title: Cisco Sniffing
id: b9e1f193-d236-4451-aaae-2f3d2102120d
status: experimental
description: Show when a monitor or a span/rspan is setup or modified
references:
    - https://attack.mitre.org/techniques/T1040
author: Austin Clark
date: 2019/08/11
tags:
    - attack.credential_access
    - attack.discovery
    - attack.t1040
logsource:
    product: cisco
    service: aaa
    category: accounting
fields:
    - CmdSet
detection:
    keywords:
        - 'monitor capture point'
        - 'set span'
        - 'set rspan'
    condition: keywords
falsepositives:
    - Admins may setup new or modify old spans, or use a monitor for troubleshooting.
level: medium