Detection: Cisco SD-WAN - Low Frequency Rogue Peer

Description

This analytic identifies low-frequency Cisco SD-WAN control peering activity from control-connection-state-change events where "new-state:up".

It extracts "peer-type" and "peer-system-ip", groups events by these two fields, and counts how often each combination appears within the selected time window.

Combinations whose count is less than or equal to the defined threshold (currently <=3 occurrences in the search window) are flagged as rare.

Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values. Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or potentially malicious control-plane connection attempts.

Findings might indicate the potential exploitation of CVE-2026-20127.

Note that the threshold is set to "3" by default, but it is highly recommended that this value be adapted to the environment before deploying this search.

`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*new-state:up*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")

| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"

| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"

| eval dest=coalesce(prefix_host, legacy_host, device_name, host)

| rex field=_raw "new-state:(?<new_state>\S+)"

| rex field=_raw "peer-type:(?<peer_type>\S+)"

| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"

| rex field=_raw "public-ip:(?<public_ip>\S+)"

| rex field=_raw "public-port:(?<public_port>\d+)"

| where isnotnull(peer_type) AND isnotnull(peer_system_ip)

| stats count
        values(dest) as dest
        values(public_ip) as public_ips
        values(public_port) as public_ports
  by peer_type peer_system_ip

| where count <= 3

| sort 0 count asc

| table dest peer_type peer_system_ip public_ips
        public_ports count

| `cisco_sd_wan___low_frequency_rogue_peer_filter`
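As an added example (not code from the Splunk Security Content project), the same detection logic in Python over constructed sample syslog lines: the regexes mirror the SPL's rex stages, "up" events are grouped by peer-type and peer-system-ip, combinations seen at most three times are returned rarest first, and a known-good baseline set stands in for the tuning the Implementation section recommends. The log line layout, host names, addresses and ports are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real device output), shaped the way the SPL's regexes expect:
# BSD timestamp, host, process[pid], then a %-prefixed message carrying key:value tokens.
def _log(ts, host, peer_type, peer_ip, pub_ip, port, state):
    return (f"Mar 14 {ts} {host} vdaemon[1024]: %Viptela-6-INFO: control-connection-state-change "
            f"peer-type:{peer_type} peer-system-ip:{peer_ip} public-ip:{pub_ip} public-port:{port} new-state:{state}")

SAMPLE_LOGS = [_log(f"10:0{i}:00", "vsmart1", "vedge", "10.1.1.5", "198.51.100.10", 12346, "up")
               for i in range(5)] + [                                                   # seen 5x: not rare
    _log("10:10:00", "vsmart1", "vbond", "10.0.0.2", "198.51.100.2", 12346, "down"),    # not an 'up' event
    _log("10:11:00", "vsmart2", "vmanage", "10.0.0.3", "198.51.100.3", 12346, "up"),    # rare, but baselined
    _log("10:12:00", "vsmart1", "vedge", "10.1.1.77", "203.0.113.9", 40123, "up"),      # rare, unknown peer
    _log("10:13:00", "vsmart2", "vedge", "10.1.1.77", "203.0.113.9", 40123, "up"),
]

# Same extractions as the SPL rex stages; prefix_host becomes dest.
HOST_RE = re.compile(r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)"
                     r"(?P<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%")
FIELD_RE = {name: re.compile(f"{token}:({pat})") for name, token, pat in [
    ("new_state", "new-state", r"\S+"), ("peer_type", "peer-type", r"\S+"),
    ("peer_system_ip", "peer-system-ip", r"\S+"), ("public_ip", "public-ip", r"\S+"),
    ("public_port", "public-port", r"\d+")]}


def parse_event(line):
    """Fields of a 'new-state:up' control-connection-state-change line, else None (the TERM/isnotnull gates)."""
    ev = {name: (m.group(1) if (m := rx.search(line)) else None) for name, rx in FIELD_RE.items()}
    host = HOST_RE.match(line)
    ev["dest"] = host.group("prefix_host") if host else None
    if ("control-connection-state-change" not in line or ev["new_state"] != "up"
            or ev["peer_type"] is None or ev["peer_system_ip"] is None):
        return None
    return ev


def rare_peers(lines, threshold=3, baseline=frozenset()):
    """Group 'up' events by (peer_type, peer_system_ip); return combos seen <= threshold times,
    skipping pairs on the known-good baseline that the Implementation section says to build."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse_event, lines)):
        groups[(ev["peer_type"], ev["peer_system_ip"])].append(ev)
    rows = [{"peer_type": pt, "peer_system_ip": ip, "count": len(evs),
             "dest": sorted({e["dest"] for e in evs if e["dest"]}),
             "public_ips": sorted({e["public_ip"] for e in evs if e["public_ip"]}),
             "public_ports": sorted({e["public_port"] for e in evs if e["public_port"]})}
            for (pt, ip), evs in groups.items() if len(evs) <= threshold and (pt, ip) not in baseline]
    return sorted(rows, key=lambda r: r["count"])  # rarest first, like `sort 0 count asc`
```

Calling rare_peers(SAMPLE_LOGS, baseline={("vmanage", "10.0.0.3")}) leaves only the vedge peer 10.1.1.77, seen twice from two controllers with an unfamiliar public IP.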

Data Source

Name: Cisco SD-WAN NTCE 1000001
Platform: Other
Sourcetype: cisco:sdwan:syslog
Source: /var/log/vsyslog

Macros Used

cisco_sd_wan_syslog: sourcetype=cisco:sdwan:syslog
cisco_sd_wan___low_frequency_rogue_peer_filter: search *

cisco_sd_wan___low_frequency_rogue_peer_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

CVE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting Value
Disabled true
Cron Schedule 0 * * * *
Earliest Time -70m@m
Latest Time -10m@m
Schedule Window auto
Creates Risk Event True
This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

This analytic requires Cisco SD-WAN/vSmart logs in Splunk and assumes control peering status messages are searchable via the cisco_sd_wan_syslog macro. Update that macro with your environment-specific index and sourcetype settings. Build a known-good baseline (lookup or macro conditions) for expected peer-system-ip, public-ip, and peer-type relationships, then tune the cisco_sd_wan_rogue_peer_outlier_filter macro to suppress approved peers and transport sources. The threshold (<=3) is a starting point and should be adjusted for your environment size and log volume. Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.

Known False Positives

New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport path changes can create rare peer/public-IP combinations. Validate outliers against change records and known SD-WAN inventory before escalating.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

The SD-WAN device $dest$ established a rare control connection to peer-system-ip $peer_system_ip$ with peer-type $peer_type$ (observed $count$ times).

Risk Object: dest
Risk Object Type: system
Risk Score: 20
Threat Objects: No Threat Objects

References

Detection Testing

Validation: Passing (Dataset Source: N/A, Sourcetype: N/A)
Unit: Passing (Dataset Source: /var/log/vsyslog, Sourcetype: cisco:sdwan:syslog)
Integration: Passing (Dataset Source: /var/log/vsyslog, Sourcetype: cisco:sdwan:syslog)

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1