updating detection yamls

Author: patel-bhavin

data_sources/cisco_secure_access_firewall.yml

@@ -0,0 +1,48 @@
+name: Cisco Secure Access Firewall
+id: 5dc07487-f834-4850-b6a7-4cc09e56549b
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+description: Captures firewall connection events from Cisco Secure Access including user identity, source and destination metadata, protocol details, and session statistics. Enables analysis of network traffic patterns, access policy enforcement, brute force attempts, and anomalous connection behavior across cloud-managed network access infrastructure.
+source: cisco_secure_access:firewall
+sourcetype: cisco:cloud_security:firewall
+supported_TA:
+- name: Cisco Secure Access Add-on for Splunk
+  url: https://splunkbase.splunk.com/app/7569
+  version: 1.0.48
+fields:
+- _time
+- action
+- app
+- bytes_in
+- bytes_out
+- datacenter
+- dest
+- dest_ip
+- dest_port
+- direction
+- duration
+- dvc
+- identity
+- identity_type
+- packets_in
+- packets_out
+- protocol
+- protocol_version
+- rule_id
+- session_id
+- src
+- src_ip
+- src_port
+- transport
+- tunnel_id
+- user
+- vendor_product
+output_fields:
+- dest_ip
+- dest_port
+- src_ip
+- user
+- action
+example_log: '"2026-03-05 17:29:39","[1360486514]","Joe Kehoe (joe.kehoe@d1.pseudoco.org)","AD
+  Users","C2S","6","0","","","10.10.3.220","3389","prod_aws_us-west-2_1_0","1482901","ALLOW","","[]","1772731753","1772731779","93","82","20847","46067","2ef4dc5a90e31b4e2f7d21ec8f863accda6ad5db2d6feeff301ca05d298fcbdb-7-1772731753-45877","","aws-us-west-2","","178937","true","1145001","[]","2","[]","[]","8176184","","","f0b0ce3d69aeedfe"'

detections/endpoint/detect_use_of_cmd_exe_to_launch_script_interpreters.yml

@@ -1,28 +1,38 @@
 name: Detect Use of cmd exe to Launch Script Interpreters
 id: b89919ed-fe5f-492c-b139-95dbb162039e
-version: 13
-date: '2026-03-10'
+version: 14
+date: '2026-03-24'
 author: Bhavin Patel, Mauricio Velazco, Splunk
 status: production
 type: TTP
-description: The following analytic detects the execution of cscript.exe or wscript.exe processes initiated by cmd.exe. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes within the Endpoint data model. This activity is significant as it may indicate script-based attacks or administrative actions that could be leveraged for malicious purposes. If confirmed malicious, this behavior could allow attackers to execute scripts, potentially leading to code execution, privilege escalation, or persistence within the environment.
+description: The following detects the execution of cscript.exe or wscript.exe processes spawned by cmd.exe, leveraging Endpoint Detection and Response (EDR) telemetry mapped to the Endpoint data model, with additional contextual filtering to improve fidelity and reduce false positives. It focuses on executions originating from user-writable directories such as Users, AppData, Temp, and Downloads, which are commonly abused by attackers to stage and execute malicious scripts, while excluding trusted system paths like C:\Windows\System32\ and C:\Program Files\ that are typically associated with legitimate activity. The detection also filters out service accounts (e.g., accounts ending with $ or known naming conventions) to minimize noise from automated processes and incorporates command-line context to better assess script execution patterns and identify potentially suspicious behavior. These enhancements transform the analytic from a broad pattern-based detection into a more behavior-driven approach, increasing its effectiveness in identifying malicious script interpreter usage that could indicate initial access, persistence, or lateral movement.
 data_source:
     - Sysmon EventID 1
     - Windows Event Log Security 4688
     - CrowdStrike ProcessRollup2
 search: |-
-    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
-      WHERE Processes.parent_process_name="cmd.exe" (Processes.process_name=cscript.exe
-        OR
-        Processes.process_name =wscript.exe)
-      BY Processes.action Processes.dest Processes.original_file_name
-         Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
-         Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
-         Processes.process Processes.process_exec Processes.process_guid
-         Processes.process_hash Processes.process_id Processes.process_integrity_level
-         Processes.process_name Processes.process_path Processes.user
-         Processes.user_id Processes.vendor_product
+    | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
+    FROM datamodel=Endpoint.Processes
+    WHERE Processes.parent_process_name="cmd.exe"
+      AND (Processes.process_name="cscript.exe" OR Processes.process_name="wscript.exe")
+    BY Processes.action Processes.dest Processes.original_file_name
+      Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
+      Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
+      Processes.process Processes.process_exec Processes.process_guid
+      Processes.process_hash Processes.process_id Processes.process_integrity_level
+      Processes.process_name Processes.process_path Processes.user
+      Processes.user_id Processes.vendor_product
     | `drop_dm_object_name("Processes")`
+
+    | where like(process, "%\\Users\\%")
+      OR like(process, "%\\AppData\\%")
+      OR like(process, "%\\Temp\\%")
+
+    | where NOT like(process, "%\\Windows\\System32\\%")
+    | where NOT like(process, "%\\Program Files\\%")
+
+    | where NOT match(user, ".*\\$$")
+
     | `security_content_ctime(firstTime)`
     | `security_content_ctime(lastTime)`
     | `detect_use_of_cmd_exe_to_launch_script_interpreters_filter`
@@ -41,12 +51,14 @@ drilldown_searches:
       earliest_offset: $info_min_time$
       latest_offset: $info_max_time$
 rba:
-    message: cmd.exe launching script interpreters $process_name$ on $dest$
+    message: cmd.exe launching script interpreters [$process_name$] with commandline [$process$] on [$dest$]
     risk_objects:
         - field: dest
           type: system
           score: 50
-    threat_objects: []
+    threat_objects:
+        - field: process
+          type: process
 tags:
     analytic_story:
         - Emotet Malware DHS Report TA18-201A

