Detection: Cisco SD-WAN - Peering Activity

Description

This analytic detects Cisco SD-WAN control-connection-state-change events in which a control connection transitions to the up state. It extracts and highlights key triage fields including peer-type, peer-system-ip, public-ip, and public-port. Analysts should manually validate whether the peer-system-ip matches the expected SD-WAN addressing schema and device inventory, whether the event timing aligns with known operational activity (maintenance, failover, or planned changes), and whether the public-ip is an expected source for control peering in the environment. Treat peer-type:vmanage events with higher scrutiny, especially when the peer or source IP values have not been seen before.

`cisco_sd_wan_syslog`
TERM("*control-connection-state-change*")
TERM("*peer-system-ip:*")
TERM("*public-ip:*")
TERM("*new-state:up*")

| rex field=_raw "^(?<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"

| rex field=_raw "^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)(?<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"

| eval dest=coalesce(prefix_host, legacy_host, device_name, host)

| rex field=_raw "new-state:(?<new_state>\S+)"

| rex field=_raw "peer-type:(?<peer_type>\S+)"

| rex field=_raw "peer-system-ip:(?<peer_system_ip>\S+)"

| rex field=_raw "public-ip:(?<public_ip>\S+)"

| rex field=_raw "public-port:(?<public_port>\d+)"

| where isnotnull(peer_type) AND isnotnull(peer_system_ip)

| stats count max(event_timestamp) as event_time
        values(public_ip) as public_ips
        values(public_port) as public_ports
  by peer_type peer_system_ip dest new_state

| table event_time dest peer_type peer_system_ip
        public_ips public_ports count

| `cisco_sd_wan___peering_activity_filter`
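To check what the search above does to a handful of events before it is scheduled, the following Python script (an added example; it is not part of the Splunk detection or the Splunk Security Content project) replays the same pipeline offline: the TERM() pre-filters, the rex extractions (with Python's (?P<name>...) group syntax), the coalesce() fallback to the Splunk host field, the where clause, and the stats grouping. It then applies the manual triage steps from the Description against a small inventory. The syslog lines, host names, IP addresses and the KNOWN_CONTROLLERS / KNOWN_PUBLIC_IPS inventory are all constructed for the example and are not real Cisco output or addresses.

```python
import re

# Regexes mirror the rex stages of the SPL above; Python spells named groups as (?P<name>...).
EVENT_TS_RE = re.compile(
    r"^(?P<event_timestamp>(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?"
    r"|[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}(?:\.\d{1,6})?(?:Z|[+-][0-9]{2}:[0-9]{2})))\s*:?"
)
# Only the BSD-style "Mon dd hh:mm:ss host proc[pid]: %" prefix yields prefix_host;
# ISO-timestamped lines fall through to the Splunk host field, as coalesce() does in the SPL.
PREFIX_HOST_RE = re.compile(
    r"^(?:[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d{3})?\s*:?\s+)"
    r"(?P<prefix_host>[^\s:]+)\s+\S+(?:\[\d+\])?:\s+%"
)
FIELD_RES = {
    "new_state": re.compile(r"new-state:(\S+)"),
    "peer_type": re.compile(r"peer-type:(\S+)"),
    "peer_system_ip": re.compile(r"peer-system-ip:(\S+)"),
    "public_ip": re.compile(r"public-ip:(\S+)"),
    "public_port": re.compile(r"public-port:(\d+)"),
}
# The base search's wildcard TERM() filters, approximated here as substring checks on the raw line.
REQUIRED_TERMS = ("control-connection-state-change", "peer-system-ip:", "public-ip:", "new-state:up")

# Constructed sample events as (raw line, Splunk 'host' metadata). Not real Cisco SD-WAN output.
_HDR = "%Viptela-vedge-vdaemon-6-INFO-1400002: Notification: control-connection-state-change "
SAMPLE_LOGS = [
    ("Mar  7 12:00:01 vedge-branch1 vdaemon[1234]: " + _HDR +
     "peer-type:vsmart peer-system-ip:10.255.0.11 public-ip:198.51.100.21 public-port:12346 new-state:up", "vedge-branch1"),
    ("Mar  7 12:05:09 vedge-branch1 vdaemon[1234]: " + _HDR +
     "peer-type:vsmart peer-system-ip:10.255.0.11 public-ip:198.51.100.21 public-port:12446 new-state:up", "vedge-branch1"),
    # new-state:down: dropped by the TERM("*new-state:up*") filter.
    ("Mar  7 12:07:30 vedge-branch1 vdaemon[1234]: " + _HDR +
     "peer-type:vsmart peer-system-ip:10.255.0.11 public-ip:198.51.100.21 public-port:12346 new-state:down", "vedge-branch1"),
    # ISO timestamp: prefix_host does not extract, so dest comes from the host metadata.
    ("2024-03-07T12:10:44.123Z vedge-branch2 vdaemon[2211]: " + _HDR +
     "peer-type:vmanage peer-system-ip:10.255.0.250 public-ip:192.0.2.77 public-port:12346 new-state:up", "vedge-branch2"),
    # No peer-type field: survives TERM() but is dropped by the where clause.
    ("Mar  7 12:12:00 vedge-branch3 vdaemon[99]: " + _HDR +
     "peer-system-ip:10.255.0.12 public-ip:198.51.100.22 public-port:12346 new-state:up", "vedge-branch3"),
    ("Mar  7 12:15:00 vedge-branch1 vdaemon[1234]: " + _HDR +
     "peer-type:vbond peer-system-ip:10.9.9.9 public-ip:203.0.113.5 public-port:12346 new-state:up", "vedge-branch1"),
]
# Constructed inventory used for the manual validation steps described above.
KNOWN_CONTROLLERS = {"10.255.0.11": "vsmart", "10.255.0.250": "vmanage"}
KNOWN_PUBLIC_IPS = {"198.51.100.21"}


def parse_event(raw, host):
    """Return the triage fields for one line, or None when the search would discard it."""
    if not all(term in raw for term in REQUIRED_TERMS):
        return None
    fields = {}
    m = EVENT_TS_RE.match(raw)
    fields["event_timestamp"] = m.group("event_timestamp") if m else None
    m = PREFIX_HOST_RE.match(raw)
    fields["dest"] = m.group("prefix_host") if m else host  # coalesce(prefix_host, ..., host)
    for name, rx in FIELD_RES.items():
        m = rx.search(raw)
        fields[name] = m.group(1) if m else None
    if fields["peer_type"] is None or fields["peer_system_ip"] is None:
        return None  # | where isnotnull(peer_type) AND isnotnull(peer_system_ip)
    return fields


def summarize(events):
    """stats count, max(event_timestamp), values(public_ip), values(public_port) by peer_type peer_system_ip dest new_state."""
    rows = {}
    for e in events:
        key = (e["peer_type"], e["peer_system_ip"], e["dest"], e["new_state"])
        row = rows.setdefault(key, {"count": 0, "event_time": None, "public_ips": set(), "public_ports": set()})
        row["count"] += 1
        ts = e["event_timestamp"]
        if ts is not None and (row["event_time"] is None or ts > row["event_time"]):
            row["event_time"] = ts  # string comparison, like max() on an unparsed string field
        if e["public_ip"]:
            row["public_ips"].add(e["public_ip"])
        if e["public_port"]:
            row["public_ports"].add(e["public_port"])
    return rows


def triage(rows, known_controllers, known_public_ips):
    """Apply the Description's validation steps to each stats row and return the rows that need review."""
    findings = []
    for (peer_type, peer_ip, dest, _state), row in rows.items():
        reasons = []
        if peer_ip not in known_controllers:
            reasons.append("peer-system-ip not in controller inventory")
        elif known_controllers[peer_ip] != peer_type:
            reasons.append("peer-type differs from inventory")
        unseen = sorted(row["public_ips"] - known_public_ips)
        if unseen:
            reasons.append("public-ip not previously seen: " + ",".join(unseen))
        if peer_type == "vmanage":
            reasons.append("peer-type vmanage: review with higher scrutiny")
        if reasons:
            findings.append({"dest": dest, "peer_type": peer_type, "peer_system_ip": peer_ip, "reasons": reasons})
    return findings


def run_detection(logs=SAMPLE_LOGS):
    events = [e for e in (parse_event(raw, host) for raw, host in logs) if e is not None]
    rows = summarize(events)
    return rows, triage(rows, KNOWN_CONTROLLERS, KNOWN_PUBLIC_IPS)


if __name__ == "__main__":
    rows, findings = run_detection()
    for key, row in rows.items():
        print(key, row)
    for f in findings:
        print("REVIEW:", f)
```

Of the six constructed lines, two are discarded (the down transition by the TERM() filter, the line without peer-type by the where clause), leaving three stats rows. Only the vmanage row and the unknown vbond peer are returned for review; the two vsmart events collapse into one row whose public_ports set shows both ports, which is the kind of rare peer/public-IP combination the Known False Positives section says to check against change records.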

Data Source

Name: Cisco SD-WAN NTCE 1000001
Platform: Other
Sourcetype: cisco:sdwan:syslog
Source: /var/log/vsyslog

Macros Used

cisco_sd_wan_syslog: sourcetype=cisco:sdwan:syslog
cisco_sd_wan___peering_activity_filter: search *

cisco_sd_wan___peering_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

CVE

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Disabled: true
Cron Schedule: 0 * * * *
Earliest Time: -70m@m
Latest Time: -10m@m
Schedule Window: auto
Creates Risk Event: False

This configuration file applies to all detections of type hunting.

Implementation

This analytic requires Cisco SD-WAN/vSmart logs in Splunk and assumes control peering status messages are searchable via the cisco_sd_wan_syslog macro. Update that macro with your environment-specific index and sourcetype settings. Follow the documentation https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/system-interface/ios-xe-17/systems-interfaces-book-xe-sdwan/configure-logging.html to start ingesting these logs.

Known False Positives

New controller onboarding, topology expansion, controller failover, maintenance windows, and temporary transport path changes can create rare peer/public-IP combinations. Validate outliers against change records and known SD-WAN inventory before escalating.

Associated Analytic Story

References

Detection Testing

Validation: Passing (Dataset: N/A, Source: N/A, Sourcetype: N/A)
Unit: Passing (Dataset: Dataset, Source: /var/log/vsyslog, Sourcetype: cisco:sdwan:syslog)
Integration: Passing (Dataset: Dataset, Source: /var/log/vsyslog, Sourcetype: cisco:sdwan:syslog)

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1