New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport path changes can create rare peer/public-ip combinations. Validate outliers against change records and known SD-WAN inventory before escalating.

Techniques

Sample rules

Cisco SD-WAN - Peering Activity

Description

This analytic detects Cisco SD-WAN control-connection-state-change syslog events in which a control connection transitions to new-state:up. It extracts and surfaces the key triage fields peer-type, peer-system-ip, public-ip, and public-port, aggregated per reporting device (dest) and peer. Analysts should manually validate whether the peer-system-ip matches the expected SD-WAN addressing scheme and device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or planned changes), and whether the public-ip is an expected source for control peering in the environment. Treat peer-type:vmanage events with higher scrutiny, especially when the peer or source IP values have not been seen before. Note that event_time is max() of the extracted timestamp string, which is a lexicographic comparison: BSD-style syslog timestamps carry no year, so the value is only reliable within a single month; the ISO 8601 form orders correctly.

Detection logic

`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
TERM("*new-state:up*")

| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"

| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"

| eval dest=coalesce(prefix_host, legacy_host, device_name, host)

| rex field=_raw "new-state:(?<new_state>\S+)"

| rex field=_raw "peer-type:(?<peer_type>\S+)"

| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"

| rex field=_raw "public-ip:(?<public_ip>\S+)"

| rex field=_raw "public-port:(?<public_port>\d+)"


| where isnotnull(peer_type) AND isnotnull(peer_system_ip)


| stats count max(event_timestamp) as event_time
              values(public_ip) as public_ips
              values(public_port) as public_ports
  by peer_type peer_system_ip dest new_state


| table event_time dest peer_type peer_system_ip
        public_ips public_ports count

| `cisco_sd_wan___peering_activity_filter`

Cisco SD-WAN - Low Frequency Rogue Peer

Description

This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where new-state:up.

It extracts peer-type and peer-system-ip, groups events by these two fields, and counts how often each combination appears within the selected time window.

Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare.

Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values. Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts.

Findings might indicate the potential exploitation of CVE-2026-20127.

Note that the threshold is set to 3 by default; it is highly recommended that this value be adapted to the environment before deploying this search. In a small site with few routers, a legitimate controller that only a couple of devices peer with will sit at or below the default and be flagged, while a large estate may hide a rogue peer that reconnects more than three times in the window.

Detection logic

`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*new-state:up*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")

| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"

| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"

| eval dest=coalesce(prefix_host, legacy_host, device_name, host)

| rex field=_raw "new-state:(?<new_state>\S+)"

| rex field=_raw "peer-type:(?<peer_type>\S+)"

| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"

| rex field=_raw "public-ip:(?<public_ip>\S+)"

| rex field=_raw "public-port:(?<public_port>\d+)"


| where isnotnull(peer_type) AND isnotnull(peer_system_ip)


| stats count
        values(dest) as dest
        values(public_ip) as public_ips
        values(public_port) as public_ports
  by peer_type peer_system_ip

| where count <= 3

| sort 0 count asc

| table dest peer_type peer_system_ip public_ips
        public_ports count

| `cisco_sd_wan___low_frequency_rogue_peer_filter`
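Both searches above (Peering Activity and Low Frequency Rogue Peer) share one extraction pipeline and differ only in the final stats/where stage. The following Python port is added here as an illustration; it is not part of the original rules or of any Splunk content. It runs the same regexes and aggregations over a handful of constructed syslog lines so the two result tables can be checked offline, including the two caveats noted above: the host rex only understands the BSD timestamp layout, so an ISO-stamped line falls through the coalesce() to the indexed host, and max(event_timestamp) is a lexicographic string comparison. The message layout around the key:value tokens (the `vdaemon[pid]: %Viptela-...:` prefix) is an assumption; only the tokens the rex statements extract matter. The legacy_host and device_name fallbacks of the coalesce() are modelled by a single indexed-host argument.

```python
import re

# Python port of the two searches above, run over constructed syslog lines.
# Substring prefilter standing in for the TERM("*...*") clauses both searches share.
REQUIRED_TERMS = ("control-connection-state-change", "peer-system-ip:", "public-ip:", "new-state:up")

# Timestamp rex: BSD syslog ("Mar  3 10:00:01.123") or ISO 8601 ("2026-03-03T10:16:02.000Z").
TS_RE = re.compile(
    r"^(?P<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?")
# Host rex: knows only the BSD layout, so ISO-stamped lines yield no prefix_host.
HOST_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?P<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%")
# One rex per triage field, same patterns as the page (\S+, except the numeric port).
FIELD_RES = {name: re.compile(rf"{tok}:(?P<v>{pat})") for name, tok, pat in (
    ("new_state", "new-state", r"\S+"), ("peer_type", "peer-type", r"\S+"),
    ("peer_system_ip", "peer-system-ip", r"\S+"), ("public_ip", "public-ip", r"\S+"),
    ("public_port", "public-port", r"\d+"))}


def parse_event(raw, indexed_host=None):
    """Extract one line's fields; None where the search drops it (prefilter miss,
    or peer_type / peer_system_ip not extracted, i.e. the where isnotnull() stage)."""
    if not all(term in raw for term in REQUIRED_TERMS):
        return None
    m_ts, m_host = TS_RE.match(raw), HOST_RE.match(raw)
    ev = {"event_timestamp": m_ts.group("event_timestamp") if m_ts else None}
    # eval dest=coalesce(prefix_host, legacy_host, device_name, host): the two
    # sourcetype-derived fields are not modelled; indexed_host is the fallback.
    ev["dest"] = (m_host.group("prefix_host") if m_host else None) or indexed_host
    for name, rx in FIELD_RES.items():
        m = rx.search(raw)
        ev[name] = m.group("v") if m else None
    if ev["peer_type"] is None or ev["peer_system_ip"] is None:
        return None
    return ev


def parse_all(pairs):
    """pairs: iterable of (indexed_host, raw_line); non-matching lines are dropped."""
    return [ev for ev in (parse_event(raw, host) for host, raw in pairs) if ev is not None]


def _add_values(row, ev, fields):
    """values(field) as <field>s: collect the distinct non-empty values seen."""
    for field in fields:
        if ev[field]:
            row.setdefault(field + "s", set()).add(ev[field])


def peering_activity(events):
    """Rule 1: stats count max(event_timestamp) values(public_ip) values(public_port)
    by peer_type peer_system_ip dest new_state; result keyed by that 4-tuple."""
    rows = {}
    for ev in events:
        key = (ev["peer_type"], ev["peer_system_ip"], ev["dest"], ev["new_state"])
        row = rows.setdefault(key, {"count": 0, "event_time": None})
        row["count"] += 1
        # max() on a string field is lexicographic in SPL as well; BSD timestamps carry
        # no year, so "Mar" sorts after "Apr" and ordering only holds within a month.
        ts = ev["event_timestamp"]
        if ts is not None and (row["event_time"] is None or ts > row["event_time"]):
            row["event_time"] = ts
        _add_values(row, ev, ("public_ip", "public_port"))
    return rows


def low_frequency_rogue_peers(events, threshold=3):
    """Rule 2: stats count values(dest) values(public_ip) values(public_port)
    by peer_type peer_system_ip | where count <= threshold | sort 0 count asc."""
    rows = {}
    for ev in events:
        row = rows.setdefault((ev["peer_type"], ev["peer_system_ip"]), {"count": 0})
        row["count"] += 1
        _add_values(row, ev, ("dest", "public_ip", "public_port"))  # dest collected as "dests"
    flagged = [{"peer_type": k[0], "peer_system_ip": k[1], **v} for k, v in rows.items() if v["count"] <= threshold]
    return sorted(flagged, key=lambda r: r["count"])


def _line(ts, host, peer_type, peer_ip, pub_ip, port, state):
    # Constructed sample line; the "<ts> <host> <proc>[pid]: %Viptela-...:" layout is an assumption.
    return (f'{ts} {host} vdaemon[2048]: %Viptela-{host}-vdaemon-6-INFO-1400002: Notification: '
            f'control-connection-state-change severity-level:major host-name:"{host}" '
            f'peer-type:{peer_type} peer-system-ip:{peer_ip} public-ip:{pub_ip} public-port:{port} new-state:{state}')


SAMPLE_EVENTS = [  # (indexed host, raw line): a constructed three-router site plus one odd event
    ("edge-01", _line("Mar  3 10:00:00.900", "edge-01", "vbond", "10.0.0.1", "203.0.113.5", 12346, "up")),
    ("edge-01", _line("Mar  3 10:00:01.123", "edge-01", "vsmart", "10.0.0.2", "203.0.113.10", 12346, "up")),
    ("edge-02", _line("Mar  3 10:00:01.700", "edge-02", "vbond", "10.0.0.1", "203.0.113.5", 12346, "up")),
    ("edge-02", _line("Mar  3 10:00:02.001", "edge-02", "vsmart", "10.0.0.2", "203.0.113.10", 12346, "up")),
    ("edge-03", _line("Mar  3 10:00:02.400", "edge-03", "vsmart", "10.0.0.2", "203.0.113.10", 12346, "up")),
    ("edge-03", _line("Mar  3 10:15:29.000", "edge-03", "vsmart", "10.0.0.2", "203.0.113.10", 12346, "down")),
    ("edge-01", _line("Mar  3 10:15:30.000", "edge-01", "vsmart", "10.0.0.2", "203.0.113.10", 12346, "up")),
    # ISO-stamped line from a never-seen "vmanage": HOST_RE misses, so dest comes from the indexed host.
    ("edge-04", _line("2026-03-03T10:16:02.000Z", "edge-04", "vmanage", "192.0.2.77", "198.51.100.9", 23456, "up")),
]

if __name__ == "__main__":
    events = parse_all(SAMPLE_EVENTS)
    for (ptype, pip, dest, state), row in sorted(peering_activity(events).items()):
        print(f"activity {dest:8} {ptype:8} {pip:12} {state} count={row['count']} last={row['event_time']}")
    for row in low_frequency_rogue_peers(events, threshold=3):
        print(f"rare     {row['peer_type']:8} {row['peer_system_ip']:12} count={row['count']} dest={sorted(row['dests'])}")
```

With the default threshold the sample flags the constructed vmanage peer (seen once, from a public-ip the site never used) but also the legitimate vbond, which only two routers peered with in the window; lowering the threshold to 1 keeps only the vmanage row. That is the tuning decision the rule's own note asks for, and the `new-state:down` line shows the prefilter discarding teardown events, so a flapping rogue peer is counted once per successful connection rather than once per transition.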