false positives are directly related to their snort rules triggering and the firewall scoring. apply additional filters if the rules are too noisy by disabling them or simply ignoring certain ip ranges that trigger it.

Techniques

Sample rules

Cisco Secure Firewall - Possibly Compromised Host

source: splunk
technicques:
- T1203
- T1059
- T1587.001

Description

The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall. This detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and Impact field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. If confirmed malicious this may indicate a potential compromised host.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent Impact IN (1,2)

| stats count as TotalDetections values(signature_id) as signature_id 
        values(signature) as signature 
        values(rule) as rule 
        min(_time) as firstTime max(_time) as lastTime 
        by src_ip dest dest_port transport Impact app impact_desc class_desc MitreAttackGroups InlineResult InlineResultReason

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___possibly_compromised_host_filter`