detections/network/detect_large_icmp_traffic.yml

@@ -1,16 +1,17 @@
 name: Detect Large ICMP Traffic
 id: 9cd6d066-94d5-4ccd-a8b9-28c03ca91be8
-version: 4
-date: '2026-03-10'
+version: 5
+date: '2026-03-25'
 author: Rico Valdez, Dean Luxton, Bhavin Patel, Splunk
 status: production
 type: TTP
 description: The following analytic identifies ICMP traffic to external IP addresses with total bytes (sum of bytes in and bytes out) greater than 1,000 bytes. It leverages the Network_Traffic data model to detect large ICMP packet that aren't blocked and are directed toward external networks. We use  All_Traffic.bytes in the detection to capture variations in inbound versus outbound traffic sizes, as significant discrepancies or unusually large ICMP exchanges can indicate information smuggling, covert communication, or command-and-control (C2) activities. If validated as malicious, this could signal ICMP tunneling, unauthorized data transfer, or compromised endpoints requiring immediate investigation.
 data_source:
     - Palo Alto Network Traffic
+    - Cisco Secure Access Firewall
 search: |-
     | tstats `security_content_summariesonly` count earliest(_time) as firstTime latest(_time) as lastTime values(All_Traffic.action) as action
-        from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
+        from datamodel=Network_Traffic where All_Traffic.bytes > 1000 AND All_Traffic.action != blocked AND (All_Traffic.protocol=icmp OR All_Traffic.transport=icmp) AND NOT All_Traffic.dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16") AND NOT All_Traffic.dest IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16")
         by All_Traffic.src_ip, All_Traffic.dest_ip, All_Traffic.protocol, All_Traffic.bytes, All_Traffic.app, All_Traffic.bytes_in, All_Traffic.bytes_out, All_Traffic.dest_port, All_Traffic.dvc, All_Traffic.protocol_version,
         All_Traffic.src_port, All_Traffic.user, All_Traffic.vendor_product
     | `drop_dm_object_name("All_Traffic")`
@@ -59,3 +60,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1095/palologs/large_icmp.log
           sourcetype: pan:traffic
           source: pan:traffic
+    - name: True Positive Test - Cisco Secure Access Firewall
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/large_icmp.log
+          source: not_applicable
+          sourcetype: cisco:secure_access:firewall

detections/network/detect_outbound_ldap_traffic.yml

@@ -1,7 +1,7 @@
 name: Detect Outbound LDAP Traffic
 id: 5e06e262-d7cd-4216-b2f8-27b437e18458
-version: 10
-date: '2026-02-25'
+version: 11
+date: '2026-03-25'
 author: Bhavin Patel, Johan Bjerke, Splunk
 status: production
 type: Hunting
@@ -61,3 +61,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/connection_event/connection_events.log
           source: not_applicable
           sourcetype: cisco:sfw:estreamer
+    - name: Cisco Secure Access Firewall True Positive Test
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/ldap.log
+          source: not_applicable
+          sourcetype: cisco:secure_access:firewall

detections/network/windows_remote_desktop_network_bruteforce_attempt.yml

@@ -1,7 +1,7 @@
 name: Windows Remote Desktop Network Bruteforce Attempt
 id: 908bf0d5-0983-4afd-b6a4-e9eb5d361a7d
-version: 7
-date: '2026-03-10'
+version: 8
+date: '2026-03-29'
 author: Jose Hernandez, Bhavin Patel, Splunk
 status: production
 type: Anomaly
@@ -69,3 +69,8 @@ tests:
         - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.001/rdp_brute_sysmon/sysmon.log
           source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
           sourcetype: XmlWinEventLog
+    - name: True Positive Test - Cisco Secure Access Firewall
+      attack_data:
+        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_access/firewall/rdp_brute_force.log
+          source: not_applicable
+          sourcetype: cisco:cloud_security:firewall

stories/cisco_secure_access_analytics.yml

@@ -0,0 +1,24 @@
+name: Cisco Secure Access Analytics
+id: 5ba62cae-0757-497c-9226-771e3bf37eb8
+version: 1
+date: '2026-02-25'
+author: Bhavin Patel, Splunk
+status: production
+description: |
+  This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access.
+  The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials.
+  These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways.
+narrative: |
+  Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location.
+  It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform.
+  This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration.
+references:
+- https://www.cisco.com/site/us/en/products/security/secure-access/index.html
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection