consistent investigation, alerting, and reporting in Splunk Enterprise and Splunk Cloud. This data is ingested via SYSLOG.
+source: cisco:ios
+sourcetype: cisco:ios
+separator: null
+supported_TA:
+- name: Cisco Networks Add-on
+  url: https://splunkbase.splunk.com/app/1467
+  version: 2.7.8
+fields:
+- _time
+- aci_message_text
+- action
+- app
+- authenticator
+- bytes
+- change_type
+- cipher
+- cisco_header
+- command
+- config_source
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- dest_interface
+- dest_mac
+- dest_port
+- device_time
+- direct_ap_mac
+- dvc
+- event_id
+- eventtype
+- facility
+- hmac
+- host
+- index
+- line
+- linecount
+- message_text
+- mnemonic
+- product
+- punct
+- reliable_time
+- severity
+- severity_description
+- severity_id
+- severity_id_and_name
+- severity_name
+- source
+- sourcetype
+- splunk_server
+- splunk_server_group
+- src
+- src_interface
+- src_ip
+- src_mac
+- subfacility
+- tag
+- tag::action
+- tag::app
+- tag::eventtype
+- timeendpos
+- timestartpos
+- transport
+- tty
+- type
+- user
+- vendor
+- vendor_action
+- vlan
+output_fields:
+- user
+- dest
+example_log: 'Aug 20 17:10:21.639: %AAA-6-USERNAME_CONFIGURATION: user with username: attacker configured
+  Aug 20 17:10:21.664: %AAA-6-USER_PRIVILEGE_UPDATE: username: attacker privilege updated with priv-15
+  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:username attacker privilege 15 secret *
+  Aug 20 17:10:21.665: %PARSER-5-CFGLOG_LOGGEDCMD: User:ec2-user logged command:!config: USER TABLE MODIFIED'
@@ -0,0 +1,69 @@
+name: Cisco Configuration Archive Logging Analysis
+id: f52d5c0b-d45d-4304-b300-a4f6a1130dec
+version: 1
+date: '2025-08-21'
+author: Bhavin Patel, Michael Haag, Splunk
+status: production
+type: Hunting
+description: This analytic provides comprehensive monitoring of configuration changes on Cisco devices by analyzing archive logs. Configuration archive logging captures all changes made to a device's configuration, providing a detailed audit trail that can be used to identify suspicious or malicious activities. This detection is particularly valuable for identifying patterns of malicious configuration changes that might indicate an attacker's presence, such as the creation of backdoor accounts, SNMP community string modifications, and TFTP server configurations for data exfiltration. By analyzing these logs, security teams can gain a holistic view of configuration changes across sessions and users, helping to detect sophisticated attack campaigns like those conducted by threat actors such as Static Tundra.
+data_source:
+- Cisco IOS Logs
+search: '| tstats `security_content_summariesonly` count values(All_Changes.command) as commands min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes 
+    where (
+    (All_Changes.command="*username*privilege 15*") OR 
+    (All_Changes.command="*username*password*") OR
+    (All_Changes.command="*USER TABLE MODIFIED*") OR
+    (All_Changes.command="*tftp-server*") OR
+    (All_Changes.command="*snmp-server community*")
+    )
+    by All_Changes.dvc All_Changes.user
+  | `drop_dm_object_name("All_Changes")` 
+  | rename dvc as dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `cisco_configuration_archive_logging_analysis_filter`'
+how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with configuration archive logging enabled. On Cisco devices, enable archive logging with the commands "archive" and "log config" in global configuration mode. Configure command logging with "archive log config logging enable" and ensure that the appropriate logging levels are set with "logging trap informational". The detection looks for patterns of suspicious configuration changes across sessions, focusing on account creation, SNMP modifications, and TFTP server configurations.
+known_false_positives: Legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. Network administrators often make several configuration changes in sequence during maintenance windows. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. The detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
+references:
+- https://blog.talosintelligence.com/static-tundra/
+- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/config-mgmt/configuration/15-mt/config-mgmt-15-mt-book/cm-config-logger.html
+drilldown_searches:
+- name: View the detection results for - "$dest$" and "$user$"
+  search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View session details for - "$session_id$"
+  search: '%original_detection_search% | search session_id = "$session_id$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$" and "$user$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
+    "$user$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Cisco Smart Install Remote Code Execution CVE-2018-0171
+  asset_type: Network
+  mitre_attack_id:
+  - T1562.001
+  - T1098
+  - T1505.003
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2018-0171
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1190/cisco/cisco_smart_install/cisco_ios.log
+    sourcetype: cisco:ios
+    source: cisco:ios
@@ -0,0 +1,73 @@
+name: Cisco IOS Suspicious Privileged Account Creation
+id: 63e3aff9-45d7-4d41-bcdb-9da561fb4533
+version: 1
+date: '2025-08-21'
+author: Bhavin Patel, Michael Haag, Splunk
+status: production
+type: Anomaly
+description: This analytic detects the creation of privileged user accounts on Cisco IOS devices, which could indicate an attacker establishing backdoor access. The detection focuses on identifying when user accounts are created with privilege level 15 (the highest administrative privilege level in Cisco IOS) or when existing accounts have their privileges elevated. This type of activity is particularly concerning when performed by unauthorized users or during unusual hours, as it may represent a key step in establishing persistence following the exploitation of vulnerabilities like CVE-2018-0171 in Cisco Smart Install. Threat actors like Static Tundra have been observed creating privileged accounts as part of their attack chain after gaining initial access to network devices.
