🚀 Key Highlights
- 🤖 Cisco Catalyst SD-WAN Analytics:
Introduced a new analytic story for Cisco Catalyst SD-WAN focused on identifying anomalous control-plane relationships across vManage, vSmart, and edge devices. By leveraging telemetry related to control-connection state changes, peer identity, public IP associations, and system roles, this release detects rare or unexpected peer interactions that may signal misconfigurations, unauthorized infrastructure, or adversary presence within SD-WAN environments. New detections — Cisco SD-WAN Low Frequency Rogue Peer and Cisco SD-WAN Peering Activity — provide visibility into suspicious control-plane communications and abnormal peering patterns that deviate from established network baselines.
New Analytic Story - [1]
New Analytics - [3]
- Cisco SD-WAN - Low Frequency Rogue Peer
- Cisco SD-WAN - Peering Activity
- Curl Execution with Percent Encoded URL
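The SD-WAN highlight above describes baselining which control-plane peers talk to each other, in which system role, and from which public IP, then flagging pairs that are rare, unknown, or inconsistent with the inventory. The following Python is an added illustration of that logic run over constructed telemetry; it is not the release's own SPL searches, and the field names (`local_ip`, `peer_ip`, `peer_role`, `public_ip`, `state`), the inventory and the sample events are assumptions rather than the vManage schema.

```python
"""Low-frequency / rogue peer detection over SD-WAN control-connection events.

Added illustration, not Splunk's SPL detection. Field names, the inventory
and the events are constructed for the example.
"""
from collections import Counter, defaultdict

# Constructed inventory of expected control-plane infrastructure: system IP -> role.
INVENTORY = {
    "10.0.0.1": "vmanage",
    "10.0.0.2": "vsmart",
    "10.0.0.3": "vedge",
    "10.0.0.4": "vedge",
}


def _event(local, peer, peer_role, public_ip, state="up"):
    """Build one control-connection state-change record (assumed field names)."""
    return {"local_ip": local, "local_role": INVENTORY.get(local, "unknown"),
            "peer_ip": peer, "peer_role": peer_role,
            "public_ip": public_ip, "state": state}


# Constructed sample window: routine churn between known nodes plus three anomalies.
SAMPLE_EVENTS = (
    [_event("10.0.0.1", "10.0.0.2", "vsmart", "203.0.113.2")] * 5
    + [_event("10.0.0.2", "10.0.0.3", "vedge", "203.0.113.3")] * 4
    + [_event("10.0.0.2", "10.0.0.4", "vedge", "203.0.113.4")] * 3
    # anomaly 1: a known edge reappears behind a different public IP
    + [_event("10.0.0.2", "10.0.0.3", "vedge", "198.51.100.9")]
    # anomaly 2: a peer the inventory does not know, seen once
    + [_event("10.0.0.2", "10.0.0.99", "vedge", "198.51.100.7")]
    # anomaly 3: a known edge now presenting itself to vManage as a vSmart
    + [_event("10.0.0.1", "10.0.0.4", "vsmart", "203.0.113.4")]
)


def peer_pair_counts(events):
    """Baseline of who talks to whom, as what: counts of (local, peer, peer_role)."""
    return Counter((e["local_ip"], e["peer_ip"], e["peer_role"]) for e in events)


def low_frequency_pairs(events, threshold=2):
    """Peer relationships seen fewer than `threshold` times in the window."""
    return sorted(p for p, n in peer_pair_counts(events).items() if n < threshold)


def rogue_pairs(events, inventory):
    """Pairs whose peer is not inventoried or claims a role other than its inventoried one."""
    out = set()
    for e in events:
        expected = inventory.get(e["peer_ip"])
        if expected is None or expected != e["peer_role"]:
            out.add((e["local_ip"], e["peer_ip"], e["peer_role"]))
    return sorted(out)


def public_ip_changes(events):
    """Peers observed with more than one public IP within the window."""
    seen = defaultdict(set)
    for e in events:
        seen[e["peer_ip"]].add(e["public_ip"])
    return {ip: sorted(v) for ip, v in seen.items() if len(v) > 1}


def findings(events, inventory, threshold=2):
    """Combine the three checks into one list of flagged peer relationships with reasons."""
    rare = set(low_frequency_pairs(events, threshold))
    rogue = set(rogue_pairs(events, inventory))
    moved = public_ip_changes(events)
    result = []
    for pair in sorted(peer_pair_counts(events)):
        reasons = []
        if pair in rare:
            reasons.append("low_frequency")
        if pair in rogue:
            reasons.append("rogue_peer")
        if pair[1] in moved:
            reasons.append("public_ip_change")
        if reasons:
            result.append({"local_ip": pair[0], "peer_ip": pair[1],
                           "peer_role": pair[2], "reasons": reasons})
    return result


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS, INVENTORY):
        print(f)
```

In a real deployment the baseline window would be much longer than the flagging window, so that a relationship is rare relative to weeks of history rather than relative to the events of the last hour; the threshold and the inventory source are the two knobs that tune false positives.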
Other Updates
- Added end-to-end YAML formatting/validation (yamlfmt + yamllint) via a new pre-commit hook and a CI “YAML Validation” job (validate_yaml.py), updated the docs, and auto-formatted all detections/analytics (including an initial SPL beautification using |- for readability).
- Updated multiple detections to better cover calc-related binaries by adding CalculatorApp.exe/win32calc.exe entries, fixed a LOLBAS network-traffic filter bug (All_Traffic.dest_ip), and enhanced the calc DLL side-loading rule metadata (including explicit WindowsCodecs.dll) to address issue #3916.