From 2cb7eedfabf15ddd971c27ecf3009d5d22324fd6 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Wed, 6 May 2026 16:15:20 +0530
Subject: [PATCH 1/4] adding new datasets
---
 .../cisco_secure_access/dns/anonymizer_dns.log | 3 +++
 datasets/cisco_secure_access/dns/dns_proxy.yml | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 datasets/cisco_secure_access/dns/anonymizer_dns.log
 create mode 100644 datasets/cisco_secure_access/dns/dns_proxy.yml
diff --git a/datasets/cisco_secure_access/dns/anonymizer_dns.log b/datasets/cisco_secure_access/dns/anonymizer_dns.log
new file mode 100644
index 00000000..2a16b608
--- /dev/null
+++ b/datasets/cisco_secure_access/dns/anonymizer_dns.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:8b4e0a095cc188323267f1129a2862972a6bb6d84d47205006df60f1aa783411
+size 794
diff --git a/datasets/cisco_secure_access/dns/dns_proxy.yml b/datasets/cisco_secure_access/dns/dns_proxy.yml
new file mode 100644
index 00000000..aaa3dddb
--- /dev/null
+++ b/datasets/cisco_secure_access/dns/dns_proxy.yml
@@ -0,0 +1,15 @@
+author: Bhavin Patel, Splunk
+id: 9ac78446-a25a-42a5-b022-a01de06752e7
+date: '2026-05-06'
+description: |
+ Sample Cisco Secure Access DNS events representing access to proxy-evasion / anonymizer destinations (lab-generated).
+ Events include URL categorization values that contain "Anonymizer" for validation of Cisco SA content aligned to MITRE ATT&CK T1562.001.
+environment: custom
+directory: cisco_secure_access/dns
+mitre_technique:
+ - T1562.001
+datasets:
+ - name: anonymizer_dns
+ path: /datasets/cisco_secure_access/dns/anonymizer_dns.log
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:dns
From 0b94bd7a85b2a8447104c48ebafeedfa48f42613 Mon Sep 17 00:00:00 2001
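Review bot: The `mitre_technique` entry `T1562.001` (Impair Defenses: Disable or Modify Tools) is a loose fit for what the description documents — access to anonymizer / proxy-evasion destinations — which ATT&CK models under Proxy (T1090, with T1090.003 Multi-hop Proxy covering anonymity networks). If the mapping deliberately mirrors the detection this dataset validates, keeping T1562.001 is defensible, but listing `- T1090` alongside it would let the manifest be found by the technique most analysts associate with anonymizer use. The description says the content keys on a categorization value containing "Anonymizer"; since the referenced .log is only an LFS pointer in this diff, consider naming the field that carries that value so reviewers can validate the sample without fetching it. This manifest is renamed to dns.yml in the next patch of the series.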
From: Bhavin Patel
Date: Wed, 6 May 2026 16:25:52 +0530
Subject: [PATCH 2/4] updating file name
---
 datasets/cisco_secure_access/dns/{dns_proxy.yml => dns.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename datasets/cisco_secure_access/dns/{dns_proxy.yml => dns.yml} (100%)
diff --git a/datasets/cisco_secure_access/dns/dns_proxy.yml b/datasets/cisco_secure_access/dns/dns.yml
similarity index 100%
rename from datasets/cisco_secure_access/dns/dns_proxy.yml
rename to datasets/cisco_secure_access/dns/dns.yml
From ecd82b653e65d67cf7a82f4ad0a0184cf60a5a55 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 8 May 2026 12:22:41 +0530
Subject: [PATCH 3/4] adding web recon datasets
---
 .../proxy/automated_web_recon_http_errors.log | 3 +++
 datasets/cisco_secure_access/proxy/proxy.yml | 15 +++++++++++++++
 2 files changed, 18 insertions(+)
 create mode 100644 datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
 create mode 100644 datasets/cisco_secure_access/proxy/proxy.yml
diff --git a/datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log b/datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
new file mode 100644
index 00000000..a141a0ec
--- /dev/null
+++ b/datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9d54995b5a8189243e2579996f95cc75fa3ef15e20997f4ddc08f24f76f431c2
+size 277033
diff --git a/datasets/cisco_secure_access/proxy/proxy.yml b/datasets/cisco_secure_access/proxy/proxy.yml
new file mode 100644
index 00000000..9a7e7709
--- /dev/null
+++ b/datasets/cisco_secure_access/proxy/proxy.yml
@@ -0,0 +1,15 @@
+author: Bhavin Patel, Splunk
+id: b25742dd-1536-4173-a3fa-19f1583c834f
+date: '2026-05-08'
+description: |
+ Sample Cisco Secure Access proxy events representing automated web reconnaissance behavior.
+ The dataset includes high-volume HTTP 401/403/404 access errors across many unique URLs from a single source, consistent with directory and content enumeration tooling.
+environment: custom
+directory: cisco_secure_access/proxy
+mitre_technique:
+ - T1595
+datasets:
+ - name: automated_web_recon_http_errors
+ path: /datasets/cisco_secure_access/proxy/automated_web_recon_http_errors.log
+ source: cisco_cloud_security_addon
+ sourcetype: cisco:cloud_security:proxy
From e15982e0cc742950685b51d01ad7bef7b04ec0b7 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Fri, 8 May 2026 16:21:43 +0530
Subject: [PATCH 4/4] updating author
---
 datasets/cisco_secure_access/dns/dns.yml | 2 +-
 datasets/cisco_secure_access/proxy/proxy.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/datasets/cisco_secure_access/dns/dns.yml b/datasets/cisco_secure_access/dns/dns.yml
index aaa3dddb..6b9e0b8a 100644
--- a/datasets/cisco_secure_access/dns/dns.yml
+++ b/datasets/cisco_secure_access/dns/dns.yml
@@ -1,4 +1,4 @@
-author: Bhavin Patel, Splunk
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
 id: 9ac78446-a25a-42a5-b022-a01de06752e7
 date: '2026-05-06'
 description: |
diff --git a/datasets/cisco_secure_access/proxy/proxy.yml b/datasets/cisco_secure_access/proxy/proxy.yml
index 9a7e7709..4f4456c6 100644
--- a/datasets/cisco_secure_access/proxy/proxy.yml
+++ b/datasets/cisco_secure_access/proxy/proxy.yml
@@ -1,4 +1,4 @@
-author: Bhavin Patel, Splunk
+author: Mahamudul Chowdhury, Bhavin Patel, Splunk
 id: b25742dd-1536-4173-a3fa-19f1583c834f
 date: '2026-05-08'
 description: |
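Review bot: The `description` block in proxy.yml gives no provenance for the data, whereas the dns manifest earlier in this series marks its events as `(lab-generated)`; because the referenced log is a 277033-byte proxy capture that by the description carries URLs and a source identity, and is only an LFS pointer here, the manifest should state whether the events are synthetic or sanitized — appending `(lab-generated)` to the first description line, matching the dns manifest, would do. `T1595` (Active Scanning) is valid but broad; the behaviour described — directory and content enumeration surfacing as 401/403/404 bursts — corresponds to the sub-technique T1595.003 (Wordlist Scanning), which could be listed under `mitre_technique` in addition to or instead of the parent if the detection this dataset validates maps there. The other hunks on this line (the author updates in patch 4) raise nothing.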