Secure Cloud Analytics Release Notes

Google Cloud Platform Integration Update: The Google Cloud Platform integration has been moved to Cisco XDR. Cisco XDR consumes network traffic data, including Virtual Private Cloud (VPC) flow logs, from your GCP public cloud network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Cisco XDR consumes VPC flow logs directly from your GCP account using Workload Identity Federation (WIF) credentials. If you have an existing Google Cloud Platform integration, you will continue to ingest the configured Virtual Private Cloud (VPC) flow logs. However, you will not be able to update your GCP service account credentials using the Secure Cloud Analytics portal. We recommend moving your GCP integration configuration to Cisco XDR to take advantage of the Workload Identity Federation (WIF) credentials, and then deleting the integration in Secure Cloud Analytics to avoid duplicate data ingestion. For more information, see the Google Cloud Platform Integration topic.

Potential Data Exfiltration using curl Alert: This new alert indicates the curl application was observed being used in a suspicious way. While curl is a legitimate tool for transferring data over HTTP, HTTPS, or FTP, it is often abused by attackers to send files or sensitive information externally. This behavior may suggest unauthorized data transfer. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

SSH Remote Port Forwarding Alert: This new alert indicates a Secure Shell (SSH) connection established remote port forwarding with an external remote host. SSH remote port forwarding, also known as reverse tunneling, allows a remote host to connect to a port on the client establishing the connection, effectively tunneling traffic back through the SSH connection to the client. This can be used to create a backdoor into a network, bypassing firewalls and allowing the remote host to access internally networked systems through the client. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Use of a System Text Editor for Execution Alert: This new alert indicates a system text editor was detected utilizing an executable and making a network connection which is not normal behavior. Notepad is a legitimate tool commonly used to edit text files, but not to run binaries, scripts, or other executables. Threat actors have been known to rename legitimate utilities to perform to evade detection. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.

Web Browser Initiated Script Execution with an External IP Alert: This new alert indicates a web browser has initiated a script execution process that is communicating with a remote host. While web browsers are equipped to execute scripts, the launch of a script execution process that connects to a remote host is considered atypical. This unusual activity is sometimes leveraged by threat actors for execution purposes. This alert requires Cisco AnyConnect Secure Mobility Client Network Visibility Module (NVM) and is disabled by default.