false positives should be very unlikely.

Techniques

Sample rules

Cisco Secure Firewall - Oracle E-Business Suite Correlation

source: splunk
technicques:
- T1190

Description

This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs. The detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post compromise activity involving Cl0p. By correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations. Security teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (65454, 65455, 65377, 65378, 65413, 65414, 65415, 65456)

| bin _time span=5m

| fillnull

| stats dc(signature_id) as unique_signature_count 
        values(signature_id) as signature_id 
        values(signature) as signature 
        values(class_desc) as class_desc 
        values(MitreAttackGroups) as MitreAttackGroups 
        values(InlineResult) as InlineResult 
        values(InlineResultReason) as InlineResultReason 
        values(dest_port) as dest_port 
        values(rule) as rule 
        values(transport) as transport 
        values(app) as app 
        min(_time) as firstTime 
        max(_time) as lastTime 
        sum(eval(signature_id==65454)) as sig_template_preview
        sum(eval(signature_id==65455)) as sig_sync_servlet
        sum(eval(signature_id IN (65377,65378,65413,65414,65415,65456))) as sig_exploit_activity
  by src_ip dest_ip

| where (
          (
            sig_exploit_activity >= 1 
            AND 
            (
              sig_template_preview >= 1 
              OR 
              sig_sync_servlet >= 1
            )
          )
        OR
          (
            sig_template_preview >= 1
            AND 
            sig_sync_servlet >= 1
          )
        OR
          unique_signature_count >= 2
        )

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___oracle_e_business_suite_correlation_filter`

Cisco Secure Firewall - Lumma Stealer Activity

source: splunk
technicques:
- T1190
- T1210
- T1027
- T1204

Description

This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occurs in the span of 15 minutes from the same host. If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811)

| bin _time span=15m

| fillnull

| stats dc(signature_id) as unique_signature_count 
        values(signature_id) as signature_id 
        values(signature) as signature 
        values(class_desc) as class_desc 
        values(MitreAttackGroups) as MitreAttackGroups 
        values(InlineResult) as InlineResult 
        values(InlineResultReason) as InlineResultReason 
        values(dest_ip) as dest_ip 
        values(dest_port) as dest_port 
        values(rule) as rule 
        values(transport) as transport 
        values(app) as app 
        min(_time) as firstTime 
        max(_time) as lastTime 
        by src_ip

| where unique_signature_count >= 3

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___lumma_stealer_activity_filter`

Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity

source: splunk
technicques:
- T1190
- T1210
- T1059.001
- T1003.001

Description

This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 61514 (Veeam Backup and Replication credential dump attempt) is followed within a 5-minute window by 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt), which detects the use of xp_cmdshell, a common post-exploitation technique. If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (61514, 64795)

| bin _time span=5m

| fillnull

| stats dc(signature_id) as unique_signature_count 
        values(signature_id) as signature_id 
        values(signature) as signature 
        values(class_desc) as class_desc 
        values(MitreAttackGroups) as MitreAttackGroups 
        values(InlineResult) as InlineResult 
        values(InlineResultReason) as InlineResultReason 
        values(src_ip) as src_ip 
        values(dest_port) as dest_port 
        values(rule) as rule 
        values(transport) as transport 
        values(app) as app 
        min(_time) as firstTime 
        max(_time) as lastTime 
        by dest_ip

| where unique_signature_count = 2

| `security_content_ctime(firstTime)`

| `security_content_ctime(lastTime)`

| `cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter`