LoFP / Misconfigured applications or automated scripts may generate repeated blocked traffic, particularly when attempting to reach decommissioned or restricted resources. Vulnerability scanners or penetration-testing tools running in authorized environments may trigger this alert. Tuning may be required to exclude known internal tools or scanner IPs from detection.

Techniques

Sample rules

Cisco Secure Firewall - Repeated Blocked Connections

Description

The following analytic detects repeated blocked connection attempts from the same initiator to the same responder within a short time window. It leverages Cisco Secure Firewall Threat Defense connection event logs, keeps only connections whose action is Block, groups them by source IP, destination, transport protocol and matched rule, and alerts when the number of occurrences reaches or exceeds a threshold of ten within a one-minute span. This pattern may indicate a misconfigured application, unauthorized access attempts, or the early stages of a brute-force or scanning operation. If confirmed malicious, this behavior may represent an attacker probing the network, attempting lateral movement, or testing firewall rules for weaknesses.

Detection logic

`cisco_secure_firewall` EventType=ConnectionEvent action=Block
| bin _time span=1m as minute
| stats count min(_time) as firstTime max(_time) as lastTime
    values(dest_port) as dest_port
    values(url) as url
    by src_ip, dest, transport, rule, action, minute
| where count >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___repeated_blocked_connections_filter`
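The search above, re-implemented over constructed events so the grouping, the threshold and the scanner tuning from the LoFP note can be run without Splunk or a Cisco Secure Firewall. This is an added example, not Splunk ESCU or Cisco code: the key=value event layout, the addresses, the `deny-inbound` rule name and the `exclude_src` allowlist (standing in for the rule's filter macro) are all assumptions. The `per_minute` switch shows why the one-minute bucket has to be part of the grouping key: with it, the host that is blocked twelve times spread over four minutes stays below threshold; without it, that host fires exactly like the twelve-port burst.

```python
"""Python re-implementation of the 'Repeated Blocked Connections' search.

Added example, not Splunk ESCU or Cisco code. The sample events below are
constructed in a flat key=value layout that reuses the field names from the
SPL (EventType, src_ip, dest, dest_port, transport, rule, action, url); they
are not real Cisco Secure Firewall Threat Defense log lines.
"""
from collections import defaultdict
from datetime import datetime, timezone

THRESHOLD = 10      # | where count >= 10
BIN_SECONDS = 60    # | bin _time span=1m


def parse_event(line):
    """Turn 'ts=... key=value ...' into a dict; ts becomes epoch seconds in _time."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    stamp = datetime.fromisoformat(fields.pop("ts")).replace(tzinfo=timezone.utc)
    fields["_time"] = stamp.timestamp()
    return fields


def minute_bin(epoch):
    """Start of the 1-minute bucket containing epoch (what bin _time span=1m does)."""
    return int(epoch // BIN_SECONDS) * BIN_SECONDS


def repeated_blocks(lines, threshold=THRESHOLD, exclude_src=frozenset(), per_minute=True):
    """Group blocked ConnectionEvents like the SPL 'stats ... by' clause and
    keep the groups with count >= threshold.

    exclude_src mimics the rule's *_filter macro: source IPs of authorized
    scanners are dropped before counting. per_minute=False reproduces a search
    whose bin is not part of the by clause, i.e. one count over the whole range.
    """
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None,
                                  "dest_port": set(), "url": set()})
    for line in lines:
        ev = parse_event(line)
        # EventType=ConnectionEvent action=Block
        if ev.get("EventType") != "ConnectionEvent" or ev.get("action") != "Block":
            continue
        if ev["src_ip"] in exclude_src:          # assumed allowlist of scanner IPs
            continue
        bucket = minute_bin(ev["_time"]) if per_minute else None
        key = (ev["src_ip"], ev["dest"], ev["transport"], ev["rule"], ev["action"], bucket)
        g = groups[key]
        g["count"] += 1
        t = ev["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        if "dest_port" in ev:
            g["dest_port"].add(ev["dest_port"])  # values(dest_port)
        if "url" in ev:
            g["url"].add(ev["url"])              # values(url)
    return {k: v for k, v in groups.items() if v["count"] >= threshold}


def _ev(ts, src, dest, port, action="Block", rule="deny-inbound", transport="tcp"):
    """Build one constructed event line (hypothetical layout, not a Cisco format)."""
    return (f"ts={ts} EventType=ConnectionEvent src_ip={src} dest={dest} "
            f"dest_port={port} transport={transport} rule={rule} action={action}")


SAMPLE_EVENTS = (
    # 10.0.0.5 probes 12 ports on one host inside a single minute: should fire
    [_ev(f"2024-05-01T08:00:{4 * i:02d}", "10.0.0.5", "192.168.1.10", 20 + i) for i in range(12)]
    # 10.0.0.7 is blocked 12 times too, but only 3 times per minute over 4 minutes
    + [_ev(f"2024-05-01T08:{m:02d}:{s:02d}", "10.0.0.7", "192.168.1.10", 80)
       for m in range(4) for s in (5, 25, 45)]
    # 10.0.0.9 is an authorized scanner: 15 blocks in one minute, to be tuned out
    + [_ev(f"2024-05-01T08:02:{3 * i:02d}", "10.0.0.9", "192.168.1.20", 1000 + i) for i in range(15)]
    # allowed traffic never counts, whatever the rate
    + [_ev("2024-05-01T08:00:10", "10.0.0.5", "192.168.1.10", 443, action="Allow")]
)


if __name__ == "__main__":
    hits = repeated_blocks(SAMPLE_EVENTS, exclude_src={"10.0.0.9"})
    for (src, dest, transport, rule, action, bucket), g in sorted(hits.items()):
        print(f"{src} -> {dest}/{transport} rule={rule} minute={bucket} "
              f"count={g['count']} ports={sorted(g['dest_port'], key=int)}")
```

Run without the allowlist and both 10.0.0.5 and the scanner 10.0.0.9 are reported; with `exclude_src={"10.0.0.9"}` only the probing host remains, which is the tuning the LoFP note describes. Keeping that exclusion in a filter applied after the `stats` step, as the rule's macro does, rather than dropping the scanner from the base search, leaves its blocked traffic available for other detections.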