Analytics Story: Cisco Secure Access Analytics
Description
This analytic story provides a suite of detections built to analyze network and access logs from Cisco Secure Access. The included analytics focus on uncovering suspicious and potentially malicious behavior such as unauthorized access attempts, anomalous authentication patterns, policy violations, and indicators of compromised credentials. These detections help security teams identify threats that may bypass traditional perimeter defenses, offering deeper insight into user access behavior, device posture anomalies, and adversary abuse of legitimate access pathways.
Why it matters
Cisco Secure Access is a cloud-delivered security service edge (SSE) solution that provides secure connectivity and access control for users, devices, and applications regardless of location. It combines zero trust network access (ZTNA), secure web gateway (SWG), cloud access security broker (CASB), and firewall-as-a-service capabilities into a unified platform. This analytic story leverages the rich telemetry generated by Cisco Secure Access to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Initial Access, Credential Access, Lateral Movement, and Exfiltration.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Secure Access Firewall | Other | cisco:cloud_security:firewall | cisco_secure_access:firewall |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| Palo Alto Network Traffic | | pan:traffic | not_applicable |
| Sysmon EventID 3 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
Source: GitHub | Version: 1