Techniques
Sample rules
Cisco Secure Firewall - Potential Data Exfiltration
- source: splunk
- technicques:
- T1041
- T1567.002
- T1048.003
Description
The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.
Detection logic
`cisco_secure_firewall` EventType=ConnectionEvent `cisco_secure_firewall_inside_to_outside`
| eval initiator_mb = round(InitiatorBytes / 1024 / 1024, 2)
| where initiator_mb >= 100
| eval Potentially_Exfiltrated = initiator_mb + " MB"
| stats min(_time) as firstTime max(_time) as lastTime
Values(url) as url
Values(rule) as rule
Values(dest_port) as dest_port
by src, dest, Potentially_Exfiltrated, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___potential_data_exfiltration_filter`