From c534049be0ffb0c91fec2caee174719ea3a63fc9 Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 27 Apr 2026 20:52:34 +0530
Subject: [PATCH 1/2] adding new events
---
 datasets/cisco_secure_access/firewall/firewall.yml | 2 +-
 datasets/cisco_secure_access/ravpn/ravpn.yml | 14 ++++++++++++++
 .../ravpn/ravpn_high_auth_failures.log | 3 +++
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 datasets/cisco_secure_access/ravpn/ravpn.yml
 create mode 100644 datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log
diff --git a/datasets/cisco_secure_access/firewall/firewall.yml b/datasets/cisco_secure_access/firewall/firewall.yml
index b701f0e3..b3fc3364 100644
--- a/datasets/cisco_secure_access/firewall/firewall.yml
+++ b/datasets/cisco_secure_access/firewall/firewall.yml
@@ -30,4 +30,4 @@ datasets:
 - name: smb
 path: /datasets/cisco_secure_access/firewall/smb.log
 source: cisco_cloud_security_addon
- sourcetype: cisco:cloud_security:firewall
+ sourcetype: cisco:cloud_security:firewall
\ No newline at end of file
diff --git a/datasets/cisco_secure_access/ravpn/ravpn.yml b/datasets/cisco_secure_access/ravpn/ravpn.yml
new file mode 100644
index 00000000..13d74df7
--- /dev/null
+++ b/datasets/cisco_secure_access/ravpn/ravpn.yml
@@ -0,0 +1,14 @@
+author: Bhavin Patel, Splunk
+id: 8b2f4c1e-9a0d-4e8b-b7c3-1d2e3f4a5b6c
+date: '2026-04-27'
+description: |
+ Synthetic RAVPN authentication failure events (same client public IP) for detection testing.
+environment: custom
+directory: cisco_secure_access/ravpn
+mitre_technique:
+ - T1110
+datasets:
+ - name: ravpn_high_auth_failures
+ path: /datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log
+ source: not_applicable
+ sourcetype: cisco:secure_access:security_events_ravpn
diff --git a/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log b/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log
new file mode 100644
index 00000000..4c2dbb84
--- /dev/null
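Review bot: `source: not_applicable` on the new `ravpn_high_auth_failures` dataset entry diverges from the sibling firewall dataset in the first hunk of this patch, which uses `source: cisco_cloud_security_addon`; if the replay harness stamps events with this value and the RAVPN detection (not visible here) filters on `source`, the replayed events will never match, so please confirm the intended value or align it with the firewall entry. The `sourcetype` also uses a different namespace (`cisco:secure_access:security_events_ravpn` versus `cisco:cloud_security:firewall`), which may be deliberate for a different add-on but is worth confirming against the add-on's declared sourcetype. For a one-sentence value, `description: >-` would avoid the trailing newline that the literal `|` block keeps in the parsed string; the same `description: |` line is context in the second patch's hunk.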
+++ b/datasets/cisco_secure_access/ravpn/ravpn_high_auth_failures.log
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:97ad279dd45620c84cd4e51e25a5158c65d0d7a034e5f532bfc611fcff17391d
+size 47899
From dc1bb39352e6590f0479a42b2c0d6c937c7b907d Mon Sep 17 00:00:00 2001
From: Bhavin Patel
Date: Mon, 27 Apr 2026 20:54:22 +0530
Subject: [PATCH 2/2] updating dataset
---
 datasets/cisco_secure_access/ravpn/ravpn.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/datasets/cisco_secure_access/ravpn/ravpn.yml b/datasets/cisco_secure_access/ravpn/ravpn.yml
index 13d74df7..cdb5484e 100644
--- a/datasets/cisco_secure_access/ravpn/ravpn.yml
+++ b/datasets/cisco_secure_access/ravpn/ravpn.yml
@@ -2,7 +2,7 @@ author: Bhavin Patel, Splunk
 id: 8b2f4c1e-9a0d-4e8b-b7c3-1d2e3f4a5b6c
 date: '2026-04-27'
 description: |
- Synthetic RAVPN authentication failure events (same client public IP) for detection testing.
+ This dataset is based on the Cisco Secure Access RAVPN security event schema and the data here is generated from various simulated activities in a controlled lab environment.
 environment: custom
 directory: cisco_secure_access/ravpn
 mitre_technique:
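Review bot: The replacement description line drops the one concrete fact a detection author needs from this file — that the events are repeated authentication failures from a single client public IP — which is exactly the scenario the dataset name `ravpn_high_auth_failures` and the `T1110` tag in the surrounding context imply; "various simulated activities" says nothing about what the log contains. Keep the schema/lab provenance but restore the scenario, e.g. `Cisco Secure Access RAVPN security events generated in a controlled lab: repeated authentication failures from a single client public IP, for detection testing.` If the generated data is in fact broader than auth failures, the file and dataset names should say so instead.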