Techniques
Sample rules
Cisco Secure Firewall - Rare Snort Rule Triggered
- source: splunk
- techniques:
- T1598
- T1583.006
Description
This analytic identifies Snort signatures that have triggered only once in the past 7 days across all Cisco Secure Firewall IntrusionEvent logs. Such rules rarely fire during normal network activity, so a sudden single hit may indicate early-stage compromise, previously unseen malware, or reconnaissance against less commonly exposed services. Investigating these outliers can surface new or low-noise adversary behavior. Note that the search counts distinct event timestamps (dc(_time)) rather than raw events, so several triggers of the same signature that share one timestamp still yield a TriggerCount of 1 and are reported; results are also grouped by inline result, so the same signature_id can appear once as blocked and once as allowed.
Detection logic
`cisco_secure_firewall` EventType=IntrusionEvent earliest=-7d
| stats dc(_time) as TriggerCount min(_time) as firstTime max(_time) as lastTime
values(signature) as signature
values(src_ip) as src_ip
values(dest) as dest
values(dest_port) as dest_port
values(transport) as transport
values(app) as app
values(rule) as rule
by signature_id class_desc MitreAttackGroups InlineResult InlineResultReason
| where TriggerCount = 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___rare_snort_rule_triggered_filter`
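The following Python is an added example, not part of the Splunk detection content or of Cisco's logging format. It re-implements the grouping and filtering performed by the SPL above over a handful of constructed IntrusionEvent records so the behaviour can be checked offline: only IntrusionEvent rows inside the 7-day window are considered, rows are grouped by the same five fields as the `by` clause, `values()` is emulated as a sorted distinct list, and TriggerCount is computed as a distinct count of timestamps. The `distinct_time` switch exists only to show the caveat that two events sharing one timestamp collapse to a single trigger under dc(_time) but not under a plain count; the field names mirror the search, while all values, timestamps and signature IDs are invented.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Same grouping keys as the SPL "by" clause and the same fields collected with values().
GROUP_BY = ("signature_id", "class_desc", "MitreAttackGroups",
            "InlineResult", "InlineResultReason")
VALUE_FIELDS = ("signature", "src_ip", "dest", "dest_port", "transport", "app", "rule")


def parse_time(ts):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ctime(dt):
    """Stand-in for security_content_ctime: render a datetime as human-readable text."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def rare_snort_rules(events, now, window_days=7, distinct_time=True):
    """Return groups whose TriggerCount is exactly 1, like the SPL search.

    distinct_time=True emulates dc(_time); False emulates count() and is only
    here to show how same-timestamp bursts are treated differently.
    """
    cutoff = now - timedelta(days=window_days)          # earliest=-7d
    groups = defaultdict(list)
    for ev in events:
        if ev.get("EventType") != "IntrusionEvent":      # EventType=IntrusionEvent
            continue
        t = parse_time(ev["_time"])
        if t < cutoff:
            continue
        key = tuple(ev.get(f, "") for f in GROUP_BY)
        groups[key].append((t, ev))

    results = []
    for key, rows in groups.items():
        times = [t for t, _ in rows]
        trigger_count = len(set(times)) if distinct_time else len(times)
        if trigger_count != 1:                           # | where TriggerCount = 1
            continue
        row = dict(zip(GROUP_BY, key))
        row["TriggerCount"] = trigger_count
        row["firstTime"] = ctime(min(times))
        row["lastTime"] = ctime(max(times))
        for f in VALUE_FIELDS:                           # values(field): distinct, sorted
            row[f] = sorted({str(ev[f]) for _, ev in rows if f in ev})
        results.append(row)
    return results


def _ev(ts, signature_id, signature, src_ip, event_type="IntrusionEvent",
        class_desc="Attempted Information Leak", inline="Would have blocked"):
    # Builds one constructed record; field names follow the SPL, values are invented.
    return {"_time": ts, "EventType": event_type, "signature_id": signature_id,
            "signature": signature, "class_desc": class_desc, "MitreAttackGroups": "",
            "InlineResult": inline, "InlineResultReason": "Intrusion Policy",
            "src_ip": src_ip, "dest": "10.0.0.8", "dest_port": 443,
            "transport": "TCP", "app": "HTTPS", "rule": "Allow-Inbound-Web"}


NOW = parse_time("2024-05-08T12:00:00Z")   # constructed "now" for the 7-day window

SAMPLE_EVENTS = [   # constructed sample data, not real firewall logs
    # Noisy signature: fires on three different days -> excluded.
    _ev("2024-05-02T08:00:00Z", "1:1000001", "TEST noisy scanner probe", "198.51.100.10"),
    _ev("2024-05-03T08:00:00Z", "1:1000001", "TEST noisy scanner probe", "198.51.100.10"),
    _ev("2024-05-05T08:00:00Z", "1:1000001", "TEST noisy scanner probe", "198.51.100.11"),
    # Genuinely rare: a single trigger inside the window -> reported.
    _ev("2024-05-06T23:15:42Z", "1:1000002", "TEST rare service exploit attempt", "203.0.113.5"),
    # Two events in the same second: dc(_time) collapses them to one -> also reported.
    _ev("2024-05-07T01:02:03Z", "1:1000003", "TEST burst signature", "203.0.113.7"),
    _ev("2024-05-07T01:02:03Z", "1:1000003", "TEST burst signature", "203.0.113.8"),
    # Older than 7 days -> outside earliest=-7d, ignored.
    _ev("2024-04-20T10:00:00Z", "1:1000004", "TEST stale signature", "192.0.2.1"),
    # Not an IntrusionEvent -> ignored by the EventType filter.
    _ev("2024-05-07T09:00:00Z", "1:1000005", "TEST connection record", "192.0.2.2",
        event_type="ConnectionEvent"),
]


if __name__ == "__main__":
    for r in rare_snort_rules(SAMPLE_EVENTS, NOW):
        print(r["signature_id"], r["TriggerCount"], r["firstTime"], r["src_ip"])
```

Running the module prints two rows: the genuinely rare signature and the same-second burst, which the production search would also report because its two events share a timestamp. Passing `distinct_time=False` drops the burst, which is the trade-off to weigh if you consider replacing dc(_time) with count in your own copy of the search. The `cisco_secure_firewall___rare_snort_rule_triggered_filter` macro has no equivalent here; it is the place to suppress known-benign signature IDs in the real deployment.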