Cisco IOS
Overview
Cisco IOS is a network operating system for Cisco ASR routers and Cisco Catalyst switches.
Related Built-in Rules
Benefit from SEKOIA.IO built-in rules and upgrade Cisco IOS with the following detection capabilities out-of-the-box.
SEKOIA.IO x Cisco IOS on ATT&CK Navigator
RYUK Ransomeware - martinstevens Username
Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020.
- Effort: elementary
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Host network interface |
every packets are logged and information on the outcome, the source/destination are extracted |
Network device logs |
ACL logs are examined in detail |
Network protocol analysis |
packets are fully analyzed |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | event |
| Category | host |
| Type | `` |
Event Samples
Find below few samples of events and how they are normalized by SEKOIA.IO.
{
"message": "FE03.LOCAL: Mar 6 2023 08:04:45.866 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to down",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 5,
"code": "UPDOWN",
"reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to down",
"action": "down",
"type": [
"info"
]
},
"@timestamp": "2023-03-06T07:04:45.866000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE03.LOCAL"
},
"cisco": {
"ios": {
"event": {
"facility": "LINEPROTO"
},
"observer": {
"interface": {
"name": "GigabitEthernet1/0/13"
}
}
}
}
}
{
"message": "STN01.LOCAL: Mar 6 2023 08:04:45.866 CET: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/13, changed state to up",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 5,
"code": "UPDOWN",
"reason": "Line protocol on Interface GigabitEthernet1/0/13, changed state to up",
"action": "up",
"type": [
"info"
]
},
"@timestamp": "2023-03-06T07:04:45.866000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "STN01.LOCAL"
},
"cisco": {
"ios": {
"event": {
"facility": "LINEPROTO"
},
"observer": {
"interface": {
"name": "GigabitEthernet1/0/13"
}
}
}
}
}
{
"message": "FE05: Mar 6 2023 08:04:45.866: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/13, changed state to down",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 3,
"code": "UPDOWN",
"reason": "Interface GigabitEthernet2/0/13, changed state to down",
"action": "down",
"type": [
"info"
]
},
"@timestamp": "2023-03-06T08:04:45.866000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE05"
},
"cisco": {
"ios": {
"event": {
"facility": "LINK"
},
"observer": {
"interface": {
"name": "GigabitEthernet2/0/13"
}
}
}
}
}
{
"message": "FE05: Mar 6 2023 08:04:45.866: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/25, changed state to up",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 3,
"code": "UPDOWN",
"reason": "Interface GigabitEthernet2/0/25, changed state to up",
"action": "up",
"type": [
"info"
]
},
"@timestamp": "2023-03-06T08:04:45.866000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE05"
},
"cisco": {
"ios": {
"event": {
"facility": "LINK"
},
"observer": {
"interface": {
"name": "GigabitEthernet2/0/25"
}
}
}
}
}
{
"message": "FE08: Jan 13 2023 10:16:05.33: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: jdoe] [Source: 1.2.3.4] [localport: 22] at 10:16:05 GMT Fri Jan 13 2023",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 5,
"code": "LOGIN_SUCCESS",
"reason": "Login Success [user: jdoe] [Source: 1.2.3.4] [localport: 22] at 10:16:05 GMT Fri Jan 13 2023",
"type": [
"access",
"start"
]
},
"@timestamp": "2023-01-13T10:16:05.330000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE08"
},
"source": {
"ip": "1.2.3.4",
"port": 22,
"address": "1.2.3.4"
},
"user": {
"name": "jdoe"
},
"cisco": {
"ios": {
"event": {
"facility": "SEC_LOGIN"
}
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
}
}
{
