Overview

Cisco AnyConnect NVM (Network Visibility Module) is an endpoint product by Cisco, used for monitoring network activity. It runs as an endpoint agent that gathers information about the endpoint's network activity and correlates it with information about the processes that were involved.

Supported Data Types

  • Cisco NVM Endpoint - Provides information about the endpoint such as OS name, version, manufacturer, type, etc.

  • Cisco NVM Interface - Provides information about the network interfaces of the endpoint.

  • Cisco NVM Flow - Flow information logging all session information including IPs, user, process, hashes, etc.

Cisco NVM Endpoint JSON Format Example

```json
{
  "last_time": "2022-10-03 15:43:13",
  "system_type": "x64",
  "agent_version": "0.1.23456",
  "virtual_station_name": "virtual_station_name",
  "os_name": "Mac OS X",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "os_version": "10.14.6",
  "system_manufacturer": "Apple Inc.",
  "os_edition": "Mojave"
}
```

Cisco NVM Interface JSON Format Example

```json
{
  "interface_uid": 123,
  "interface_details_list": "¦aSDf=ASfsfASDFSFd¦AsdF2=AsdfASDFsdf¦",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "interface_index": 10,
  "last_time": "2022-10-03 15:43:13",
  "interface_mac_address": "FF:FF:FF:FF:FF:FF",
  "interface_type": 2,
  "interface_name": "en0"
}
```

Cisco NVM Flow JSON Format Example

```json
{
  "logged_in_user_account_type": 12345,
  "process_name": "svchost.exe",
  "parent_process_name": "services.exe",
  "interface_uid": 12,
  "src_ip_address": "10.10.123.123",
  "dst_ip_address": "100.200.200.100",
  "parent_process_account_type": 2,
  "process_account_type": 1,
  "module_hash_list": "¦AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA¦",
  "dns_suffix": "AaaaA.aAA",
  "udid": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "start_time": "2022-10-03 15:46:00",
  "dst_port": 53,
  "parent_process_hash": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "parent_process_args": "-",
  "bytes_in": 0,
  "src_port": 12345,
  "process_hash": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
  "dst_host_name": "asdf123",
  "protocol": 17,
  "process_id": 1234,
  "logged_in_user": "AsdfA\\ASdASd",
  "bytes_out": 37,
  "last_time": "2022-10-03 15:46:00",
  "parent_process_path": "-",
  "parent_process_account": "ur urururur8585\\hfhf334",
  "process_args": "-",
  "module_name_list": "¦dnsrslvr.dll¦",
  "parent_process_id": 123,
  "process_account": "LI LIlilili\\Lilili LILILILI",
  "process_path": "-"
}
```
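As an added example (not Hunters' or Cisco's code), a small Python normaliser for flow records in the format shown above: it splits the ¦-delimited list fields, pairs module names with their hashes, parses the interface_details_list key=value pairs, and labels the IANA protocol number. Treating ¦ (U+00A6) as the list separator, and the SAMPLE_FLOW record itself, are assumptions taken from the examples above rather than from collector documentation.

```python
import json

# The list-valued fields in the examples above are delimited by U+00A6 (broken bar).
# Treating that character as the separator is an assumption drawn from those examples.
LIST_DELIMITER = "\u00a6"

# IANA protocol numbers; 17 (UDP) is the value in the example flow record.
PROTOCOL_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample flow record mirroring the field layout of the example above.
SAMPLE_FLOW = json.dumps({
    "process_name": "svchost.exe",
    "dst_port": 53,
    "protocol": 17,
    "module_hash_list": "\u00a6" + "A" * 64 + "\u00a6" + "B" * 64 + "\u00a6",
    "module_name_list": "\u00a6dnsrslvr.dll\u00a6example.dll\u00a6",
    "process_path": "-",
})

def split_list_field(value: str) -> list:
    """Split a '¦a¦b¦' style value into ['a', 'b']; '-' and '' mean no entries."""
    if not value or value == "-":
        return []
    return [token for token in value.split(LIST_DELIMITER) if token]

def parse_interface_details(value: str) -> dict:
    """Parse the '¦k1=v1¦k2=v2¦' interface_details_list value into a dict."""
    details = {}
    for token in split_list_field(value):
        key, _, val = token.partition("=")
        details[key] = val
    return details

def normalise_flow(record: dict) -> dict:
    """Return a copy of a flow record with module lists paired and protocol named."""
    flow = dict(record)
    hashes = split_list_field(record.get("module_hash_list", ""))
    names = split_list_field(record.get("module_name_list", ""))
    # The two lists are positional; a length mismatch means the pairing is unreliable.
    flow["module_list_mismatch"] = len(hashes) != len(names)
    flow["modules"] = [] if flow["module_list_mismatch"] else [
        {"name": n, "hash": h} for n, h in zip(names, hashes)]
    flow["protocol_name"] = PROTOCOL_NAMES.get(record.get("protocol"), "OTHER")
    return flow

def parse_flow_json(text: str) -> dict:
    """Parse one JSON flow record string and normalise it."""
    return normalise_flow(json.loads(text))
```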

Hunters Integration

In order to integrate your Cisco NVM logs into Hunters, the logs need to be collected from your network to an S3 bucket shared with Hunters.

The expected format of the logs is a JSON format as exported by the Cisco NVM Collector.