Detects unauthorized or anomalous use of the command-line interface (CLI) on network devices. Focuses on remote access sessions (e.g., SSH/Telnet), privilege escalation within a CLI session, execution of high-risk commands (e.g., config replace, terminal monitor, no logging), and configuration changes made outside approved maintenance windows.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | networkdevice:syslog | command_exec |
| Network Traffic Content (DC0085) | NSM:Flow | remote CLI session detection |
| User Account Authentication (DC0002) | networkdevice:syslog | authorization/accounting logs |

| Field | Description |
|---|---|
| TimeWindow | Config changes made outside of maintenance windows are more suspicious. |
| UserContext | Unexpected CLI activity by service accounts or users not assigned to manage network devices. |
| CommandPattern | Regex or keyword match on dangerous or unusual commands (e.g., 'no logging', 'reload', 'copy tftp', 'config replace'). |
| SourceIP | Remote CLI sessions originating from untrusted networks or from hosts other than the approved jump hosts. |
| SessionDuration | Abnormally short or long SSH/Telnet CLI sessions compared to baseline. |
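The following Python is an added example, not code from this page or from any detection platform: it runs the five mutable-element checks above (TimeWindow, UserContext, CommandPattern, SourceIP, SessionDuration) over a few constructed syslog lines and returns one alert per check that fires. The sample lines approximate Cisco IOS syslog mnemonics (LOGIN_SUCCESS, CFGLOG_LOGGEDCMD, CONFIG_I, LOGOUT), which is an assumption about the device format; the allow-lists, maintenance window, session baseline and log year are hypothetical values that a real deployment would replace with its own.

```python
import re
from datetime import datetime, time

# Tunable values for the page's mutable fields. All of these are assumptions
# chosen for the example, not settings from a real environment.
DANGEROUS_CMDS = re.compile(
    r"\b(no logging|reload|copy tftp|config(?:ure)? replace|terminal monitor)\b", re.I)
MAINTENANCE_WINDOW = (time(22, 0), time(23, 59))  # approved change window (device local time)
NET_ADMINS = {"netops1", "netops2"}               # accounts expected to manage devices
APPROVED_SOURCES = {"10.10.0.5", "10.10.0.6"}     # approved jump hosts
SESSION_BASELINE = (60, 3600)                      # expected SSH/Telnet session length, seconds
LOG_YEAR = 2024                                    # syslog timestamps carry no year; assumed

# Constructed sample lines approximating Cisco IOS syslog mnemonics (an assumption;
# adapt the regexes below to the vendor format actually in use).
SAMPLE_LOG = """\
Mar 12 14:02:11 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: svc-backup] [Source: 203.0.113.9] [localport: 22]
Mar 12 14:02:15 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:svc-backup  logged command:no logging console
Mar 12 14:02:19 rtr1 %SYS-5-CONFIG_I: Configured from console by svc-backup on vty0 (203.0.113.9)
Mar 12 14:02:20 rtr1 %SYS-6-LOGOUT: User svc-backup has exited tty session 2(203.0.113.9)
Mar 12 22:15:40 rtr1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netops1] [Source: 10.10.0.5] [localport: 22]
Mar 12 22:16:02 rtr1 %PARSER-5-CFGLOG_LOGGEDCMD: User:netops1  logged command:interface GigabitEthernet0/1
Mar 12 22:20:30 rtr1 %SYS-6-LOGOUT: User netops1 has exited tty session 3(10.10.0.5)
"""

HEADER_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (%\S+): (.*)$")
LOGIN_RE = re.compile(r"\[user: ([^\]]+)\] \[Source: ([^\]]+)\]")
CMD_RE = re.compile(r"User:(\S+)\s+logged command:(.*)")
CONFIG_RE = re.compile(r"Configured from \S+ by (\S+) on")
LOGOUT_RE = re.compile(r"User (\S+) has exited tty session \d+\(([^)]+)\)")


def parse_line(line):
    """Split one syslog line into timestamp, host, mnemonic and message body."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group(2), "mnemonic": m.group(3), "msg": m.group(4)}


def in_maintenance_window(t):
    start, end = MAINTENANCE_WINDOW
    return start <= t <= end


def analyze(log_text):
    """Return (timestamp, field, detail) alerts, one per mutable-element check that fires."""
    alerts = []
    open_sessions = {}  # (user, source_ip) -> login timestamp, for SessionDuration
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, msg, mnemonic = ev["ts"], ev["msg"], ev["mnemonic"]

        if mnemonic == "%SEC_LOGIN-5-LOGIN_SUCCESS":      # User Account Authentication
            user, src = LOGIN_RE.search(msg).groups()
            open_sessions[(user, src)] = ts
            if src not in APPROVED_SOURCES:
                alerts.append((ts, "SourceIP", f"{user} logged in from unapproved source {src}"))
            if user not in NET_ADMINS:
                alerts.append((ts, "UserContext", f"CLI login by account not assigned to network management: {user}"))

        elif mnemonic == "%PARSER-5-CFGLOG_LOGGEDCMD":    # Command Execution
            user, cmd = CMD_RE.search(msg).groups()
            cmd = cmd.strip()
            if DANGEROUS_CMDS.search(cmd):
                alerts.append((ts, "CommandPattern", f"{user} ran high-risk command '{cmd}'"))

        elif mnemonic == "%SYS-5-CONFIG_I":                # configuration change committed
            user = CONFIG_RE.search(msg).group(1)
            if not in_maintenance_window(ts.time()):
                alerts.append((ts, "TimeWindow", f"{user} changed configuration outside the maintenance window"))

        elif mnemonic == "%SYS-6-LOGOUT":                  # session end, compare against baseline
            user, src = LOGOUT_RE.search(msg).groups()
            started = open_sessions.pop((user, src), None)
            if started is not None:
                seconds = (ts - started).total_seconds()
                low, high = SESSION_BASELINE
                if not low <= seconds <= high:
                    alerts.append((ts, "SessionDuration", f"{user} session from {src} lasted {seconds:.0f}s"))
    return alerts


if __name__ == "__main__":
    for ts, field, detail in analyze(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S}  {field:16} {detail}")
```

On the constructed input the svc-backup session trips all five checks (unapproved source, non-admin account, a `no logging` command, a config commit at 14:02 outside the 22:00 window, and a 9-second session below baseline), while the netops1 session from an approved jump host inside the window produces nothing. The per-message regexes assume the messages are well-formed; a production version should tolerate unmatched bodies rather than raise, and the logout-to-login pairing should be keyed on whatever session identifier the device actually emits.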