Techniques
Sample rules
Cisco Secure Firewall - Possibly Compromised Host
- source: splunk
- technicques:
- T1203
- T1059
- T1587.001
Description
The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall.
This detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and Impact
field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. If confirmed malicious this may indicate a potential compromised host.
Detection logic
`cisco_secure_firewall` EventType=IntrusionEvent Impact IN (1,2)
| stats count as TotalDetections values(signature_id) as signature_id
values(signature) as signature
values(rule) as rule
min(_time) as firstTime max(_time) as lastTime
by src_ip dest dest_port transport Impact app impact_desc class_desc MitreAttackGroups InlineResult InlineResultReason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___possibly_compromised_host_filter`