Cisco Discovery

Sigma Rules

Summary
The Cisco Discovery rule is designed to identify and log attempts to gather information about network devices beyond what is available in standard configuration files. This kind of reconnaissance is a known technique in attack frameworks: by running various Cisco CLI commands, an adversary can learn about network topology, running services, and user configuration. The detection logic matches specific keywords corresponding to commands that administrative staff commonly run during device management. Because legitimate users frequently run the same commands for troubleshooting, the rule carries a low level, reflecting the expected rate of false positives. Keywords tracked by this rule include commands such as 'show version', 'show ip route', and 'show users', among others, which reveal details about device state, routing, and user access.
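As an added example (not the rule's own code or the Sigma project's), the keyword-matching logic described above run over a few constructed command-log lines, followed by a per-user count that a triage analyst would want because the rule's level is low and single hits from an administrator are expected. The keyword list contains only the three commands the summary names; the log line format (`user=... cmd=...`) is an assumed, constructed one, not a real Cisco syslog format.

```python
"""Keyword-match detector modelled on the Cisco Discovery Sigma rule (added example)."""
from collections import Counter
from dataclasses import dataclass
import re

# Only the keywords the rule summary lists; the real rule may carry more (assumption).
DISCOVERY_KEYWORDS = ("show version", "show ip route", "show users")

# Constructed sample lines in an assumed key=value command-log format (not real logs).
SAMPLE_LOG = [
    "2019-08-12T10:01:02 device=rtr1 user=admin cmd=show version",
    "2019-08-12T10:01:20 device=rtr1 user=admin cmd=show interface status",
    "2019-08-12T10:05:41 device=rtr1 user=svc_backup cmd=SHOW IP ROUTE",
    "2019-08-12T10:05:55 device=rtr1 user=svc_backup cmd=show users",
    "2019-08-12T10:07:10 device=rtr1 user=admin cmd=configure terminal",
]


@dataclass
class Match:
    line_no: int  # 1-based index into the input
    keyword: str  # which rule keyword fired
    line: str     # the original log line


def find_discovery_commands(log_lines, keywords=DISCOVERY_KEYWORDS):
    """Return one Match per line containing any keyword.

    Sigma string keywords match case-insensitively as substrings, so the
    comparison lowercases the line and stops at the first keyword that hits.
    """
    matches = []
    for n, line in enumerate(log_lines, start=1):
        lowered = line.lower()
        for kw in keywords:
            if kw in lowered:
                matches.append(Match(n, kw, line))
                break  # one hit per line is enough for a keyword rule
    return matches


_USER_RE = re.compile(r"\buser=(\S+)")


def count_by_user(matches):
    """Aggregate hits per user; a low-level rule is more useful as a count than as
    individual alerts, since admins legitimately run single 'show' commands."""
    counts = Counter()
    for m in matches:
        found = _USER_RE.search(m.line)
        counts[found.group(1) if found else "<unknown>"] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_discovery_commands(SAMPLE_LOG)
    for h in hits:
        print(f"line {h.line_no}: keyword '{h.keyword}' in: {h.line}")
    print("hits per user:", count_by_user(hits))
```

Lines 2 and 5 do not match because 'show interface status' and 'configure terminal' are not in the page's keyword list; line 3 matches despite upper case, mirroring Sigma's default case-insensitive string matching.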
Categories
  • Network
  • Infrastructure
Data Sources
  • Network Traffic
  • Process
Created: 2019-08-12