LoFP / false positives can occur in environments where vulnerability scanners or malware sandboxes are actively generating simulated attacks. additionally, noisy or overly aggressive snort rules may produce bursts of alerts from legitimate applications. review host context before escalating.

Techniques

• T1059
• T1071
• T1595.002

Sample rules

Cisco Secure Firewall - High Volume of Intrusion Events Per Host

• source: splunk
• technicques:
  • T1059
  • T1071
  • T1595.002

Description

The following analytic detects internal systems that generate an unusually high volume of intrusion detections within a 30-minute window. It leverages Cisco Secure Firewall Threat Defense logs, specifically focusing on the IntrusionEvent event type, to identify hosts that trigger more than 15 Snort-based signatures during that time. A sudden spike in intrusion alerts originating from a single host may indicate suspicious or malicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement. In some cases, this behavior may also be caused by misconfigured or outdated software repeatedly tripping detection rules. Systems exhibiting this pattern should be triaged promptly, as repeated Snort rule matches from a single source are often early indicators of compromise, persistence, or active exploitation attempts.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent

| bin _time span=30m

| stats count as TotalEvents values(signature_id) as signature_id
        values(signature) as signature
        values(dest) as dest
        values(dest_port) as dest_port
        min(_time) as firstTime max(_time) as lastTime 
        by src_ip class_desc MitreAttackGroups InlineResult InlineResultReason rule transport app

| where TotalEvents >= 15

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___high_volume_of_intrusion_events_per_host_filter`