Network Visibility Module Detection Migration Guide
Network Visibility Module (NVM) alerts are migrating from Secure Cloud Analytics to Cisco XDR. You can now configure your NVM detections, view NVM telemetry and generated detections, and configure notifications in Cisco XDR. This guide provides information on the updated NVM detection names, deprecated NVM alerts, and how to view NVM data in Cisco XDR.
Note: After the migration, you will not be able to view new NVM alert data in Secure Cloud Analytics. To view similar data in Cisco XDR, use the Detections and Activities pages.
The following NVM alerts have been renamed in Cisco XDR. Where one Secure Cloud Analytics alert maps to several Cisco XDR detections (typically one per operating system), every new name is listed:

| NVM Alert Name in Secure Cloud Analytics | New NVM Detection Name in Cisco XDR |
|---|---|
| ADExplorer Domain Discovery | Windows Sysinternals Utility Active Directory Explorer Network Connection |
| Base64 Encoding Detected | Windows PowerShell Arguments Contained Base64 Encoded String<br>macOS Terminal Command Included Base64 Encoded String |
| Certify Active Directory CS Enumeration | Windows Utility Certify Executed |
| Cloud Metadata Service Credential Access | Cloud Instance Metadata Service Request |
| Command-Line Arguments Associated with AdFind Execution | Windows Command-Line Arguments Associated with AdFind |
| Connection to Raw Public IP Address | Windows Utility PowerShell Hidden Connection to Public IP |
| Connection to TOR IP Address | Windows Device Connected to TOR Exit Node<br>macOS Device Connected to TOR Exit Node |
| Content Download Using Powershell | Windows PowerShell Used To Download and Execute File |
| Data Exfiltration using rclone | Windows Application Rclone Transferred Data Outbound |
| DC Sync Attack Behavior | Windows Technique DC Sync Executed |
| DLL File Connected to a Raw IP Address | Windows Process Executing a DLL File Connected to a Raw IP Address |
| Download of Executable Files using WebDAV | Windows Download of Executable Files using WebDAV |
| Email Attachment Tool Transfer | Windows Email Attachment Tool Transfer |
| Endpoint Exfiltration of AWS Credentials | Windows Endpoint Amazon Web Services Credential Access |
| Execution of AdFind Binary for Discovery | Windows Application AdFind Executed |
| Exploitation of Web Shell through CVE-2025-31324 | Windows Shell Executed via SAP NetWeaver Web Paths |
| GoodSync Utilized for Outbound File Transfer | Windows Application GoodSync Utilized for Outbound File Transfer |
| Installation of NinjaRMM through MSI Package | Windows MSI Package Used to Install NinjaRMM |
| Kerberos Relay Attempt Using KrbRelayUp | Windows Kerberos Relay Attempt Using KrbRelayUp |
| LDAP Connection from Anomalous Process | Windows Device Communicated on LDAP Port |
| Long Lasting Network Connection from a System Binary | Windows Long Lasting Network Connection from a System Binary |
| Malicious Process Detected | Implemented outside the Sigma rule repo as an engine capability |
| MSIExec Quiet Content Download | Windows Utility Msiexec Ran Quiet Install from Remote Host |
| Network Connection made by NetCat on macOS | macOS Network Connection made by NetCat |
| Network Connection made by NetCat on Windows | Windows Utility NetCat Initiated a Network Connection |
| Network Traffic Observed from Service Host Child Process | Windows Network Traffic Observed from Service Host Child Process |
| New Active Directory Hidden User Account Added | Windows Active Directory Hidden User Added |
| NinjaRMM Spawning an Interactive Shell | Windows Interactive Shell Spawned Via NinjaRMM |
| NSCurl Download Activity | macOS Utility NSCurl Download Activity |
| NTLM Relay Exploitation via Inveigh | Windows Network Connection Initiated by Inveigh |
| Outbound File Transfer using Renamed Rclone | Windows Utility Not Named RClone Executed with RClone Arguments |
| Outbound File Transfer using S3 Browser | Windows Process S3Browser Transferred Data Outbound |
| Pass the Hash Attempt | Windows Utility Impacket Command Line Parameters Executed |
| Potential AWS CLI Exfiltration | Windows Device Used to Transfer Data to Amazon S3 |
| Potential Data Exfiltration using curl | Windows Process curl Transferred Data Outbound<br>macOS Process curl Transferred Data Outbound |
| Potential Discord Command and Control | Windows Process Connected to Discord |
| Potential Enterprise Chat Command and Control | Windows Unusual Client Communicated with Slack API<br>Windows Unusual Client Communicated with Webex API |
| Potential Exfiltration to Azure Storage | Windows Device Transferred Data to Azure Storage |
| Potential Lateral Movement through PsExec | Windows Sysinternals Utility PsExec Network Connection |
| Potential Lateral Movement through Runas | Windows Service RunAs Spawned a Process with a Different User |
| Potential Lateral Movement via DCOM MMC Execution | Windows Utility Microsoft Management Console Remotely Spawned |
| Potential LOLBin Download Activity | Windows System Utility Transferred Data Inbound |
| Potential Misuse of the PuTTY Secure Copy Client | Windows Application PuTTY Secure Copy Client Transferred Data |
| Potential Windows Management Instrumentation Lateral Movement | Windows Management Instrumentation Spawned a Process<br>Windows Management Instrumentation Command-line Initiated Connection |
| PowerSharpPack Activity | Windows Network Connection Initiated by SharpView<br>Windows Network Connection Initiated by Group3r<br>Windows Network Connection Initiated by Seatbelt<br>Windows Network Connection Initiated by Rubeus<br>Windows Network Connection Initiated by SharpSpray<br>Windows Network Connection Initiated by SharpShares<br>Windows Network Connection Initiated by SharpSniper |
| Powershell Commands Executed in Non-PowerShell Parent Process | Windows PowerShell Commands Executed in Non-PowerShell Parent Process |
| Powershell Commands Executed in Non-PowerShell Processes | Windows PowerShell Commands Executed in Non-PowerShell Process |
| Powershell RDP Connection | Windows PowerShell RDP Connection |
| Powershell WinRM Connection | Windows PowerShell WinRM Connection |
| Quick Assist Executed via Uniform Resource Indicator | Windows Quick Assist Executed via Uniform Resource Indicator |
| Renamed Command Prompt Execution on Windows | Windows Command Prompt Renamed |
| Residential Proxy Application Utilized | Windows Application Infatica Internal Network Connection<br>Windows Application Infatica Control Channel Network Connection |
| SharpShares Network Discovery | Windows Network Connection Initiated by SharpShares |
| Silent Uninstalling of Security Tools | Windows Security Tool Uninstalled using Silent Command Line Arguments |
| SMB Traffic Initiated From a Command Interpreter | Windows Command Line Interpreter Connected on Port 445 |
| SSH Remote Port Forwarding | Windows SSH Remote Port Forwarding |
| Suspicious Active Directory Certificate Request | Windows Device Requested an Active Directory Certificate |
| Suspicious AnyDesk Execution | Windows Utility AnyDesk Executed<br>macOS Utility AnyDesk Executed |
| Suspicious Download from Temporary File Service | Windows Device Connected to Temporary Sharing Site |
| Suspicious File Download Observed on Process Arguments | Windows File Download Observed on Process Arguments<br>macOS File Download Observed on Process Arguments |
| Suspicious MSHTA Activity | Windows Utility MSHTA Executed Interactively |
| Suspicious Process Executed | Windows Third Party Tool Metasploit Executed |
| Suspicious Process Path | Windows Process Executed in Non-Executable Directory |
| Suspicious Request to Telegram | Windows Application other than Telegram Connected to Telegram |
| Suspicious Shared Library Load Locations | Windows Shared Library Executed Outside Standard Locations |
| Suspicious Use of Discovery Tools | Windows Network Discovery Utility Executed<br>macOS Network Discovery Utility Executed |
| Suspicious Use of the ADWS Protocol | Windows Network Traffic via Active Directory Web Services Port |
| Unusual Encoding on Command Line | Windows PowerShell Arguments Contained Base64 Encoded String<br>macOS Terminal Command Included Base64 Encoded String |
| Use of a System Text Editor for Execution | Windows System Text Editor Initiated a Network Connection |
| Use of Environment Variables for Payload Execution | Windows PowerShell Environment Variable Utilized |
| VBS Script Connected to a Raw Public IP | Windows VBS Script Connected to Public IP Address |
| Web Browser Initiated Script Execution with an External IP | Windows Browser Spawned Script With External Network Connection<br>macOS Browser Spawned Script With External Network Connection |
| WinRM Connection | Windows Device Connected via WinRM |
The following NVM alerts have been deprecated in Cisco XDR and have no replacement detection:

- Executions of File from Recycle Bin
- Potential Gamaredon C2 Callout
- Potential GhostPulse Malware C2
- Potential System Process Impersonation
- Suspicious Curl Behavior
- System Binary Executed from an Unusual Location
- Cloud Spreadsheet API C2 Channel
- Potential Misuse of the Dropbox API for Exfiltration
- LDAP Brute Force Attempt
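Saved filters, notification rules and playbooks built against the old alert names need to be rebuilt against the new detection names, and a rename table with one-to-many rows and a separate deprecation list is easy to get wrong by hand. As an added example (not Cisco's code and not a Cisco API), the Python helper below classifies every legacy name a rule references as renamed, deprecated or unrecognised, keeps one-to-many renames intact, and produces the flat list of Cisco XDR detection names to put in the new rule. The mapping embedded in it is an excerpt of the table and list above, not the complete set, and the class and function names are assumptions.

```python
"""Translate legacy Secure Cloud Analytics NVM alert names to Cisco XDR detection names.

Added example. RENAMED and DEPRECATED are an excerpt of this guide's table and list;
extend them with the remaining rows before using the helper on a real rule set.
"""
from dataclasses import dataclass, field

# Excerpt of the rename table. Cells that list several XDR detections are kept
# as tuples so a one-to-many rename is preserved rather than flattened.
RENAMED = {
    "Base64 Encoding Detected": (
        "Windows PowerShell Arguments Contained Base64 Encoded String",
        "macOS Terminal Command Included Base64 Encoded String",
    ),
    "Connection to TOR IP Address": (
        "Windows Device Connected to TOR Exit Node",
        "macOS Device Connected to TOR Exit Node",
    ),
    "Data Exfiltration using rclone": ("Windows Application Rclone Transferred Data Outbound",),
    "DC Sync Attack Behavior": ("Windows Technique DC Sync Executed",),
    "Pass the Hash Attempt": ("Windows Utility Impacket Command Line Parameters Executed",),
    "Powershell RDP Connection": ("Windows PowerShell RDP Connection",),
    "Suspicious MSHTA Activity": ("Windows Utility MSHTA Executed Interactively",),
    "WinRM Connection": ("Windows Device Connected via WinRM",),
}

# Excerpt of the deprecated list: these alerts have no XDR successor.
DEPRECATED = {
    "Executions of File from Recycle Bin",
    "Potential Gamaredon C2 Callout",
    "Suspicious Curl Behavior",
    "LDAP Brute Force Attempt",
}


def _key(name: str) -> str:
    # Legacy names vary in capitalisation ("Powershell" vs "PowerShell") and
    # whitespace across exports, so compare a normalised form.
    return " ".join(name.split()).casefold()


_RENAMED_BY_KEY = {_key(k): v for k, v in RENAMED.items()}
_DEPRECATED_KEYS = {_key(k) for k in DEPRECATED}


@dataclass
class MigrationReport:
    """Outcome of translating one rule's alert names (hypothetical type)."""
    translated: dict = field(default_factory=dict)  # old name -> tuple of new names
    deprecated: list = field(default_factory=list)  # old names with no successor
    unknown: list = field(default_factory=list)     # names in neither table


def migrate_alert_names(old_names) -> MigrationReport:
    """Classify each legacy alert name referenced by a saved filter or notification rule."""
    report = MigrationReport()
    for name in old_names:
        key = _key(name)
        if key in _RENAMED_BY_KEY:
            report.translated[name] = _RENAMED_BY_KEY[key]
        elif key in _DEPRECATED_KEYS:
            report.deprecated.append(name)
        else:
            report.unknown.append(name)  # custom or misspelled; needs a human look
    return report


def xdr_detection_names(old_names) -> list:
    """Flat, de-duplicated list of XDR detection names for the rebuilt rule.

    De-duplication matters because two legacy alerts can map to the same
    XDR detection (e.g. the two Base64 alerts in the table above).
    """
    seen, out = set(), []
    for new_names in migrate_alert_names(old_names).translated.values():
        for n in new_names:
            if n not in seen:
                seen.add(n)
                out.append(n)
    return out


if __name__ == "__main__":
    # Constructed sample: names as they might appear in an old notification rule.
    rule = ["Base64 Encoding Detected", "powershell rdp connection",
            "Suspicious Curl Behavior", "Some Custom Alert"]
    report = migrate_alert_names(rule)
    print("translated:", report.translated)
    print("deprecated:", report.deprecated)
    print("unknown:", report.unknown)
    print("new rule names:", xdr_detection_names(rule))
```

Deprecated names are reported rather than silently dropped so that the coverage each rule loses is visible during the migration, and unrecognised names are reported separately because they usually indicate a custom alert or a typo rather than a table gap.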
The ability to view and configure NVM alert priorities in Secure Cloud Analytics has moved to Cisco XDR. To configure NVM detections in Cisco XDR, choose Administration > Detection Settings in the navigation menu to view the detection settings for Cisco XDR native sources. Click the Telemetry source drop-down list and check the Cisco NVM check box to show only NVM detections in the table. For each detection you can then choose whether it is included in incident correlation and whether it is automatically promoted to an incident. For more information, go to the Detection Settings topic.
Note: Existing settings configured for NVM alerts on the Alert Priorities page in Secure Cloud Analytics have been migrated to the Detection Settings page. While the detections are still being migrated from Secure Cloud Analytics, the Detection Settings page may appear empty.
The ability to view NVM flows in the Secure Cloud Analytics Event Viewer has moved to Cisco XDR. To view NVM network activity in Cisco XDR, choose Investigate > Activities. Click Filters, then click the Source drop-down list and check the Cisco NVM check box to show only NVM network activities. The table shows the start and end time, IP addresses, ports, and other fields of the NVM telemetry. For more information, go to the Activities topic.
The ability to view generated NVM alerts in Secure Cloud Analytics has moved to Cisco XDR. To view NVM detections generated by Cisco XDR, choose Incidents > Detections in the navigation menu to view the security events from Cisco XDR native sources and integrated products. Click the Source drop-down list and check the Cisco XDR check box to filter the detections by Cisco XDR native sources. You can also use the Search field to filter by specific NVM detection names. For more information, go to the Detections topic.
The ability to create webhook notifications in Secure Cloud Analytics for NVM has moved to Cisco XDR. To set up similar notifications, use the Export XDR Detection Findings workflow in Automate. To install the workflow, choose Automate > Exchange in the navigation menu and search for the specific workflow that exports to your external product. You can also duplicate and customize the workflow for your specific requirements. For more information, go to Exporting XDR Detection Findings in the Cisco XDR API documentation.