Defenders may observe adversary attempts to extract configuration data from management repositories by monitoring for anomalous SNMP queries, API calls, or protocol requests (e.g., NETCONF, RESTCONF) that enumerate system configuration. Suspicious patterns include repeated queries from source addresses outside the expected administrative ranges, query types that request sensitive configuration data, or repository access outside normal administrative maintenance windows. Abnormal authentication attempts (such as failed or unexpected SNMP community strings), sudden enumeration of device inventory, or bulk transfer of configuration files may also be observed.

| Data Component | Name | Channel |
|---|---|---|
| Network Connection Creation (DC0082) | NSM:Flow | Unexpected or unauthorized inbound connections to SNMP, NETCONF, or RESTCONF services |
| Network Traffic Content (DC0085) | networkdevice:syslog | Authentication failures or unusual community string usage in SNMP queries |

| Field | Description |
|---|---|
| AuthorizedAdminIPs | Expected IP ranges or hosts permitted to query configuration repositories; deviations may indicate compromise. |
| NormalAccessTimeWindow | Time periods when configuration queries normally occur; anomalies outside these windows may be suspicious. |
| QueryVolumeThreshold | Number of queries allowed within a given period before an anomaly is triggered. |
| ProtocolUsageBaseline | Expected usage of SNMP, NETCONF, or RESTCONF; deviations from baseline patterns may indicate misuse. |
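The following is an added example, not part of the original page, showing how the four tunable fields above and the syslog channel can be turned into concrete detection logic. It runs the checks over a handful of constructed syslog-style records; the record format, the `CONFIG` values, and the extra `ExpectedCommunityStrings` field are assumptions for the example, and real devices log in their own formats.

```python
import re
from collections import Counter
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Tunables mirroring the fields in the table above. The values are
# assumptions chosen for this example, not a recommended baseline.
CONFIG = {
    "AuthorizedAdminIPs": ["10.0.1.0/24"],
    "NormalAccessTimeWindow": (time(8, 0), time(18, 0)),  # [start, end) local time
    "QueryVolumeThreshold": 3,                             # queries per source per run
    "ProtocolUsageBaseline": {"SNMP", "NETCONF"},          # RESTCONF is not expected here
    "ExpectedCommunityStrings": {"netmon-ro"},             # assumed read-only community
}

# Hypothetical syslog-style record (constructed for this example; real devices
# emit different formats):
#   <ISO timestamp> src=<ip> proto=<SNMP|NETCONF|RESTCONF> op=<operation>
#   result=<ok|auth-fail> [community=<string>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+) op=(?P<op>\S+) "
    r"result=(?P<result>\S+)(?: community=(?P<community>\S+))?$"
)

# Constructed sample: two routine queries from an admin host, then a burst of
# off-hours enumeration from an address outside the admin range.
SAMPLE_LOGS = [
    "2024-03-12T09:15:01 src=10.0.1.5 proto=SNMP op=GET result=ok community=netmon-ro",
    "2024-03-12T09:15:02 src=10.0.1.5 proto=NETCONF op=get-config result=ok",
    "2024-03-12T02:40:10 src=203.0.113.9 proto=SNMP op=GETBULK result=auth-fail community=public",
    "2024-03-12T02:40:11 src=203.0.113.9 proto=SNMP op=GETBULK result=auth-fail community=private",
    "2024-03-12T02:40:12 src=203.0.113.9 proto=SNMP op=GETBULK result=ok community=netmon-ro",
    "2024-03-12T02:40:13 src=203.0.113.9 proto=RESTCONF op=GET result=ok",
    "2024-03-12T02:40:14 src=203.0.113.9 proto=NETCONF op=get-config result=ok",
]


def parse(line):
    """Return a dict for one record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines, config=CONFIG):
    """Apply the baseline checks to each record and return a list of findings.

    Each finding is (rule, src, detail). Per-event rules fire once per record;
    the volume rule fires once per source that exceeds the threshold.
    """
    nets = [ip_network(n) for n in config["AuthorizedAdminIPs"]]
    start, end = config["NormalAccessTimeWindow"]
    findings = []
    per_source = Counter()

    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as alerts
        src, proto = rec["src"], rec["proto"]
        per_source[src] += 1

        if not any(ip_address(src) in net for net in nets):
            findings.append(("unauthorized_source", src, f"{src} not in AuthorizedAdminIPs"))
        if not (start <= rec["ts"].time() < end):
            findings.append(("off_hours_access", src, rec["ts"].isoformat()))
        if proto not in config["ProtocolUsageBaseline"]:
            findings.append(("unbaselined_protocol", src, proto))
        if rec["result"] == "auth-fail":
            findings.append(("auth_failure", src, f"{proto} {rec['op']}"))
        community = rec.get("community")
        if community and community not in config["ExpectedCommunityStrings"]:
            findings.append(("unusual_community", src, community))

    for src, n in per_source.items():
        if n > config["QueryVolumeThreshold"]:
            findings.append(("query_volume", src, f"{n} queries > threshold"))
    return findings


def summarize(findings):
    """Count findings by (source, rule) so a triager sees one row per pair."""
    return Counter((src, rule) for rule, src, _ in findings)


if __name__ == "__main__":
    for (src, rule), n in sorted(summarize(analyze(SAMPLE_LOGS)).items()):
        print(f"{src:<14} {rule:<22} {n}")
```

The admin host at 10.0.1.5 produces no findings, while the external address trips every rule: it is outside `AuthorizedAdminIPs`, queries outside the access window, fails authentication with the guessed community strings `public` and `private`, uses RESTCONF although only SNMP and NETCONF are baselined, and exceeds `QueryVolumeThreshold`. In practice the volume rule should be evaluated per time bucket rather than per run, and the thresholds tuned against a quiet period of real logs before alerting on them.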