"message": "FE08: Jan 13 2023 10:16:05.33: %SYS-3-LOGGINGHOST_FAIL: Logging to host 3.2.4.5 port 514 failed",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 3,
"code": "LOGGINGHOST_FAIL",
"reason": "Logging to host 3.2.4.5 port 514 failed",
"type": [
"access",
"end"
]
},
"@timestamp": "2023-01-13T10:16:05.330000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE08"
},
"destination": {
"ip": "3.2.4.5",
"port": 514,
"address": "3.2.4.5"
},
"cisco": {
"ios": {
"event": {
"facility": "SYS"
}
}
},
"related": {
"ip": [
"3.2.4.5"
]
}
}
{
"message": "FE08: Jan 13 2023 10:16:05.33: %SYS-6-LOGOUT: User jdoe has exited tty session 2(1.2.3.4)",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 6,
"code": "LOGOUT",
"reason": "User jdoe has exited tty session 2(1.2.3.4)",
"type": [
"access",
"end"
]
},
"@timestamp": "2023-01-13T10:16:05.330000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE08"
},
"source": {
"ip": "1.2.3.4",
"address": "1.2.3.4"
},
"user": {
"name": "jdoe"
},
"cisco": {
"ios": {
"event": {
"facility": "SYS"
},
"observer": {
"terminal": "2"
}
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
}
}
{
"message": "DN04.LOCAL: Feb 21 06:59:55.692: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/9 and port Gi2/0/9",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 4,
"code": "MACFLAP_NOTIF",
"reason": "Host 0011.2233.4455 in vlan 20 is flapping between port Gi1/0/9 and port Gi2/0/9",
"type": [
"info"
]
},
"@timestamp": "2023-02-21T06:59:55.692000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "DN04.LOCAL"
},
"source": {
"mac": "00:11:22:33:44:55"
},
"network": {
"vlan": {
"id": "20"
}
},
"cisco": {
"ios": {
"event": {
"facility": "SW_MATM"
},
"observer": {
"interface": {
"ports": [
"Gi1/0/9",
"Gi2/0/9"
]
}
}
}
}
}
{
"message": "FE08: Jan 13 2023 10:16:05.33: %SYS-6-TTY_EXPIRE_TIMER: (exec timer expired, tty 2 (1.2.3.4)), user jdoe",
"event": {
"kind": "event",
"category": [
"host"
],
"severity": 6,
"code": "TTY_EXPIRE_TIMER",
"reason": "(exec timer expired, tty 2 (1.2.3.4)), user jdoe",
"type": [
"info"
]
},
"@timestamp": "2023-01-13T10:16:05.330000Z",
"observer": {
"vendor": "Cisco",
"product": "ios"
},
"host": {
"name": "FE08"
},
"source": {
"ip": "1.2.3.4",
"address": "1.2.3.4"
},
"user": {
"name": "jdoe"
},
"cisco": {
"ios": {
"event": {
"facility": "SYS"
},
"observer": {
"terminal": "2"
}
}
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
@timestamp |
date |
Date/time when the event originated. |
cisco.ios.event.facility |
keyword |
The facility of the event |
cisco.ios.observer.interface.name |
keyword |
The name of the interface |
cisco.ios.observer.interface.ports |
array |
The list of ports associated to the interface |
cisco.ios.observer.terminal |
keyword |
The identifier of the terminal used for the action |
destination.ip |
ip |
IP address of the destination. |
destination.port |
long |
Port of the destination. |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.severity |
long |
Numeric severity of the event. |
host.name |
keyword |
Name of the host. |
network.vlan.id |
keyword |
VLAN ID as reported by the observer. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
source.ip |
ip |
IP address of the source. |
source.mac |
keyword |
MAC address of the source. |
source.port |
long |
Port of the source. |
user.name |
keyword |
Short name or login of the user. |
Configure
Prerequisites
An internal log concentrator is required to collect and forward events to SEKOIA.IO.
Enable Syslog forwarding
Log on your Cisco appliance and follow this guide to enable syslog forwarding.
Create the intake
Go to the intake page and create a new intake from the format Cisco IOS.
Transport to SEKOIA.IO
Please consult the Syslog Forwarding documentation to forward these logs to SEKOIA.IO.