splunk
diff --git a/‎detections/network/cisco_configuration_archive_logging_analysis.yml‎
Lines changed: 8 additions & 11 deletions b/‎detections/network/cisco_configuration_archive_logging_analysis.yml‎
Lines changed: 8 additions & 11 deletions
diff --git a/‎detections/network/cisco_configuration_file_exfiltration_attempts.yml‎
Lines changed: 0 additions & 76 deletions b/‎detections/network/cisco_configuration_file_exfiltration_attempts.yml‎
Lines changed: 0 additions & 76 deletions
@@ -9,22 +9,19 @@ description: This analytic provides comprehensive monitoring of configuration ch
 data_source:
 - Cisco IOS Logs
 search: '| tstats `security_content_summariesonly` count values(All_Changes.command) as commands min(_time) as firstTime max(_time) as lastTime from datamodel=Change.All_Changes 
-  where sourcetype="cisco:ios" 
-  AND (
+    where (
     (All_Changes.command="*username*privilege 15*") OR 
     (All_Changes.command="*username*password*") OR
     (All_Changes.command="*USER TABLE MODIFIED*") OR
     (All_Changes.command="*tftp-server*") OR
     (All_Changes.command="*snmp-server community*")
-  )
-  by All_Changes.dvc All_Changes.user All_Changes.session_id
-| `drop_dm_object_name("All_Changes")`
-| rename dvc as dest
-| stats count dc(commands) as commands min(firstTime) as firstTime max(lastTime) as lastTime by dest user session_id
-| where commands > 2
-| `security_content_ctime(firstTime)`
-| `security_content_ctime(lastTime)`
-| `cisco_configuration_archive_logging_analysis_filter`'
+    )
+    by All_Changes.dvc All_Changes.user
+  | `drop_dm_object_name("All_Changes")` 
+  | rename dvc as dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `cisco_configuration_archive_logging_analysis_filter`'
 how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with configuration archive logging enabled. On Cisco devices, enable archive logging with the commands "archive" and "log config" in global configuration mode. Configure command logging with "archive log config logging enable" and ensure that the appropriate logging levels are set with "logging trap informational". The detection looks for patterns of suspicious configuration changes across sessions, focusing on account creation, SNMP modifications, and TFTP server configurations.
 known_false_positives: Legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. Network administrators often make several configuration changes in sequence during maintenance windows. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. The detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
 references: