Cisco AnyConnect NVM


TL;DR


| Data type | Table name | Log format | Collection method |
| --- | --- | --- | --- |
| Cisco NVM Endpoint | cisco_nvm_endpoint | NDJSON | S3 |
| Cisco NVM Interface | cisco_nvm_interface | NDJSON | S3 |
| Cisco NVM Flow | cisco_nvm_flow | NDJSON | S3 |


Overview

Cisco AnyConnect NVM (Network Visibility Module) is an endpoint product by Cisco used for monitoring network activity. It runs as an endpoint agent, gathers information about the endpoint's network activity, and correlates it with information about the processes that were involved.

Supported data types

Cisco NVM Endpoint

Table name: cisco_nvm_endpoint

Cisco NVM (Network Visibility Module) Endpoint logs provide insights into network traffic and endpoint behavior, detailing network connections, application usage, and potential security threats detected at the endpoint level. These logs are crucial for understanding network activity, enhancing security, and troubleshooting issues.

Learn more here.

📘Note

These logs can be exported in JSON format from Cisco NVM up to version 5.1.4.67. Newer versions are not supported and will require you to open a new integration request with Hunters Support.

Cisco NVM Interface

Table name: cisco_nvm_interface

These logs capture data related to the operation and status of network interfaces on devices equipped with Cisco's Network Visibility Module. These logs include information on interface performance, status changes, and any errors or anomalies detected, aiding in network monitoring and troubleshooting.

Learn more here.

Cisco NVM Flow

Table name: cisco_nvm_flow

Cisco NVM Flow logs collect and detail information about network traffic flows captured by the Cisco Network Visibility Module. These logs are used for monitoring network performance, security analysis, and troubleshooting, providing detailed insights into the traffic patterns, volumes, and potential security threats within networked environments.

Learn more here.

Send data to Hunters

Hunters supports the integration of Cisco AnyConnect NVM logs using an intermediary S3 bucket.

To send Cisco AnyConnect NVM logs to Hunters:

  1. Contact Cisco support to learn how to route your Cisco AnyConnect logs to S3.

  2. Follow this guide to learn how to complete the process.

Expected format

The expected format of the logs is NDJSON (one JSON object per line) as exported by the Cisco NVM Collector.

Cisco NVM Endpoint NDJSON format example


{
  "last_time": "2022-10-03 15:43:13",
  "system_type": "x64",
  "agent_version": "0.1.23456",
  "virtual_station_name": "virtual_station_name",
  "os_name": "Mac OS X",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "os_version": "10.14.6",
  "system_manufacturer": "Apple Inc.",
  "os_edition": "Mojave"
}

Cisco NVM Interface NDJSON format example

{
  "interface_uid": 123,
  "interface_details_list": "¦aSDf=ASfsfASDFSFd¦AsdF2=AsdfASDFsdf¦",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "interface_index": 10,
  "last_time": "2022-10-03 15:43:13",
  "interface_mac_address": "FF:FF:FF:FF:FF:FF",
  "interface_type": 2,
  "interface_name": "en0"
}

Cisco NVM Flow NDJSON format example

{
  "logged_in_user_account_type": 12345,
  "process_name": "svchost.exe",
  "parent_process_name": "services.exe",
  "interface_uid": 12,
  "src_ip_address": "10.10.123.123",
  "dst_ip_address": "100.200.200.100",
  "parent_process_account_type": 2,
  "process_account_type": 1,
  "module_hash_list": "¦dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048¦",
  "dns_suffix": "AaaaA.aAA",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "start_time": "2022-10-03 15:46:00",
  "dst_port": 53,
  "parent_process_hash": "dfbea9e8c316d9bc118b454b0c722cd674c30d0a256340200e2c3a7480cba674",
  "parent_process_args": "-",
  "bytes_in": 0,
  "src_port": 12345,
  "process_hash": "dd191a5b23df92e12a8852291f9fb5ed594b76a28a5a464418442584afd1e048",
  "dst_host_name": "asdf123",
  "protocol": 17,
  "process_id": 1234,
  "logged_in_user": "domain\\user.name",
  "bytes_out": 37,
  "last_time": "2022-10-03 15:46:00",
  "parent_process_path": "-",
  "parent_process_account": "ur urururur8585\\hfhf334",
  "process_args": "-",
  "module_name_list": "¦dnsrslvr.dll¦",
  "parent_process_id": 123,
  "process_account": "LI LIlilili\\Lilili LILILILI",
  "process_path": "-"
}
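The flow and interface examples above use a broken-bar character (¦, U+00A6) to delimit list-valued fields such as module_hash_list, module_name_list and interface_details_list. The following added example (not Hunters' or Cisco's code) shows how a collector-side or detection-side script can read the NDJSON export, normalise those fields, resolve the IANA protocol number, and roll up bytes per process for triage. It assumes that "-" marks an absent value, as seen in the flow example, and that interface_details_list items are key=value pairs; the sample lines are constructed, not real telemetry.

```python
import json
from collections import defaultdict

# IANA protocol numbers seen in NVM flow records (subset; 17 = UDP, as in the page's example).
PROTOCOL_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
LIST_FIELDS = ("module_hash_list", "module_name_list")
BROKEN_BAR = "\u00a6"  # the '¦' delimiter used by NVM list fields

def split_bar_list(value):
    """Split a '¦'-delimited NVM list field; None, '' or the '-' placeholder (assumed) give []."""
    if not value or value == "-":
        return []
    return [item for item in value.split(BROKEN_BAR) if item]

def parse_interface_details(value):
    """Turn '¦key=val¦key2=val2¦' (interface_details_list) into a dict; items without '=' map to None."""
    details = {}
    for item in split_bar_list(value):
        key, sep, val = item.partition("=")
        details[key] = val if sep else None
    return details

def parse_flow(line):
    """Parse one NDJSON flow line: list fields become Python lists, protocol gets a readable name."""
    record = json.loads(line)
    for field in LIST_FIELDS:
        if field in record:
            record[field] = split_bar_list(record[field])
    record["protocol_name"] = PROTOCOL_NAMES.get(record.get("protocol"), "other")
    return record

def iter_flows(text):
    """Yield parsed flow records, skipping blank lines and malformed JSON (e.g. a truncated last line)."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield parse_flow(line)
        except json.JSONDecodeError:
            continue  # one bad line should not abort the whole S3 object

def bytes_by_process(records):
    """Sum bytes_in/bytes_out per (process_name, process_hash) to spot unusually chatty binaries."""
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        key = (r.get("process_name"), r.get("process_hash"))
        totals[key][0] += r.get("bytes_in", 0)
        totals[key][1] += r.get("bytes_out", 0)
    return {k: tuple(v) for k, v in totals.items()}

# Constructed sample NDJSON, modelled on the flow example above (hashes shortened; not real data).
SAMPLE_NDJSON = "\n".join([
    json.dumps({"process_name": "svchost.exe", "process_hash": "dd19", "protocol": 17, "dst_port": 53,
                "bytes_in": 0, "bytes_out": 37, "module_hash_list": "¦dd19¦", "module_name_list": "¦dnsrslvr.dll¦"}),
    json.dumps({"process_name": "svchost.exe", "process_hash": "dd19", "protocol": 6, "dst_port": 443,
                "bytes_in": 1200, "bytes_out": 300, "module_hash_list": "-", "module_name_list": "-"}),
    "{not json",  # deliberately malformed trailing line
])
```

Running `bytes_by_process(iter_flows(SAMPLE_NDJSON))` on the constructed sample yields a single svchost.exe entry with 1200 bytes in and 337 bytes out; the malformed third line is skipped rather than raising.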