Analytics Story: Cisco Catalyst SD-WAN Analytics

Description

This analytic story provides a suite of detections designed to analyze logs collected from Cisco Catalyst SD-WAN devices. The included analytics focus on identifying anomalous control connections, unexpected peer relationships, rare peer-type and system-IP combinations, suspicious public IP associations, and other deviations from established SD-WAN topology behavior. These detections help security teams surface unauthorized devices, misconfigurations, infrastructure drift, and potential exploitation attempts targeting SD-WAN components.

Why it matters

Cisco Catalyst SD-WAN provides centralized orchestration and policy-driven connectivity through control-plane communications between vManage, vSmart, and edge devices. The platform generates logs covering control-connection state changes, peer identity, public IP associations, and system roles. This analytic story uses that telemetry to detect behavioral anomalies within SD-WAN control relationships, highlighting rare or unexpected peer interactions that may indicate configuration errors, unauthorized infrastructure, or adversary activity.

Detections

Name                                      Technique                           Type
Cisco SD-WAN - Low Frequency Rogue Peer   Exploit Public-Facing Application   Anomaly
Cisco SD-WAN - Peering Activity           Exploit Public-Facing Application   Hunting

Data Sources

Name                        Platform   Sourcetype           Source
Cisco SD-WAN NTCE 1000001   Other      cisco:sdwan:syslog   /var/log/vsyslog

Source: GitHub | Version: 1