Detection: Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity

Description

This hunting search surfaces source IP activity that uses uncommon HTTP user-agents across multiple URI paths in Cisco SD-WAN Manager serviceproxy access logs. It groups requests by source (src) and user-agent (http_user_agent), keeps combinations that access more than one distinct URI, and then retains only low-volume activity (requests<=50) to reduce noise from normal high-volume traffic. Use this hunt to pivot on http_user_agent and src and identify possible automation, scripted reconnaissance, or exploitation attempts.

`cisco_sd_wan_service_proxy_access`
| rex field=_raw "^\[.*?\]\s+\"(?<http_method>\S+)\s+(?<uri>\S+)\s+(?<http_protocol>[^\"]+)\"\s+(?<http_response_code>\S+)\s+(?<response_flags>\S+)\s+(?<bytes_in>\S+)\s+(?<bytes_out>\S+)\s+(?<duration>\S+)\s+(?<upstream_service_time>\S+)\s+\"(?<src>[^\"]+)\"\s+\"(?<http_user_agent>[^\"]+)\"\s+\"(?<x_request_id>[^\"]+)\"\s+\"(?<dest>[^\"]+)\"\s+\"(?<upstream_host>[^\"]+)\""
| rex field=uri "(?<uri_path>[^\?]+)(?<uri_query>\?.*)?"
| bin _time span=5m
| stats count as requests
        min(_time) as firstTime
        max(_time) as lastTime
        values(uri) as uri
        dc(uri) as uri_count
    by src http_user_agent
| where requests<=50 AND uri_count>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| sort 0 +requests
| `cisco_sd_wan___uncommon_user_agent_multi_uri_activity_filter`
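To see what the search actually computes, the following Python re-implements the same logic offline: parse each serviceproxy access log line with the field layout the rex above expects (Envoy's default access log format), group by (src, http_user_agent), count requests and distinct URIs, and keep only groups with uri_count>1 and requests<=50. This is an added example, not code from Splunk's security content or from Cisco. It assumes the Envoy field order implied by the rex, additionally captures the bracketed start time (a start_time field the SPL does not extract) to stand in for Splunk's _time, and omits the 5-minute bin, which in the SPL only rounds firstTime and lastTime. All log lines, addresses, URI paths and user-agents are constructed for illustration.

```python
"""Offline re-implementation of the hunt's logic over Envoy-style Cisco SD-WAN
serviceproxy access log lines. Added example; not Splunk's or Cisco's code."""
import re
from collections import defaultdict

# Same field layout as the SPL rex; the bracketed start time is additionally
# captured (start_time) so first/last seen can be computed without Splunk's _time.
ACCESS_LOG_RE = re.compile(
    r'^\[(?P<start_time>[^\]]*)\]\s+"(?P<http_method>\S+)\s+(?P<uri>\S+)\s+'
    r'(?P<http_protocol>[^"]+)"\s+(?P<http_response_code>\S+)\s+(?P<response_flags>\S+)\s+'
    r'(?P<bytes_in>\S+)\s+(?P<bytes_out>\S+)\s+(?P<duration>\S+)\s+(?P<upstream_service_time>\S+)\s+'
    r'"(?P<src>[^"]+)"\s+"(?P<http_user_agent>[^"]+)"\s+"(?P<x_request_id>[^"]+)"\s+'
    r'"(?P<dest>[^"]+)"\s+"(?P<upstream_host>[^"]+)"'
)


def parse_access_log(line):
    """Return the named fields of one access log line, or None if it does not
    match the expected layout (such lines are silently dropped, as in Splunk)."""
    m = ACCESS_LOG_RE.match(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Equivalent of the second rex: split the URI into path and optional query.
    path, sep, query = fields["uri"].partition("?")
    fields["uri_path"] = path
    fields["uri_query"] = sep + query
    return fields


def hunt(lines, max_requests=50):
    """Group by (src, http_user_agent); keep pairs touching more than one
    distinct URI with at most max_requests requests; sort by ascending count."""
    groups = defaultdict(lambda: {"requests": 0, "uris": set(), "times": []})
    for line in lines:
        ev = parse_access_log(line)
        if ev is None:
            continue
        g = groups[(ev["src"], ev["http_user_agent"])]
        g["requests"] += 1
        g["uris"].add(ev["uri"])
        g["times"].append(ev["start_time"])
    rows = []
    for (src, ua), g in groups.items():
        if g["requests"] <= max_requests and len(g["uris"]) > 1:
            rows.append({
                "src": src, "http_user_agent": ua,
                "requests": g["requests"], "uri_count": len(g["uris"]),
                "uri": sorted(g["uris"]),
                # ISO-8601 UTC strings of equal format sort lexicographically.
                "firstTime": min(g["times"]), "lastTime": max(g["times"]),
            })
    return sorted(rows, key=lambda r: r["requests"])


# --- Constructed sample data (addresses, paths and agents are illustrative) ---
def _line(ts, method, uri, code, src, ua, req_id):
    """Build one Envoy-style line in the field order the page's rex expects."""
    return (f'[{ts}] "{method} {uri} HTTP/1.1" {code} - 0 512 12 10 '
            f'"{src}" "{ua}" "{req_id}" "vmanage.example.internal" "10.0.0.5:8443"')


BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/121.0"
SCRIPT_UA = "python-requests/2.31.0"

SAMPLE_LINES = [
    # Browser session hitting one URI twice: uri_count is 1, not surfaced.
    _line("2024-01-15T10:00:01.000Z", "GET", "/dataservice/client/server", 200, "192.0.2.10", BROWSER_UA, "r-001"),
    _line("2024-01-15T10:00:09.000Z", "GET", "/dataservice/client/server", 200, "192.0.2.10", BROWSER_UA, "r-002"),
    # Scripted client walking three endpoints at low volume: surfaced.
    _line("2024-01-15T10:00:30.000Z", "GET", "/dataservice/device", 401, "198.51.100.7", SCRIPT_UA, "r-003"),
    _line("2024-01-15T10:00:31.000Z", "GET", "/dataservice/system/device/vedges", 401, "198.51.100.7", SCRIPT_UA, "r-004"),
    _line("2024-01-15T10:00:32.000Z", "POST", "/dataservice/client/token?source=cli", 403, "198.51.100.7", SCRIPT_UA, "r-005"),
    # A line in another format is skipped by the parser.
    "2024-01-15 10:01:00 health-check ok",
]
# Bulk poller: 60 requests over two URIs exceeds the 50-request ceiling and is
# dropped as normal high-volume traffic.
for i in range(60):
    uri = "/dataservice/statistics/interface" if i % 2 else "/dataservice/statistics/approute"
    SAMPLE_LINES.append(_line(f"2024-01-15T10:02:{i:02d}.000Z", "GET", uri, 200,
                              "203.0.113.4", "curl/8.4.0", f"r-{100 + i}"))

if __name__ == "__main__":
    for row in hunt(SAMPLE_LINES):
        print(row["src"], row["http_user_agent"], row["requests"], row["uri_count"], row["uri"])
```

Running it with the constructed data surfaces only the python-requests client (3 requests, 3 distinct URIs); the browser session is excluded because it touches a single URI, and the curl poller is excluded by the 50-request ceiling. Raising max_requests (the equivalent of editing the where clause) brings the poller back, which is a quick way to gauge how much normal bulk traffic the threshold is suppressing in your environment.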

Data Source

Name                                   | Platform | Sourcetype         | Source
Cisco SD-WAN Service Proxy Access Logs | Other    | cisco:sdwan:access | /var/log/nms/containers/service-proxy/serviceproxy-access.log

Macros Used

Name                                                          | Value
cisco_sd_wan_service_proxy_access                             | sourcetype=cisco:sdwan:access
cisco_sd_wan___uncommon_user_agent_multi_uri_activity_filter  | search *
cisco_sd_wan___uncommon_user_agent_multi_uri_activity_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK: T1595 Active Scanning (Tactic: Reconnaissance)
Kill Chain Phases: Reconnaissance
NIST: DE.AE
CIS: CIS 13
Threat Actors: none listed

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting            | Value
Disabled           | true
Cron Schedule      | 0 * * * *
Earliest Time      | -70m@m
Latest Time        | -10m@m
Schedule Window    | auto
Creates Risk Event | False
This configuration file applies to all detections of type hunting.

Implementation

This detection requires Cisco SD-WAN Manager Envoy access logs to be ingested into Splunk with the sourcetype cisco:sdwan:access. On the Manager these logs are located in "/var/log/nms/containers/service-proxy/serviceproxy-access.log".

Known False Positives

No false positives have been identified at this time.

Associated Analytic Story

References

Detection Testing

Test Type   | Status  | Dataset | Source                                                        | Sourcetype
Validation  | Passing | N/A     | N/A                                                           | N/A
Unit        | Passing | Dataset | /var/log/nms/containers/service-proxy/serviceproxy-access.log | cisco:sdwan:access
Integration | Passing | Dataset | /var/log/nms/containers/service-proxy/serviceproxy-access.log | cisco:sdwan:access

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1