text code block:`cisco_ios` facility IN ("AAA", "HA_EM") mnemonic IN ("AAA_ACCOUNTING_MESSAGE", "LOG") message_text IN ("*ssh *", "*telnet *", "*ping *") | rex field=message_text "^\w+:(?<aaa_src>[^:@]+)(?:@[^:]*)?:(?<aaa_user>[^:]*):(?<aaa_command>.*?)(?:\s+\((?<aaa_result>SUCCESS|FAILURE)\))?$" | rex field=message_text "^(?:[^:]+:\s+)?(?:catchall:\s+)?(?<eem_command>.+?)\s*$" | eval command=lower(trim(coalesce(aaa_command, eem_command, ""))) | where match(command, "^(ssh|telnet|ping)\s+") | rex field=command "(?i)^(?:ssh(?:\s+-l\s+\S+)?|telnet|ping)\s+(?<target_ip>\d{1,3}(?:\.\d{1,3}){3})" | eval command_type=case(match(command, "^ssh\s+"), "ssh", match(command, "^telnet\s+"), "telnet", match(command, "^ping\s+"), "ping") | eval user=coalesce(aaa_user, user, "unknown") | eval src_ip=coalesce(aaa_src, src_ip, "unknown") | eval dest=coalesce(host, dvc, dest, "unknown") | bin _time span=10m | stats count as command_count min(_time) as firstTime max(_time) as lastTime dc(target_ip) as distinct_targets values(target_ip) as target_ips values(command_type) as command_types values(command) as commands by _time dest user src_ip | where command_count >= 8 OR distinct_targets >= 5 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_ios_xe_remote_access_probe_burst_filter`
View this rule on Splunk
This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).