+data_source:
+- Cisco IOS Logs
+search: '| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes 
+    where (
+      (All_Changes.command="*username * privilege 15*") OR 
+      (All_Changes.command="*username * password*" AND All_Changes.command="*USER TABLE MODIFIED*") OR
+      (All_Changes.command="*USER_PRIVILEGE_UPDATE*priv-15*")
+    )
+    by All_Changes.dvc All_Changes.user 
+  | `drop_dm_object_name("All_Changes")`
+  | rename dvc as dest
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)`
+  | `cisco_ios_suspicious_privileged_account_creation_filter`'
+how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel, with AAA accounting and command logging enabled on your Cisco devices.
+known_false_positives: Legitimate account creation and privilege elevation activities by authorized administrators will generate alerts with this detection. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for account management, and authorized administrators who regularly perform these actions. You may also want to create a lookup table of approved administrative accounts and filter out alerts for these accounts. Additionally, scheduled maintenance windows should be taken into account when evaluating alerts.
+references:
+- https://blog.talosintelligence.com/static-tundra/
+- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-a2.html#wp3796044403
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: A suspicious privileged account was created or modified on Cisco IOS device $dest$ by user $user$
+  risk_objects:
+  - field: dest
+    type: system
+    score: 50
+  - field: user
+    type: user
+    score: 50
+  threat_objects:
+  - field: command
+    type: command
+tags:
+  analytic_story:
+  - Cisco Smart Install Remote Code Execution CVE-2018-0171
+  asset_type: Network
+  mitre_attack_id:
+  - T1136
+  - T1078
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2018-0171
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1190/cisco/cisco_smart_install/cisco_ios.log
+    sourcetype: cisco:ios
+    source: cisco:ios
@@ -0,0 +1,74 @@
+name: Cisco Network Interface Modifications
+id: 61ae09c2-079e-44b1-8be0-74e35c5a679e
+version: 1
+date: '2025-08-21'
+author: Bhavin Patel, Michael Haag, Splunk
+status: production
+type: Anomaly
+description: This analytic detects the creation or modification of network interfaces on Cisco devices, which could indicate an attacker establishing persistence or preparing for lateral movement. After gaining initial access to network devices, threat actors like Static Tundra often create new interfaces (particularly loopback interfaces) to establish covert communication channels or maintain persistence. This detection specifically looks for the configuration of new interfaces, interface state changes, and the assignment of IP addresses to interfaces. These activities are particularly concerning when they involve unusual interface names or descriptions containing suspicious terms.
+data_source:
+- Cisco IOS Logs
+search: '| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes 
+  where (
+    (All_Changes.command="*interface*") OR 
+    (All_Changes.command="*LINEPROTO-5-UPDOWN*") OR
+    (All_Changes.command="*ip address*")
+  )
+  by All_Changes.dvc All_Changes.user
+| `drop_dm_object_name("All_Changes")`
+| rename dvc as dest
+| `security_content_ctime(firstTime)`
+| `security_content_ctime(lastTime)`
+| `cisco_network_interface_modifications_filter`'
+how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with appropriate logging levels enabled to capture interface configuration changes and line protocol state changes. Configure command logging on Cisco IOS devices using the "archive log config logging enable" command and ensure that syslog is properly configured to capture LINEPROTO-5-UPDOWN messages.
+known_false_positives: Legitimate network interface configuration changes may trigger this detection during routine network maintenance or initial device setup. Network administrators often need to create or modify interfaces as part of normal operations. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames, typical times for interface configuration changes, and scheduled maintenance windows. You may also want to create a lookup table of approved interface naming conventions and filter out alerts for standard interface configurations.
+references:
+- https://blog.talosintelligence.com/static-tundra/
+- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi2
+- https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/interface/command/ir-cr-book/ir-i1.html#wp1389942834
+drilldown_searches:
+- name: View the detection results for - "$dest$"
+  search: '%original_detection_search% | search dest = "$dest$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$dest$"
+  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168  | stats count min(_time)
+    as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+    as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+    as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+    by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+rba:
+  message: Suspicious network interface modifications detected on Cisco device $dest$ by user $user$, which may indicate persistence establishment
+  risk_objects:
+  - field: dest
+    type: system
+    score: 55
+  - field: user
+    type: user
+    score: 45
+  threat_objects:
+  - field: command
+    type: command
+tags:
+  analytic_story:
+  - Cisco Smart Install Remote Code Execution CVE-2018-0171
+  asset_type: Network
+  mitre_attack_id:
+  - T1556
+  - T1021
+  - T1133
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: network
+  cve:
+  - CVE-2018-0171
+tests:
+- name: True Positive Test
+  attack_data:
+  - data: https://media.githubusercontent.com/media/splunk/attack_data/refs/heads/master/datasets/attack_techniques/T1190/cisco/cisco_smart_install/cisco_ios.log
+    sourcetype: cisco:ios
+    source: cisco:ios
@@ -1,7 +1,7 @@
 name: Cisco Secure Firewall - Intrusion Events by Threat Activity
 id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
-version: 2  
-date: '2025-07-03'
+version: 3  
+date: '2025-08-21'
 author: Bhavin Patel, Nasreddine Bencherchali, Splunk
 status: production
 type: Anomaly
@@ -16,7 +16,7 @@ description: |
   events that occur in close temporal proximity.
 
   Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:
-
+  * Static Tundra
   * AgentTesla
   * Amadey
   * AsyncRAT
@@ -55,6 +55,7 @@ how_to_implement: |
 known_false_positives: False positives may occur due to legitimate security testing or research activities.
 references:
   - https://www.cisco.com/c/en/us/products/security/firewalls/index.html
+  - https://blog.talosintelligence.com/static-tundra/
 drilldown_searches:
 - name: View the detection results for - "$dest_ip$"
   search: '%original_detection_search% | search  dest_ip = "$dest_ip$"'