LoFP / Some intrusion events that are linked to these classifications might be noisy in certain environments. Apply a combination of filters for specific Snort IDs and other indicators.

Techniques

Sample rules

Cisco Secure Firewall - High Priority Intrusion Classification

Description

This analytic identifies high-severity intrusion events based on the classification (class_desc) assigned to Snort rules within Cisco Secure Firewall logs. It leverages Cisco Secure Firewall Threat Defense logs and focuses on IntrusionEvent records whose class_desc is one of: "A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", or "Large Scale Information Leak".

These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation.

Detection logic

`cisco_secure_firewall` EventType=IntrusionEvent
        class_desc IN ("A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", "Large Scale Information Leak")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
        values(signature_id) as signature_id
        values(MitreAttackGroups) as MitreAttackGroups
        values(InlineResult) as InlineResult
        values(InlineResultReason) as InlineResultReason
        values(dest_port) as dest_port
        values(rule) as rule
        values(transport) as transport
        values(app) as app
        by src_ip, dest_ip, signature, class_desc
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___high_priority_intrusion_classification_filter`
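The following Python re-implements the search above over a handful of constructed IntrusionEvent records, and adds the kind of tuning the LoFP note at the top recommends: a suppression list that mutes a specific Snort ID only in combination with another indicator (here the application), rather than globally. It is an added example, not Splunk SPL and not part of the original page; the field names mirror the search's own fields, the sample events and the SUPPRESSIONS list are constructed, and the suppression mechanism is a hypothetical stand-in for the `*_filter` macro.

```python
"""Python re-implementation of the Cisco Secure Firewall high-priority intrusion
classification search, plus per-Snort-ID tuning. Added example; not Splunk SPL."""
from collections import defaultdict
from datetime import datetime, timezone

# class_desc values taken from the detection's IN(...) clause.
HIGH_PRIORITY_CLASSES = {
    "A Network Trojan was Detected",
    "Successful Administrator Privilege Gain",
    "Successful User Privilege Gain",
    "Attempt to Login By a Default Username and Password",
    "Known malware command and control traffic",
    "Known malicious file or file based exploit",
    "Known client side exploit attempt",
    "Large Scale Information Leak",
}
GROUP_BY = ("src_ip", "dest_ip", "signature", "class_desc")
VALUE_FIELDS = ("signature_id", "MitreAttackGroups", "InlineResult", "InlineResultReason",
                "dest_port", "rule", "transport", "app")

# Constructed sample IntrusionEvent records (not real firewall output).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventType": "IntrusionEvent", "class_desc": "A Network Trojan was Detected",
     "signature_id": "1:2000", "signature": "MALWARE-CNC example beacon", "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.9", "dest_port": 443, "rule": "Block", "transport": "tcp", "app": "HTTPS",
     "InlineResult": "Dropped"},
    {"_time": 1700000300, "EventType": "IntrusionEvent", "class_desc": "A Network Trojan was Detected",
     "signature_id": "1:2000", "signature": "MALWARE-CNC example beacon", "src_ip": "10.0.0.5",
     "dest_ip": "203.0.113.9", "dest_port": 8443, "rule": "Block", "transport": "tcp", "app": "HTTPS",
     "InlineResult": "Dropped"},
    # Low-severity class: outside the IN(...) list, never alerted on.
    {"_time": 1700000400, "EventType": "IntrusionEvent", "class_desc": "Misc activity",
     "signature_id": "1:100", "signature": "POLICY-OTHER example", "src_ip": "10.0.0.6",
     "dest_ip": "10.0.0.20", "dest_port": 80, "rule": "Alert", "transport": "tcp", "app": "HTTP"},
    # Known-noisy sid on DNS in this environment: removed by the tuning filter below.
    {"_time": 1700000500, "EventType": "IntrusionEvent",
     "class_desc": "Known malware command and control traffic", "signature_id": "1:3000",
     "signature": "MALWARE-CNC example DNS lookup", "src_ip": "10.0.0.7", "dest_ip": "198.51.100.2",
     "dest_port": 53, "rule": "Alert", "transport": "udp", "app": "DNS", "InlineResult": "Allowed"},
    # Wrong EventType: excluded by the EventType=IntrusionEvent clause.
    {"_time": 1700000600, "EventType": "ConnectionEvent", "class_desc": "Successful User Privilege Gain",
     "signature_id": "1:4000", "signature": "SERVER-OTHER example", "src_ip": "10.0.0.8",
     "dest_ip": "10.0.0.21", "dest_port": 22, "rule": "Alert", "transport": "tcp", "app": "SSH"},
    {"_time": 1700000700, "EventType": "IntrusionEvent", "class_desc": "Successful User Privilege Gain",
     "signature_id": "1:4000", "signature": "SERVER-OTHER example", "src_ip": "10.0.0.8",
     "dest_ip": "10.0.0.21", "dest_port": 22, "rule": "Alert", "transport": "tcp", "app": "SSH",
     "InlineResult": "Allowed"},
]

# Hypothetical stand-in for the *_filter macro: every field in an entry must match for the
# event to be dropped, so a sid is muted only in the context where it is known to be noisy.
SUPPRESSIONS = [{"signature_id": "1:3000", "app": "DNS"}]


def ctime(epoch):
    """Render an epoch as ISO-8601 UTC, standing in for security_content_ctime."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def is_suppressed(event, suppressions):
    return any(all(event.get(k) == v for k, v in s.items()) for s in suppressions)


def detect(events, suppressions=()):
    """Return one aggregated finding per (src_ip, dest_ip, signature, class_desc)."""
    groups = defaultdict(list)
    for e in events:
        if e.get("EventType") != "IntrusionEvent" or e.get("class_desc") not in HIGH_PRIORITY_CLASSES:
            continue
        if is_suppressed(e, suppressions):
            continue
        groups[tuple(e.get(f, 0) for f in GROUP_BY)].append(e)  # fillnull -> 0
    findings = []
    for key, evs in groups.items():
        f = dict(zip(GROUP_BY, key))
        f["count"] = len(evs)
        f["firstTime"] = ctime(min(e["_time"] for e in evs))
        f["lastTime"] = ctime(max(e["_time"] for e in evs))
        for field in VALUE_FIELDS:
            # stats values(): distinct values, nulls filled with 0, sorted for stable output
            f[field] = sorted({e.get(field, 0) for e in evs}, key=str)
        findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, SUPPRESSIONS):
        print(finding)
```

Run without a suppression list, the sample produces three findings; with the DNS suppression in place it produces two, and the trojan flow from 10.0.0.5 collapses into a single row carrying both destination ports, which is the shape the SPL `stats ... by src_ip, dest_ip, signature, class_desc` returns.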