LoFP

False positives should be minimal. Simultaneous vulnerability scanning across multiple internal hosts might trigger this, as well as some Snort rules that are noisy. Disable those if necessary or increase the threshold.

Techniques

Sample rules

Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts

Description

This analytic identifies Snort intrusion signatures that have been triggered by ten or more distinct internal IP addresses within a one-hour window. It leverages Cisco Secure Firewall Threat Defense logs and focuses on the IntrusionEvent event type to detect activity that may indicate broad targeting or mass exploitation attempts. This behavior is often associated with opportunistic scanning, worm propagation, or automated exploitation of known vulnerabilities across multiple systems. If confirmed malicious, this could represent the early phase of a coordinated attack aiming to gain a foothold on several hosts or move laterally across the environment.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent
| bin _time span=1h
| stats dc(src_ip) as unique_src_ips, values(src_ip) as src_ip,
        min(_time) as firstTime, max(_time) as lastTime,
        values(dest) as dest,
        values(dest_port) as dest_port,
        values(rule) as rule,
        values(transport) as transport,
        values(app) as app
        by signature_id, signature, class_desc, MitreAttackGroups, InlineResult, InlineResultReason
| where unique_src_ips >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts_filter`
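As an added example that is not part of the LoFP page or the Splunk rule, the same grouping logic in Python over constructed events: hourly bucketing, the distinct-source threshold, and a suppression set standing in for the filter macro (the advice above to disable noisy signatures). Signature ids, addresses and signature names are constructed, not real Snort SIDs.

```python
from collections import defaultdict
from datetime import datetime

def make_event(ts, src_ip, dest, sid, signature, event_type="IntrusionEvent"):
    """Build one constructed Secure Firewall-style record (a dict, not a real FTD log line)."""
    return {"EventType": event_type, "_time": ts, "src_ip": src_ip, "dest": dest,
            "dest_port": 445, "signature_id": sid, "signature": signature,
            "class_desc": "Attempted Administrator Privilege Gain"}

# Constructed sample data covering the cases the rule and its false-positive note describe.
SAMPLE_EVENTS = (
    # 12 distinct internal sources hit one signature within a single hour -> alert
    [make_event("2024-05-01T10:05:00", f"10.1.1.{i}", "10.2.0.5", 1000001, "constructed sig a") for i in range(12)]
    # one vulnerability scanner sweeping 30 hosts: only one distinct source -> no alert
    + [make_event("2024-05-01T10:20:00", "10.9.9.9", f"10.2.0.{i}", 1000002, "constructed sig b") for i in range(30)]
    # 10 sources split 6/4 across two hourly buckets -> no bucket reaches the threshold
    + [make_event("2024-05-01T11:50:00", f"10.3.3.{i}", "10.2.0.7", 1000003, "constructed sig c") for i in range(6)]
    + [make_event("2024-05-01T12:10:00", f"10.3.3.{i}", "10.2.0.7", 1000003, "constructed sig c") for i in range(6, 10)]
    # a known-noisy signature, 15 sources, to be suppressed via the filter set
    + [make_event("2024-05-01T10:30:00", f"10.4.4.{i}", "10.2.0.8", 1000004, "constructed noisy sig") for i in range(15)]
    # a non-intrusion event type that the base search excludes
    + [make_event("2024-05-01T10:30:00", "10.4.4.1", "10.2.0.8", 1000005, "constructed sig e", event_type="ConnectionEvent")]
)

def hour_bucket(ts):
    """Equivalent of `bin _time span=1h`: truncate the timestamp to the hour."""
    return datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)

def snort_multi_host(events, threshold=10, suppressed_sids=frozenset()):
    """Distinct src_ip per (hour, signature) over IntrusionEvents; alert at or above the
    threshold. suppressed_sids plays the role of the rule's trailing filter macro."""
    groups = defaultdict(lambda: {"src_ips": set(), "dests": set(), "times": []})
    for ev in events:
        if ev["EventType"] != "IntrusionEvent" or ev["signature_id"] in suppressed_sids:
            continue
        g = groups[(hour_bucket(ev["_time"]), ev["signature_id"], ev["signature"])]
        g["src_ips"].add(ev["src_ip"]); g["dests"].add(ev["dest"]); g["times"].append(ev["_time"])
    alerts = []
    for (hour, sid, sig), g in sorted(groups.items()):
        if len(g["src_ips"]) >= threshold:  # the `where unique_src_ips >= 10` step
            alerts.append({"hour": hour.isoformat(), "signature_id": sid, "signature": sig,
                           "unique_src_ips": len(g["src_ips"]), "dest": sorted(g["dests"]),
                           "firstTime": min(g["times"]), "lastTime": max(g["times"])})
    return alerts

if __name__ == "__main__":
    for alert in snort_multi_host(SAMPLE_EVENTS, suppressed_sids={1000004}):
        print(alert)
```

Raising `threshold` or extending `suppressed_sids` corresponds to the two tuning options the false-positive note gives.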