KQL Query Preview
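// Threat: Cisco Catalyst SD-WAN Manager: Two Additional CVEs Confirmed Exploited, Campaign
//
// Purpose: list sensor-covered hosts that made a network request to one of the
// SD-WAN Manager REST paths published as indicators for this campaign, and tag
// each row with how specific the matched path is so triage starts with the
// hits that are least likely to be routine administration.
//
// Caveats:
//  - has_any works on indexed terms and splits on '/', so the bare entry
//    "/dataservice/" reduces to the term "dataservice" and matches every
//    request under that API base. Keeping it preserves the published
//    coverage, but it is why most rows will land in the "Low" tier; drop it
//    or raise the Confidence filter once the environment's baseline is known.
//  - DeviceNetworkEvents only records hosts that run a sensor. This finds
//    clients talking to a Manager, not activity on the Manager itself.
let malicious_urls = dynamic(["/dataservice/disasterrecovery/download/token", "/dataservice/client/server", "/dataservice/", "/dataservice/settings/configuration/", "/dataservice/template/", "/dataservice/admin/user"]);
// Most specific path in the indicator set; treated as the high-fidelity signal.
let high_fidelity_path = "/dataservice/disasterrecovery/download/token";
// Account-management endpoint; less routine than template/config reads.
let medium_fidelity_path = "/dataservice/admin/user";
DeviceNetworkEvents
| where Timestamp > ago(30d)
| where RemoteUrl has_any (malicious_urls)
// contains is a plain case-insensitive substring test, so it keeps the '/'
// boundaries that has_any discards; used only for the tiering, not the filter.
| extend Confidence = case(
    RemoteUrl contains high_fidelity_path, "High",
    RemoteUrl contains medium_fidelity_path, "Medium",
    "Low")
| project Timestamp, DeviceName, RemoteUrl, RemoteIP, RemotePort, ActionType,
    InitiatingProcessFileName, InitiatingProcessCommandLine, Confidence
| sort by Timestamp desc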