Cisco SD-WAN - Low Frequency Rogue Peer
This analytic identifies low-frequency Cisco SD-WAN control-plane peering activity from control-connection-state-change events with new-state:up. It extracts peer-type and peer-system-ip, groups events by these two fields, and counts how often each combination appears within the selected time window. Combinations whose count is less than or equal to the configured threshold (currently 3 occurrences in the search window) are flagged as rare. Analysts should prioritize peer identities that are rarely observed in the environment, particularly those involving unexpected peer-type roles or unfamiliar peer-system-ip values. Rare control-plane peers may indicate misconfiguration, unauthorized SD-WAN components, infrastructure drift, or malicious control-plane connection attempts. Findings might indicate exploitation of CVE-2026-20127. Note that the threshold is set to 3 by default, but it is highly recommended to adapt it to the environment before deploying this search: in a small fabric or over a short search window, legitimate peers can fall at or below the threshold, and a newly onboarded site will legitimately appear as a first-seen peer. Baseline the peer-type/peer-system-ip combinations over a longer window and tune the threshold (or the window) so that the established control-plane peers sit above it.
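The grouping-and-counting logic described above, run over constructed sample events, as an added example that is not part of the rule's own source. The log lines, host names, colors and IP addresses are made up; the key:value tokens (new-state, peer-type, peer-system-ip) only mirror the field names the description relies on, and the rule's actual search language and field extraction are not shown on this page.

```python
import re
from collections import Counter

# Rule default; adapt to the environment before deploying (see the note above).
THRESHOLD = 3

# Constructed sample events (not real telemetry). Only control-connection-state-change
# events with new-state:up contribute to the counts; the "down" event and the
# unrelated omp event at the end must be ignored.
SAMPLE_LOGS = """\
2026-01-15T10:00:01Z vedge-site1 control-connection-state-change host-name:vedge-site1 system-ip:10.1.1.1 peer-type:vsmart peer-system-ip:10.0.0.2 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:00:03Z vedge-site2 control-connection-state-change host-name:vedge-site2 system-ip:10.1.1.2 peer-type:vsmart peer-system-ip:10.0.0.2 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:00:05Z vedge-site3 control-connection-state-change host-name:vedge-site3 system-ip:10.1.1.3 peer-type:vsmart peer-system-ip:10.0.0.2 local-color:mpls remote-color:default old-state:connect new-state:up
2026-01-15T10:00:07Z vedge-site4 control-connection-state-change host-name:vedge-site4 system-ip:10.1.1.4 peer-type:vsmart peer-system-ip:10.0.0.2 local-color:mpls remote-color:default old-state:connect new-state:up
2026-01-15T10:00:09Z vedge-site5 control-connection-state-change host-name:vedge-site5 system-ip:10.1.1.5 peer-type:vsmart peer-system-ip:10.0.0.2 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:01:01Z vedge-site1 control-connection-state-change host-name:vedge-site1 system-ip:10.1.1.1 peer-type:vbond peer-system-ip:10.0.0.1 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:01:03Z vedge-site2 control-connection-state-change host-name:vedge-site2 system-ip:10.1.1.2 peer-type:vbond peer-system-ip:10.0.0.1 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:01:05Z vedge-site3 control-connection-state-change host-name:vedge-site3 system-ip:10.1.1.3 peer-type:vbond peer-system-ip:10.0.0.1 local-color:mpls remote-color:default old-state:connect new-state:up
2026-01-15T10:01:07Z vedge-site4 control-connection-state-change host-name:vedge-site4 system-ip:10.1.1.4 peer-type:vbond peer-system-ip:10.0.0.1 local-color:mpls remote-color:default old-state:connect new-state:up
2026-01-15T10:02:01Z vedge-site1 control-connection-state-change host-name:vedge-site1 system-ip:10.1.1.1 peer-type:vmanage peer-system-ip:10.0.0.3 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:02:03Z vedge-site2 control-connection-state-change host-name:vedge-site2 system-ip:10.1.1.2 peer-type:vmanage peer-system-ip:10.0.0.3 local-color:biz-internet remote-color:default old-state:connect new-state:up
2026-01-15T10:03:00Z vedge-site3 control-connection-state-change host-name:vedge-site3 system-ip:10.1.1.3 peer-type:vsmart peer-system-ip:10.9.9.9 local-color:mpls remote-color:default old-state:connect new-state:up
2026-01-15T10:04:00Z vedge-site5 control-connection-state-change host-name:vedge-site5 system-ip:10.1.1.5 peer-type:vedge peer-system-ip:10.1.1.5 local-color:biz-internet remote-color:default old-state:up new-state:down
2026-01-15T10:05:00Z vedge-site1 omp-state-change host-name:vedge-site1 system-ip:10.1.1.1 peer-type:vsmart peer-system-ip:10.0.0.2 new-state:up
"""

# key:value tokens whose key is a lowercase, hyphenated name preceded by whitespace or
# start of line. The leading timestamp contains colons but no such key, so it is skipped.
_FIELD_RE = re.compile(r"(?<!\S)([a-z][a-z-]*):(\S+)")

EVENT_NAME = "control-connection-state-change"


def parse_fields(line):
    """Return the key:value tokens of one event line as a dict."""
    return dict(_FIELD_RE.findall(line))


def count_control_peers(lines):
    """Count (peer-type, peer-system-ip) over control-connection-state-change events
    whose new-state is up, i.e. the grouping the rule performs."""
    counts = Counter()
    for line in lines:
        if EVENT_NAME not in line.split():
            continue
        fields = parse_fields(line)
        if fields.get("new-state") != "up":
            continue
        peer_type = fields.get("peer-type")
        peer_ip = fields.get("peer-system-ip")
        if peer_type is None or peer_ip is None:
            continue  # field extraction failed; do not count a half-identified peer
        counts[(peer_type, peer_ip)] += 1
    return counts


def rare_peers(counts, threshold=THRESHOLD):
    """Return [(peer-type, peer-system-ip, count)] for combinations seen at most
    `threshold` times, rarest first, so the analyst triages the least common peers."""
    rare = [(pt, ip, n) for (pt, ip), n in counts.items() if n <= threshold]
    return sorted(rare, key=lambda r: (r[2], r[0], r[1]))


if __name__ == "__main__":
    peer_counts = count_control_peers(SAMPLE_LOGS.splitlines())
    for peer_type, peer_ip, n in rare_peers(peer_counts):
        print(f"rare peer: type={peer_type} system-ip={peer_ip} count={n}")
```

In the constructed data the established vSmart and vBond peers are seen five and four times and are not reported, while the second vSmart at 10.9.9.9 (seen once) and the vManage at 10.0.0.3 (seen twice) are flagged. Raising the threshold to 4 would also surface the legitimate vBond, which is the over-alerting the tuning note above warns about; conversely, a window short enough that the real vSmart appears three times or fewer would flag it too, so the threshold and window have to be tuned together.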