Cisco Secure Firewall - Malware File Downloaded
- source: splunk
- techniques:
  - T1203
  - T1105
Description
The following analytic detects file downloads that Cisco Secure Firewall Threat Defense classified as malware. It relies on the SHA_Disposition field having the value “Malware” and includes metadata such as the file name, file hash, and threat classification. This analytic is critical for surfacing file-based threats identified through Cisco’s AMP or Threat Grid integrations. If confirmed malicious, this could indicate delivery of malware.
Detection logic
`cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
    values(uri) as uri
    values(ClientApplication) as ClientApplication
    values(file_hash) as file_hash
    by FileDirection SHA_Disposition dest src_ip dest_port FileType app file_name ThreatName Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src_ip dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
| `cisco_secure_firewall___malware_file_downloaded_filter`
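To see what the search above actually produces, here is an added Python model of its filter, lookup and stats stages run over constructed FileEvent records (example code, not part of the Splunk rule or Cisco's product). The lookup table, hashes and hosts are made-up stand-ins; the `fill_description` switch models adding a `fillnull` for Description before `stats`, since Splunk's `stats ... by` drops any event whose FileType has no lookup row.

```python
# Constructed sample FileEvent records; field names are the rule's, values are made up.
def _ev(t, disp, direction, dest, src, ftype, fname, uri, client, fhash):
    return {"_time": t, "EventType": "FileEvent", "SHA_Disposition": disp,
            "FileDirection": direction, "dest": dest, "src_ip": src, "dest_port": 443,
            "FileType": ftype, "app": "HTTPS", "file_name": fname, "ThreatName": "W32.Example",
            "uri": uri, "ClientApplication": client, "file_hash": fhash}

SAMPLE_EVENTS = [
    _ev(1700000000, "Malware", "Download", "ws-01", "203.0.113.10", "MSEXE", "update.exe",
        "/dl/update.exe", "Chrome", "hash-placeholder-1"),
    _ev(1700000060, "Malware", "Download", "ws-01", "203.0.113.10", "MSEXE", "update.exe",
        "/dl/v2/update.exe", "Edge", "hash-placeholder-1"),      # same key: count becomes 2
    _ev(1700000120, "Malware", "Upload", "ws-02", "198.51.100.5", "MSEXE", "x.exe",
        "/up", "curl", "hash-placeholder-2"),                    # excluded: not a download
    _ev(1700000180, "Clean", "Download", "ws-03", "203.0.113.10", "PDF", "report.pdf",
        "/report.pdf", "Firefox", "hash-placeholder-3"),         # excluded: clean disposition
    _ev(1700000240, "Malware", "Download", "ws-04", "192.0.2.77", "NOTYPE", "a.bin",
        "/a.bin", "wget", "hash-placeholder-4"),                 # no lookup row for FileType
]
# Stand-in for cisco_secure_firewall_filetype_lookup (Name -> Description); constructed.
FILETYPE_LOOKUP = {"MSEXE": "Windows/DOS executable", "PDF": "Portable Document Format"}
BY_FIELDS = ("FileDirection", "SHA_Disposition", "dest", "src_ip", "dest_port", "FileType",
             "app", "file_name", "ThreatName", "Description")

def detect(events, lookup=FILETYPE_LOOKUP, fill_description=False):
    """Filter, enrich and aggregate the way the rule's SPL does. With fill_description=True
    a missing Description is filled (as `fillnull` would) instead of dropping the event."""
    groups = {}
    for e in events:
        if (e.get("EventType"), e.get("SHA_Disposition"), e.get("FileDirection")) != (
                "FileEvent", "Malware", "Download"):
            continue
        desc = lookup.get(e["FileType"])
        if desc is None:
            if not fill_description:
                continue  # stats drops events lacking any by-field; this mirrors that
            desc = "unknown"
        row = dict(e, Description=desc)
        key = tuple(row[f] for f in BY_FIELDS)
        g = groups.setdefault(key, {"count": 0, "firstTime": row["_time"], "lastTime": row["_time"],
                                    "uri": set(), "ClientApplication": set(), "file_hash": set()})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], row["_time"])
        g["lastTime"] = max(g["lastTime"], row["_time"])
        for f in ("uri", "ClientApplication", "file_hash"):
            g[f].add(row[f])  # values() collects the distinct values per group
    return [dict(zip(BY_FIELDS, k), **v) for k, v in groups.items()]
```

Run `detect(SAMPLE_EVENTS)` to get one aggregated row; the fifth event only surfaces with `fill_description=True`, which is the case to check when a known-malware download is missing from the results.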