Commit a063ed3

Merge pull request #3654 from splunk/fixes_5130
Remove Drilldown
2 parents 2f988c5 + 227bb64 commit a063ed3

1 file changed (+1, -5 lines)

detections/network/cisco_configuration_archive_logging_analysis.yml

Lines changed: 1 addition & 5 deletions
@@ -21,7 +21,7 @@ search: '| tstats `security_content_summariesonly` count values(All_Changes.comm
2121
| rename dvc as dest
2222
| `security_content_ctime(firstTime)`
2323
| `security_content_ctime(lastTime)`
24-
| `cisco_configuration_archive_logging_analysis_filter`'
24+
| `cisco_configuration_archive_logging_analysis_filter`'
2525
how_to_implement: To implement this search, you need to be ingesting Cisco IOS logs with the sourcetype "cisco:ios" and have these logs mapped to the Change datamodel. Ensure that your Cisco IOS devices are configured to send logs to your Splunk environment, with configuration archive logging enabled. On Cisco devices, enable archive logging with the commands "archive" and "log config" in global configuration mode. Configure command logging with "archive log config logging enable" and ensure that the appropriate logging levels are set with "logging trap informational". The detection looks for patterns of suspicious configuration changes across sessions, focusing on account creation, SNMP modifications, and TFTP server configurations.
2626
known_false_positives: Legitimate configuration changes during routine maintenance or device setup may trigger this detection, especially when multiple related changes are made in a single session. Network administrators often make several configuration changes in sequence during maintenance windows. To reduce false positives, consider implementing a baseline of expected administrative activities, including approved administrative usernames and scheduled maintenance windows. The detection includes a threshold (count > 2) to filter out isolated configuration changes, but this threshold may need to be adjusted based on your environment's normal activity patterns.
2727
references:
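Review bot: The removed and re-added line 24 (`| \`cisco_configuration_archive_logging_analysis_filter\`'`) render identically, so this is a whitespace-only edit (indentation or trailing whitespace) that the diff viewer does not show. Because that line is a continuation of the single-quoted `search:` scalar, YAML line folding strips leading and trailing spaces and the resulting SPL string should be unchanged, but the commit message should say "whitespace only" so reviewers do not hunt for a functional difference in this hunk.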
@@ -33,10 +33,6 @@ drilldown_searches:
3333
search: '%original_detection_search% | search dest = "$dest$" user = "$user$"'
3434
earliest_offset: $info_min_time$
3535
latest_offset: $info_max_time$
36-
- name: View session details for - "$session_id$"
37-
search: '%original_detection_search% | search session_id = "$session_id$"'
38-
earliest_offset: $info_min_time$
39-
latest_offset: $info_max_time$
4036
- name: View risk events for the last 7 days for - "$dest$" and "$user$"
4137
search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$",
4238
"$user$") starthoursago=168 | stats count min(_time)
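Review bot: The "View session details" drilldown is dropped without the commit message saying why. If the reason is that `session_id` is not a field the `tstats` search actually emits (the surviving drilldowns reference only `$dest$` and `$user$`), state that in the PR description, and check that `how_to_implement` in the first hunk, which still says the detection looks for changes "across sessions", remains accurate; if the field does exist, note that analysts lose the per-session pivot when triaging a `$dest$`/`$user$` hit and that this is intentional.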