Techniques
Sample rules
Cisco Secure Firewall - Intrusion Events by Threat Activity
- source: splunk
- techniques:
  - T1041
  - T1573.002
Description
This analytic detects intrusion events attributable to known threat activity using Cisco Secure Firewall Threat Defense IntrusionEvent logs. It identifies cases where one or more Snort signatures associated with a known threat or threat actor were triggered against the same destination host within a single time window (the search below buckets events by day with `bin _time span=1d`; shorten the span if you want tighter temporal correlation). The detection uses a lookup table (cisco_snort_ids_to_threat_mapping.csv) to map Snort signature IDs to known threats and their techniques, and a second lookup (threat_snort_count) that supplies the expected number of distinct signatures for each threat. When the number of unique signatures seen for a threat in the window matches or exceeds that expected number, an alert is generated. Note that the comparison is `>=`, so a threat mapped to only one signature fires on any single hit; the quality of the mapping therefore drives the false-positive rate. This helps surface potentially coordinated threat activity by correlating related intrusion events that occur in close temporal proximity.
Detection logic
`cisco_secure_firewall` EventType=IntrusionEvent
| stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip signature_id
| lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
| where isnotnull(threat)
| bin _time span=1d
| stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src_ip) AS src_ip BY _time dest_ip threat
| lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
| table _time, dest_ip, src_ip, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
| where sig_count >= distinct_count_snort_ids
| `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
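To make the correlation concrete, the following is an added example (not code from the original Splunk rule) that re-implements the same logic in Python and runs it over constructed sample IntrusionEvent records. The lookup contents are constructed stand-ins for cisco_snort_ids_to_threat_mapping and threat_snort_count, whose real contents the page does not reproduce; the example also assumes that distinct_count_snort_ids equals the number of distinct signature IDs mapped to each threat. The sample data exercises the cases the logic implies: a full signature set inside one window (alert), a partial set (no alert), a single-signature threat (alert on one hit), the same set straddling a day boundary (no alert), and unmapped or non-intrusion events (dropped).

```python
# Added example, not code from the original rule: a stand-alone
# re-implementation of the SPL correlation above over constructed data.
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for cisco_snort_ids_to_threat_mapping:
# signature_id -> (threat, category, message)
SNORT_TO_THREAT = {
    "1000001": ("ExampleActor-A", "c2", "example beacon"),
    "1000002": ("ExampleActor-A", "exfil", "example exfil"),
    "1000003": ("ExampleActor-A", "tooling", "example tool download"),
    "1000004": ("ExampleActor-B", "c2", "example tls c2"),
}

# Constructed stand-in for threat_snort_count. Assumption: the expected
# count is the number of distinct signature IDs mapped to each threat.
THREAT_EXPECTED = defaultdict(int)
for _sid, (_threat, _cat, _msg) in SNORT_TO_THREAT.items():
    THREAT_EXPECTED[_threat] += 1

SPAN_SECONDS = 24 * 60 * 60  # mirrors `bin _time span=1d`


def time_bucket(ts_iso, span=SPAN_SECONDS):
    """Floor an ISO-8601 timestamp to the start of its span-sized window."""
    epoch = datetime.fromisoformat(ts_iso).timestamp()
    return int(epoch // span) * span


def detect(events, span=SPAN_SECONDS):
    """Return one alert per (window, dest_ip, threat) whose distinct
    mapped-signature count reaches that threat's expected count."""
    groups = defaultdict(lambda: {"sigs": set(), "srcs": set(), "total": 0})
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent":
            continue
        mapped = SNORT_TO_THREAT.get(ev["signature_id"])
        if mapped is None:            # `where isnotnull(threat)`
            continue
        key = (time_bucket(ev["_time"], span), ev["dest_ip"], mapped[0])
        g = groups[key]
        g["sigs"].add(ev["signature_id"])   # dc(signature_id) AS sig_count
        g["srcs"].add(ev["src_ip"])         # values(src_ip)
        g["total"] += 1                     # count AS Total_Alerts

    alerts = []
    for (window, dest_ip, threat), g in sorted(groups.items()):
        expected = THREAT_EXPECTED[threat]
        if len(g["sigs"]) >= expected:  # sig_count >= distinct_count_snort_ids
            alerts.append({
                "window_start": window,
                "dest_ip": dest_ip,
                "threat": threat,
                "sig_count": len(g["sigs"]),
                "distinct_count_snort_ids": expected,
                "total_alerts": g["total"],
                "src_ip": sorted(g["srcs"]),
                "signature_id": sorted(g["sigs"]),
            })
    return alerts


def _ev(ts, src, dst, sid, etype="IntrusionEvent"):
    return {"_time": ts, "src_ip": src, "dest_ip": dst,
            "signature_id": sid, "EventType": etype}


# Constructed sample events (IPs from documentation ranges).
SAMPLE_EVENTS = [
    # 10.0.0.5: all three ExampleActor-A signatures in one day (one repeated) -> alert
    _ev("2024-05-01T01:10:00+00:00", "203.0.113.7", "10.0.0.5", "1000001"),
    _ev("2024-05-01T01:12:00+00:00", "203.0.113.7", "10.0.0.5", "1000002"),
    _ev("2024-05-01T03:40:00+00:00", "203.0.113.9", "10.0.0.5", "1000003"),
    _ev("2024-05-01T05:00:00+00:00", "203.0.113.7", "10.0.0.5", "1000001"),
    # 10.0.0.6: only two of the three -> no alert
    _ev("2024-05-01T02:00:00+00:00", "203.0.113.7", "10.0.0.6", "1000001"),
    _ev("2024-05-01T02:05:00+00:00", "203.0.113.7", "10.0.0.6", "1000002"),
    # 10.0.0.7: ExampleActor-B has one mapped signature, so a single hit suffices
    _ev("2024-05-01T04:00:00+00:00", "198.51.100.4", "10.0.0.7", "1000004"),
    # 10.0.0.8: all three signatures, but straddling a day boundary -> no alert
    _ev("2024-05-02T23:50:00+00:00", "203.0.113.7", "10.0.0.8", "1000001"),
    _ev("2024-05-02T23:55:00+00:00", "203.0.113.7", "10.0.0.8", "1000002"),
    _ev("2024-05-03T00:05:00+00:00", "203.0.113.7", "10.0.0.8", "1000003"),
    # unmapped signature and a non-intrusion event are dropped
    _ev("2024-05-01T06:00:00+00:00", "203.0.113.7", "10.0.0.5", "3000000"),
    _ev("2024-05-01T06:01:00+00:00", "203.0.113.7", "10.0.0.5", "1000001", "ConnectionEvent"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Running the script prints two alerts: 10.0.0.5 for ExampleActor-A (sig_count 3 of 3 expected, four total events) and 10.0.0.7 for ExampleActor-B (one signature, one expected). The 10.0.0.8 case is the one to keep in mind when tuning: a fixed calendar bucket splits activity that crosses its boundary, so a sliding window or a smaller span may be preferable depending on how the threat mapping was built.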