What's new

ESCU version 6.1.0 was released on June 17, 2026.

Key highlights

Here's a summary of the major changes:

  • Cisco Secure Access Threat Detection: Introduced new analytics for Cisco Secure Access to identify access to anonymizer and privacy-focused services as well as automated web reconnaissance activity. New detections — Cisco Secure Access Access to Anonymizer Services and Cisco Secure Access Automated Web Reconnaissance via HTTP Access Errors — help uncover attempts to obscure attacker infrastructure, evade attribution, and perform large-scale web application discovery through patterns of abnormal HTTP error responses and suspicious outbound connectivity.

  • BlueHammer & RedSun: Added new analytic stories and detections covering the BlueHammer and RedSun exploit families, which abuse Microsoft Defender functionality to achieve privilege escalation and credential access. New analytics detect suspicious Defender engine and signature update activity, non-administrative password changes, abnormal password reset bursts, unauthorized Defender file modifications, and processes interacting with Defender update components, while also introducing support for Windows Security Event ID 4723 (password change attempts) to improve visibility into credential theft and privilege escalation tradecraft associated with these emerging attack techniques.

  • Linux Copy Fail Analytics: Expanded Linux detection coverage for Copy Fail (CVE-2026-31431) and related post-exploitation activity with new analytics targeting malformed authentication entries, PF_ALG registration outside normal boot windows, suspicious namespace creation, and process execution with null argv values—behaviors associated with privilege escalation, stealthy execution, and kernel abuse. This release also introduces support for Linux kern.log telemetry through a new data source, providing deeper visibility into low-level system activity and emerging Linux exploitation techniques.

  • Salt Typhoon Tradecraft on Cisco IOS XE: Added a new set of analytics focused on Salt Typhoon-style activity targeting Cisco IOS XE devices, providing coverage for reconnaissance, persistence, defense evasion, and unauthorized remote access techniques observed in network infrastructure compromises. New detections identify behaviors such as Guestshell activation and destruction, log clearing sequences, VTY access control tampering, tunnel interface creation, WebUI abuse, remote access probing, and suspicious platform package shell interactions, helping defenders detect adversaries attempting to establish persistence, evade logging, and manipulate Cisco networking infrastructure.

  • Cisco SD-WAN Authentication Analytics: Added new analytics to identify suspicious authentication patterns in Cisco SD-WAN environments, including multiple source IPs authenticating to vManage via SSH and repeated SSH key-based authentications from a single source, helping detect potential credential sharing, unauthorized administrative access, and distributed brute-force or persistence activity targeting SD-WAN management infrastructure.

  • PTC Windchill Exploitation Detection Coverage: Added a new analytic story for PTC Windchill Exploitation along with detections for gateway command execution and GW READY/OK probing activity, providing visibility into exploitation attempts targeting Windchill environments. This release also introduces a new Windchill Log4j data source and supporting macro to help defenders identify reconnaissance, command execution, and post-exploitation behaviors against enterprise product lifecycle management (PLM) infrastructure.
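The two Cisco SD-WAN authentication patterns listed above (one account authenticating from many source IPs, and one source repeatedly authenticating with an SSH key) reduce to sliding-window counts over successful SSH logins. The script below is an added illustration, not ESCU content or a Splunk search: it assumes vManage emits standard OpenSSH-style sshd syslog lines ("Accepted publickey for <user> from <ip> port <port> ssh2"), runs over a constructed log excerpt embedded inline, and uses illustrative thresholds (3 distinct sources in 10 minutes; 5 key-based logins from one source in 5 minutes) that would need tuning per environment.

```python
"""Added example, not part of the ESCU release: sliding-window detection of
two SD-WAN SSH authentication patterns over OpenSSH-style sshd log lines.

Assumptions (not stated in the release notes): vManage logs successful SSH
authentication in the standard OpenSSH syslog format, and the thresholds
below are illustrative defaults rather than ESCU's tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only successful authentications are of interest for these two patterns.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

# Constructed sample log; not real vManage telemetry.
SAMPLE_LOG = """\
Jun 17 10:00:01 vmanage sshd[1201]: Accepted publickey for admin from 10.1.1.5 port 51000 ssh2
Jun 17 10:00:09 vmanage sshd[1202]: Accepted publickey for admin from 10.1.1.5 port 51001 ssh2
Jun 17 10:00:15 vmanage sshd[1203]: Accepted publickey for admin from 10.1.1.5 port 51002 ssh2
Jun 17 10:00:22 vmanage sshd[1204]: Accepted publickey for admin from 10.1.1.5 port 51003 ssh2
Jun 17 10:00:30 vmanage sshd[1205]: Accepted publickey for admin from 10.1.1.5 port 51004 ssh2
Jun 17 10:00:37 vmanage sshd[1206]: Accepted publickey for admin from 10.1.1.5 port 51005 ssh2
Jun 17 10:02:00 vmanage sshd[1210]: Accepted password for netops from 10.2.2.10 port 40100 ssh2
Jun 17 10:03:30 vmanage sshd[1211]: Accepted password for netops from 10.2.2.11 port 40101 ssh2
Jun 17 10:05:10 vmanage sshd[1212]: Accepted password for netops from 10.2.2.12 port 40102 ssh2
Jun 17 10:07:45 vmanage sshd[1213]: Accepted password for netops from 198.51.100.7 port 40103 ssh2
Jun 17 10:09:00 vmanage sshd[1220]: Accepted password for auditor from 10.3.3.3 port 40200 ssh2
Jun 17 10:09:30 vmanage sshd[1221]: Failed password for invalid user test from 10.3.3.4 port 40201 ssh2
"""


def parse_events(text, year=2026):
    """Parse 'Accepted ...' lines into dicts; syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # failed logins and unrelated lines are not needed here
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "method": m["method"], "user": m["user"], "src": m["src"]})
    return events


def _window_groups(events, key, window):
    """For each value of `key`, yield the events falling in a window that starts at each event."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e[key]].append(e)
    for k, evs in by_key.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            end = start["ts"] + window
            yield k, [e for e in evs[i:] if e["ts"] <= end]


def accounts_with_many_sources(events, window=timedelta(minutes=10), min_sources=3):
    """Accounts seen authenticating from >= min_sources distinct IPs within one window.

    Returns {user: sorted list of source IPs} for the widest window found per user.
    """
    hits = {}
    for user, group in _window_groups(events, "user", window):
        srcs = sorted({e["src"] for e in group})
        if len(srcs) >= min_sources and len(srcs) > len(hits.get(user, [])):
            hits[user] = srcs
    return hits


def sources_with_repeated_key_auth(events, window=timedelta(minutes=5), min_count=5):
    """Source IPs with >= min_count successful publickey logins within one window.

    Returns {src: highest count observed in any window}.
    """
    key_events = [e for e in events if e["method"] == "publickey"]
    hits = {}
    for src, group in _window_groups(key_events, "src", window):
        if len(group) >= min_count and len(group) > hits.get(src, 0):
            hits[src] = len(group)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("accounts authenticating from many sources:", accounts_with_many_sources(evs))
    print("sources with repeated key-based auth:", sources_with_repeated_key_auth(evs))
```

On the constructed sample, the `netops` account is flagged for four distinct source addresses (including one off-net) inside ten minutes, and `10.1.1.5` is flagged for six key-based logins in under a minute; the single `auditor` login and the failed attempt produce nothing. In a real deployment the same grouping would be done in SPL against the vManage data source, and the thresholds and windows would be set from the baseline of legitimate administrative access.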

New analytics

Other updates

Fixed several regex-related bugs that were reported as GitHub issues (External Contributor: @srkyn).

Breaking changes

As previously communicated in the ESCU v5.26.0 release, several detections have been removed. For a complete list of the detections removed in version 6.1.0, refer to the List of Removed Detections. Users are expected to transition to the recommended replacements where applicable. Additionally, a new set of detections has been deprecated. For details on detections scheduled for removal in ESCU version 6.4.0, see the List of Detections Scheduled for Removal.