Deployable detection rules
2,088 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK
Detections
50 shown of 2,088
Splunk ESCU
SPL
Cisco Secure Firewall - Bits Network Activity
The following analytic detects the use of the Background Intelligent Transfer Service (BITS) client application in allowed outbound connections. It leverages logs from Cisco Secure Firewall Threat Defense devices and identifies instances where BITS is used to initiate downloads from non-standard or unexpected domains. While BITS is a legitimate Windows service used for downloading updates, it is also commonly abused by adversaries to stealthily retrieve payloads or tools. This analytic filters out known Microsoft Edge update URLs and focuses on connections that may indicate suspicious or unauthorized file transfers. If confirmed malicious, this could represent a command and control (C2) channel or a download of malware or tooling as part of an attack chain.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent action IN ("Trust", "Allow", "allowed") ClientApplication="BITS" AND NOT url IN ("*://msedge.b.tlu.dl*")
| stats count min(_time) as firstTime max(_time) as lastTime by src, dest, dest_port, transport, rule, url, EVE_Process, ClientApplication, ClientApplicationVersion, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___bits_network_activity_filter`
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint
The following analytic detects the use of known suspicious SSL certificates in any observed event where the SSL_CertFingerprint field is present. It leverages Cisco Secure Firewall logs and compares the SSL certificate SHA1 fingerprint against a blacklist of certificates associated with malware distribution, command and control (C2) infrastructure, or phishing campaigns. This activity is significant as adversaries often reuse or self-sign certificates across malicious infrastructure, allowing defenders to track and detect encrypted sessions even when domains or IPs change. If confirmed malicious, this may indicate beaconing, malware download, or data exfiltration over TLS/SSL.
Show query
`cisco_secure_firewall` EventType=* SSL_CertFingerprint=*
| lookup sslbl_ssl_certificate_blacklist SHA1 as SSL_CertFingerprint OUTPUT Listingdate, Listingreason
| where isnotnull(Listingreason)
| stats min(_time) as firstTime max(_time) as lastTime
values(dest) as dest
values(dest_port) as dest_port
values(rule) as rule
values(url) as url
values(Listingreason) as Reasons
values(Listingdate) as "SSL Cert Listing Dates"
count by SSL_CertFingerprint src transport action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___blacklisted_ssl_certificate_fingerprint_filter`
Cisco Secure Firewall - Blocked Connection
The following analytic detects a blocked connection event by identifying a "Block" value in the action field. It leverages logs from Cisco Secure Firewall Threat Defense devices. This activity is significant because it can identify users or applications initiating network connections to explicitly or implicitly blocked ranges or zones. If confirmed malicious, attackers could be attempting to perform a forbidden action on the network such as data exfiltration, lateral movement, or network disruption.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent action IN ("Block with reset", "Block", "blocked")
| stats count min(_time) as firstTime max(_time) as lastTime by src, dest, dest_port, transport, rule, url, EVE_Process, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___blocked_connection_filter`
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt
This analytic detects exploitation activity of CVE-2025-5777 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65118 (Citrix NetScaler memory overread attempt) is triggered.
If confirmed malicious, this behavior is highly indicative of a potential exploitation of CVE-2025-5777.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id = 65118
| fillnull
| stats min(_time) as firstTime
max(_time) as lastTime
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___citrix_netscaler_memory_overread_attempt_filter`
Cisco Secure Firewall - Communication Over Suspicious Ports
The following analytic detects potential reverse shell activity by identifying connections involving ports commonly associated with remote access tools, shell listeners, or tunneling utilities. It leverages Cisco Secure Firewall Threat Defense logs and monitors destination ports against a list of non-standard, high-risk port values often used in post-exploitation scenarios. Adversaries frequently configure tools like netcat, Meterpreter, or other backdoors to listen or connect over uncommon ports such as 4444, 2222, or 51820 to bypass standard monitoring and firewall rules. If confirmed malicious, this activity may represent command and control (C2) tunneling, lateral movement, or unauthorized remote access.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent dest_port IN ("888", "999", "2200", "2222", "4000", "4444", "6789", "8531", "50501", "51820") | fillnull value="unknown" url
| stats min(_time) as firstTime max(_time) as lastTime
values(src_port) as src_port
values(url) as url
values(rule) as rule
count by src, dest, dest_port, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___communication_over_suspicious_ports_filter`
Cisco Secure Firewall - Connection to File Sharing Domain
The following analytic detects outbound connections to commonly abused file sharing and pastebin-style hosting domains. It leverages Cisco Secure Firewall Threat Defense logs and focuses on allowed connections (action=Allow) where the url field matches a list of known data hosting or temporary storage services. While many of these platforms serve legitimate purposes, they are frequently leveraged by adversaries for malware delivery, data exfiltration, command and control (C2) beacons, or staging of encoded payloads. This analytic is valuable for identifying potential abuse of legitimate infrastructure as part of an attacker's kill chain. If confirmed malicious, this activity may indicate tool staging, credential dumping, or outbound data leaks over HTTP(S).
Show query
`cisco_secure_firewall` action IN ("Trust", "Allow", "allowed") EventType=ConnectionEvent url IN ("*//objects.githubusercontent.com*", "*anonfiles.com*", "*cdn.discordapp.com*", "*ddns.net*", "*dl.dropboxusercontent.com*", "*ghostbin.co*", "*glitch.me*", "*gofile.io*", "*hastebin.com*", "*mediafire.com*", "*mega.nz*", "*onrender.com*", "*pages.dev*", "*paste.ee*", "*pastebin.com*", "*pastebin.pl*", "*pastetext.net*", "*privatlab.com*", "*privatlab.net*", "*send.exploit.in*", "*sendspace.com*", "*storage.googleapis.com*", "*storjshare.io*", "*supabase.co*", "*temp.sh*", "*transfer.sh*", "*trycloudflare.com*", "*ufile.io*", "*w3spaces.com*", "*workers.dev*")
| stats count min(_time) as firstTime max(_time) as lastTime
values(src_port) as src_port
values(dest) as dest
values(dest_port) as dest_port
values(rule) as rule
values(url) as url
values(EVE_Process) as EVE_Process
by src, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___connection_to_file_sharing_domain_filter`
Cisco Secure Firewall - File Download Over Uncommon Port
The following analytic detects file transfers flagged as malware that occurred over non-standard ports (other than 80 and 443). Adversaries may attempt to bypass protocol-based detection or use alternate ports to blend in with other traffic. This analytic identifies these non-conventional flows and surfaces potential evasion techniques. If confirmed malicious, this may indicate malware delivery or other nefarious activity.
Show query
`cisco_secure_firewall` EventType=FileEvent FileDirection="Download" NOT dest_port IN (80, 443)
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
values(file_name) as file_name
values(uri) as uri
values(ClientApplication) as ClientApplication
values(file_hash) as file_hash
values(SHA_Disposition) as SHA_Disposition
by FileDirection FileType app ThreatName dest_port Description src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri ClientApplication file_name file_hash SHA_Disposition ThreatName
| `cisco_secure_firewall___file_download_over_uncommon_port_filter`
Cisco Secure Firewall - High EVE Threat Confidence
The following analytic detects connections with a high Encrypted Visibility Engine (EVE) threat confidence score, indicating potentially malicious behavior within encrypted traffic. It leverages Cisco Secure Firewall Threat Defense logs and evaluates the EVE_ThreatConfidencePct field, which reflects the system's confidence in classifying encrypted sessions as threats based on machine learning models and behavioral analysis. A score equal to or greater than 80 suggests the connection is highly likely to be associated with malware command and control (C2), remote access tools, or suspicious tunneling behavior. If confirmed malicious, this may indicate covert communication over TLS from compromised hosts.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent EVE_ThreatConfidencePct >= 80
| stats count min(_time) as firstTime max(_time) as lastTime
values(rule) as rule
values(url) as url
by EVE_Process, EVE_ThreatConfidencePct, src, dest, dest_port, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___high_eve_threat_confidence_filter`
Cisco Secure Firewall - High Priority Intrusion Classification
This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs.
It leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as:
- A Network Trojan was Detected
- Successful Administrator Privilege Gain
- Successful User Privilege Gain
- Attempt to Login By a Default Username and Password
- Known malware command and control traffic
- Known malicious file or file based exploit
- Known client side exploit attempt
- Large Scale Information Leak
These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent
class_desc IN ("A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", "Large Scale Information Leak")
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime
values(signature_id) as signature_id
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
by src, dest, signature, class_desc
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___high_priority_intrusion_classification_filter`
Cisco Secure Firewall - High Volume of Intrusion Events Per Host
The following analytic detects internal systems that generate an unusually high volume of intrusion detections within a 30-minute window. It leverages Cisco Secure Firewall Threat Defense logs, specifically focusing on the IntrusionEvent event type, to identify hosts that trigger more than 15 Snort-based signatures during that time. A sudden spike in intrusion alerts originating from a single host may indicate suspicious or malicious activity such as malware execution, command-and-control communication, vulnerability scanning, or lateral movement. In some cases, this behavior may also be caused by misconfigured or outdated software repeatedly tripping detection rules. Systems exhibiting this pattern should be triaged promptly, as repeated Snort rule matches from a single source are often early indicators of compromise, persistence, or active exploitation attempts.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent
| bin _time span=30m
| stats count as TotalEvents values(signature_id) as signature_id
values(signature) as signature
values(dest) as dest
values(dest_port) as dest_port
min(_time) as firstTime max(_time) as lastTime
by src class_desc MitreAttackGroups InlineResult InlineResultReason rule transport app
| where TotalEvents >= 15
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___high_volume_of_intrusion_events_per_host_filter`
Cisco Secure Firewall - Intrusion Events by Threat Activity
This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures associated with a known threat or threat actor activity have been triggered within a one-hour time window. The detection uses a lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques. When multiple signatures associated with the same threat actor are triggered within the time window, and the count of unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated. This helps identify potential coordinated threat activity in your network environment by correlating related intrusion events that occur in close temporal proximity.
Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:
* AgentTesla
* Amadey
* ArcaneDoor
* AsyncRAT
* CastleRAT
* Chafer
* DCRAT
* LokiBot
* Lumma Stealer
* Nobelium
* Quasar
* Remcos
* Snake
* Static Tundra
* Xworm
To add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent
| stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest signature_id
| lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
| where isnotnull(threat)
| bin _time span=1d
| stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest threat
| lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
| table _time, dest, src, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
| where sig_count >= distinct_count_snort_ids
| `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
Cisco Secure Firewall - Lumma Stealer Activity
This analytic detects Lumma Stealer activity using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where four of the following Snort signature IDs 64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811 occur within a span of 15 minutes from the same host.
If confirmed malicious, this behavior is highly indicative of a successful infection of Lumma Stealer.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64793, 64794, 64797, 64798, 64799, 64800, 64801, 62709, 64167, 64168, 64169, 64796, 62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64812, 64810, 64811)
| bin _time span=15m
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest) as dest
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by src
| where unique_signature_count >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_activity_filter`
Cisco Secure Firewall - Lumma Stealer Download Attempt
This analytic detects Lumma Stealer download attempts using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (62710, 62711, 62712, 62713, 62714, 62715, 62716, 62717, 64810, 64811)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
by src dest dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_download_attempt_filter`
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt
This analytic detects Lumma Stealer outbound connection attempts using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signatures with IDs 64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709 have been triggered. If confirmed malicious, this behavior could indicate an active infection of Lumma Stealer.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709)
| fillnull
| stats min(_time) as firstTime max(_time) as lastTime
by src dest dest_port transport signature_id signature class_desc MitreAttackGroups rule InlineResult InlineResultReason app
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___lumma_stealer_outbound_connection_attempt_filter`
Cisco Secure Firewall - Malware File Downloaded
The following analytic detects file downloads that were classified as malware by Cisco Secure Firewall Threat Defense. It relies on the `SHA_Disposition` field with a value of "Malware" and includes metadata such as file name, file hash, and threat classification. This analytic is critical for surfacing file-based threats that are identified via Cisco's AMP or Threat Grid integrations. If confirmed malicious, this could indicate delivery of malware.
Show query
`cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| stats count min(_time) as firstTime max(_time) as lastTime
values(uri) as uri
values(ClientApplication) as ClientApplication
values(file_hash) as file_hash
by FileDirection dest src dest_port FileType app file_name ThreatName Description
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
| `cisco_secure_firewall___malware_file_downloaded_filter`
Cisco Secure Firewall - Oracle E-Business Suite Correlation
This correlation rule identifies potential exploitation attempts of Oracle E-Business Suite vulnerabilities (CVE-2025-61882 and CVE-2025-61884) by correlating multiple intrusion signatures from Cisco Secure Firewall Threat Defense logs.
The detection looks for specific signatures that indicate attempts to exploit the TemplatePreview functionality and vulnerable SyncServlet endpoints as well as post compromise activity involving Cl0p.
By correlating these signatures, the analytic aims to identify coordinated exploitation attempts that may indicate an attacker is targeting Oracle E-Business Suite installations.
Security teams should investigate any instances of these correlated signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (65454, 65455, 65377, 65378, 65413, 65414, 65415, 65456)
| bin _time span=5m
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
sum(eval(signature_id==65454)) as sig_template_preview
sum(eval(signature_id==65455)) as sig_sync_servlet
sum(eval(signature_id IN (65377,65378,65413,65414,65415,65456))) as sig_exploit_activity
by src dest
| where (sig_exploit_activity >= 1 AND (sig_template_preview >= 1 OR sig_sync_servlet >= 1))
OR (sig_template_preview >= 1 AND sig_sync_servlet >= 1)
OR unique_signature_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_correlation_filter`
Cisco Secure Firewall - Oracle E-Business Suite Exploitation
This analytic detects vulnerability exploitation and post-compromise activity associated with Oracle E-Business Suite web-application vulnerabilities, CVE-2025-61882 and CVE-2025-61884.
SIDs 65413-65415 detect Java.Backdoor.Cl0p variant payload downloads and Java.Backdoor.Cl0p outbound command-and-control connection attempts.
SIDs 65456, 65377 and 65378 detect attempts to exploit these vulnerabilities.
Security teams should investigate any instances of these signatures, especially if they are found in conjunction with other suspicious network activity or on systems that should not be exposed to such threats.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id IN (65377, 65378, 65413, 65414, 65415, 65456)
| fillnull
| stats values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by src dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___oracle_e_business_suite_exploitation_filter`
Cisco Secure Firewall - Possibly Compromised Host
The following analytic highlights high-impact intrusion events as rated by Cisco Secure Firewall.
This detection leverages Cisco Secure Firewall Threat Defense logs, specifically the IntrusionEvent event type and the `Impact` field assigned by Cisco Secure Firewall, looking for an impact score of 1 or 2. If confirmed malicious, this may indicate a potentially compromised host.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent Impact IN (1,2)
| stats count as TotalDetections values(signature_id) as signature_id
values(signature) as signature
values(rule) as rule
min(_time) as firstTime max(_time) as lastTime
by src dest dest_port transport Impact app impact_desc class_desc MitreAttackGroups InlineResult InlineResultReason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___possibly_compromised_host_filter`
Cisco Secure Firewall - Potential Data Exfiltration
The following analytic detects potentially suspicious large volumes of data sent by the connection initiator on flows from internal to external networks. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs and thresholds on InitiatorBytes (bytes transmitted by the initiator), which for typical inside-initiated client sessions approximates upload or outbound payload from the internal host and avoids flagging large downloads where most bytes appear in ResponderBytes. Connections where the initiator sent at least 100 MB are flagged, as these may indicate unauthorized data exfiltration, especially if associated with unusual users, hosts, or processes. This analytic is scoped to inside-to-outside flows using a macro (cisco_secure_firewall_inside_to_outside) to abstract environment-specific zone definitions. If confirmed malicious, this behavior may reflect data staging and exfiltration over an encrypted or stealthy transport.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent `cisco_secure_firewall_inside_to_outside`
| eval initiator_mb = round(InitiatorBytes / 1024 / 1024, 2)
| where initiator_mb >= 100
| eval Potentially_Exfiltrated = initiator_mb + " MB"
| stats min(_time) as firstTime max(_time) as lastTime
values(url) as url
values(rule) as rule
values(dest_port) as dest_port
by src, dest, Potentially_Exfiltrated, transport, action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___potential_data_exfiltration_filter`
Cisco Secure Firewall - Privileged Command Execution via HTTP
This analytic detects HTTP requests to privileged execution paths on Cisco routers, specifically targeting the `/level/15/exec/-/*` endpoint using Cisco Secure Firewall Intrusion Events.
This detection leverages Snort signature 65370 to identify requests to these sensitive endpoints, which when combined with other indicators may signal active exploitation or post-compromise activity.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65370
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___privileged_command_execution_via_http_filter`
Cisco Secure Firewall - Rare Snort Rule Triggered
This analytic identifies Snort signatures that have triggered only once in the past 7 days across all Cisco Secure Firewall IntrusionEvent logs. While these rules typically do not trigger in day-to-day network activity, their sudden appearance may indicate early-stage compromise, previously unseen malware, or reconnaissance activity against less commonly exposed services. Investigating these outliers can provide valuable insight into new or low-noise adversary behaviors.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent earliest=-7d
| stats dc(_time) as TriggerCount min(_time) as firstTime max(_time) as lastTime
values(signature) as signature
values(src) as src
values(dest) as dest
values(dest_port) as dest_port
values(transport) as transport
values(app) as app
values(rule) as rule
by signature_id class_desc MitreAttackGroups InlineResult InlineResultReason
| where TriggerCount = 1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___rare_snort_rule_triggered_filter`
Cisco Secure Firewall - React Server Components RCE Attempt
This analytic detects exploitation activity of CVE-2025-55182 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where Snort signature 65554 (React Server Components remote code execution attempt) is triggered.
If confirmed malicious, this behavior could be indicative of a potential exploitation of CVE-2025-55182.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id = 65554
| fillnull
| stats min(_time) as firstTime
max(_time) as lastTime
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___react_server_components_rce_attempt_filter`
Cisco Secure Firewall - Remote Access Software Usage Traffic
The following analytic detects network traffic associated with known remote access software applications that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Cisco Secure Firewall Threat Defense ConnectionEvent logs. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent
| stats min(_time) as firstTime max(_time) as lastTime
values(dest_port) as dest_port
values(dest) as dest
values(transport) as transport
values(url) as url
values(rule) as rule
count by src ClientApplication action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools appName AS ClientApplication OUTPUT category, appDescription as Description
| search category IN ("remote administration", "remote desktop control")
| `remote_access_software_usage_exceptions`
| `cisco_secure_firewall___remote_access_software_usage_traffic_filter`
Cisco Secure Firewall - Repeated Blocked Connections
The following analytic detects repeated blocked connection attempts from the same initiator to the same responder within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies connections where the action is set to Block, and the number of occurrences reaches or exceeds a threshold of ten within a one-minute span. This pattern may indicate a misconfigured application, unauthorized access attempts, or early stages of a brute-force or scanning operation. If confirmed malicious, this behavior may represent an attacker probing the network, attempting lateral movement, or testing firewall rules for weaknesses.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent action IN ("Block with reset", "Block", "blocked")
| bin _time span=1m
| stats count min(_time) as firstTime max(_time) as lastTime
Values(dest_port) as dest_port
Values(url) as url
by src, dest, transport, rule, action
| where count >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___repeated_blocked_connections_filter`
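The detection above counts blocked connections per (src, dest, transport, rule, action) inside fixed one-minute bins. The following Python is an added example, not ESCU content: it runs the same logic over a handful of constructed ConnectionEvents (the hosts, rule names and timestamps are made up) and adds a sliding-window variant to show the one case the tumbling `bin` misses, namely ten blocks that straddle a minute boundary.

```python
from collections import Counter, defaultdict

BLOCK_ACTIONS = {"Block with reset", "Block", "blocked"}   # action IN (...) in the SPL
SPAN_SECONDS = 60                                         # bin _time span=1m
THRESHOLD = 10                                            # where count >= 10

# Constructed sample ConnectionEvents; these are not real Cisco Secure Firewall records.
_BASE = 1_699_999_980   # epoch seconds, chosen to sit exactly on a 60-second boundary

def _event(t, src, dest, action="Block", rule="Deny-RDP", transport="tcp", dest_port=3389):
    return {"_time": t, "EventType": "ConnectionEvent", "src": src, "dest": dest,
            "dest_port": dest_port, "transport": transport, "rule": rule, "action": action}

SAMPLE_EVENTS = (
    # 12 blocks inside one minute: fires
    [_event(_BASE + i, "10.1.1.5", "10.2.2.9") for i in range(1, 13)]
    # 10 blocks straddling the minute boundary (5 before, 5 after): tumbling bins do not fire
    + [_event(_BASE + 55 + i, "10.1.1.6", "10.2.2.9") for i in range(10)]
    # allowed traffic is dropped by the action filter regardless of volume
    + [_event(_BASE + i, "10.1.1.7", "10.2.2.9", action="Allow") for i in range(11)]
    # same src/dest but a different rule is a separate group key
    + [_event(_BASE + i, "10.1.1.5", "10.2.2.9", rule="Deny-SMB", dest_port=445) for i in range(3)]
)

def _group_key(ev):
    # the `by src, dest, transport, rule, action` clause
    return (ev["src"], ev["dest"], ev["transport"], ev["rule"], ev["action"])

def _blocked(events):
    return [ev for ev in events
            if ev["EventType"] == "ConnectionEvent" and ev["action"] in BLOCK_ACTIONS]

def tumbling_window_alerts(events, span=SPAN_SECONDS, threshold=THRESHOLD):
    """Mirror the SPL: bucket with bin, count per (bucket, key), keep groups at or above the threshold."""
    counts, first, last, ports = Counter(), {}, {}, defaultdict(set)
    for ev in _blocked(events):
        key = (ev["_time"] - ev["_time"] % span,) + _group_key(ev)
        counts[key] += 1
        first[key] = min(first.get(key, ev["_time"]), ev["_time"])
        last[key] = max(last.get(key, ev["_time"]), ev["_time"])
        ports[key].add(ev["dest_port"])
    return [
        {"src": k[1], "dest": k[2], "transport": k[3], "rule": k[4], "action": k[5], "count": c,
         "firstTime": first[k], "lastTime": last[k], "dest_port": sorted(ports[k])}
        for k, c in sorted(counts.items()) if c >= threshold
    ]

def sliding_window_alerts(events, span=SPAN_SECONDS, threshold=THRESHOLD):
    """Variant not on the page: fire when any span-second window holds >= threshold blocks for a key.

    This catches the burst that straddles a bin boundary, at the cost of keeping per-key timestamps."""
    times = defaultdict(list)
    for ev in _blocked(events):
        times[_group_key(ev)].append(ev["_time"])
    alerts = []
    for key, ts in times.items():
        ts.sort()
        lo = 0
        for hi, t in enumerate(ts):
            while t - ts[lo] >= span:        # keep only timestamps inside (t - span, t]
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append({"src": key[0], "dest": key[1], "rule": key[3],
                               "count": hi - lo + 1, "firstTime": ts[lo], "lastTime": t})
                break                        # one alert per key is enough here
    return alerts

if __name__ == "__main__":
    for a in tumbling_window_alerts(SAMPLE_EVENTS):
        print("tumbling:", a)
    for a in sliding_window_alerts(SAMPLE_EVENTS):
        print("sliding: ", a)
```

Run as a script it prints one tumbling-window alert (10.1.1.5, count 12) and two sliding-window alerts. The boundary case is the practical point: a ten-per-minute threshold on `bin` fires only when all ten land in the same clock minute, so either accept that or lower the threshold slightly when the minute is the only window you have.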
Cisco Secure Firewall - Repeated Malware Downloads
The following analytic detects repeated malware file downloads initiated by the same internal host (src) within a short time window. It leverages Cisco Secure Firewall Threat Defense logs and identifies `FileEvent` events with a `SHA_Disposition` of "Malware" and `FileDirection` set to "Download". If ten or more such events occur from the same host within five minutes, this analytic will trigger. This activity may indicate the host is compromised and repeatedly retrieving malicious content either due to command-and-control, malware staging, or automation. If confirmed malicious, this behavior may represent an infection in progress, persistence mechanism, or a malicious downloader.
Show query
`cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
| lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
| bin _time span=5m
| stats count min(_time) as firstTime max(_time) as lastTime
values(uri) as uri
values(ClientApplication) as ClientApplication
values(app) as app
values(file_hash) as file_hash
values(SHA_Disposition) as SHA_Disposition
values(file_name) as file_name
values(ThreatName) as ThreatName
values(dest) as dest
values(dest_port) as dest_port
by src FileDirection FileType Description
| where count >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| table firstTime lastTime src dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
| `cisco_secure_firewall___repeated_malware_downloads_filter`
Cisco Secure Firewall - SSH Connection to Non-Standard Port
This analytic detects inbound SSH connections to non-standard ports on network devices using Cisco Secure Firewall Intrusion Events. APT actors have been observed enabling SSH servers on high, non-default TCP ports to maintain encrypted remote access to compromised network infrastructure.
This detection leverages Snort signature 65369 to identify SSH protocol traffic on unusual ports, which may indicate persistence mechanisms or backdoor access established by threat actors.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65369
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_non_standard_port_filter`
Cisco Secure Firewall - SSH Connection to sshd_operns
This analytic detects inbound SSH connections to the sshd_operns service on network devices using Cisco Secure Firewall Intrusion Events.
APT actors have been observed enabling sshd_operns and opening it on non-standard ports to maintain encrypted remote access to compromised network infrastructure.
This detection leverages Snort signature 65368 to identify connections to this service, which when combined with other indicators may signal persistent access mechanisms established by threat actors.
Show query
`cisco_secure_firewall`
EventType=IntrusionEvent
signature_id=65368
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___ssh_connection_to_sshd_operns_filter`
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts
This analytic identifies Snort intrusion signatures that have been triggered by ten or more distinct internal IP addresses within a one-hour window. It leverages Cisco Secure Firewall Threat Defense logs and focuses on the IntrusionEvent event type to detect activity that may indicate broad targeting or mass exploitation attempts. This behavior is often associated with opportunistic scanning, worm propagation, or automated exploitation of known vulnerabilities across multiple systems. If confirmed malicious, this could represent the early phase of a coordinated attack aiming to gain a foothold on several hosts or move laterally across the environment.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent
| bin _time span=1h
| stats dc(src) as unique_src_ips, values(src) as src
min(_time) as firstTime max(_time) as lastTime
Values(dest) as dest
Values(dest_port) as dest_port
Values(rule) as rule
Values(transport) as transport
Values(app) as app
by signature_id, signature class_desc MitreAttackGroups InlineResult InlineResultReason
| where unique_src_ips >= 10
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___snort_rule_triggered_across_multiple_hosts_filter`
Cisco Secure Firewall - Static Tundra Smart Install Abuse
This analytic detects activity associated with "Static Tundra" threat actor abuse of the Cisco Smart Install (SMI) protocol
using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to
identify occurrences of Smart Install exploitation and protocol abuse, including denial-of-service and buffer overflow
attempts. The detection triggers when multiple Cisco Smart Install-related Snort signatures are observed in a short period from the
same source, which is indicative of active exploitation or reconnaissance against Cisco devices that expose SMI.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (46468, 46096, 41722, 41723, 41724, 41725)
| bin _time span=15m
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(dest) as dest
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by src
| where unique_signature_count >= 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___static_tundra_smart_install_abuse_filter`
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity
This analytic detects exploitation activity of CVE-2023-27532 using Cisco Secure Firewall Intrusion Events.
It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where both Snort signature 61514 (Veeam Backup and Replication credential dump attempt)
and 64795 (Veeam Backup and Replication xp_cmdshell invocation attempt) fire against the same destination within the same 5-minute bin. Signature 64795 covers the use of `xp_cmdshell`, a common post-exploitation technique. Note that the query checks for co-occurrence within a bin, not for strict ordering, and a pair that spans a bin boundary is not matched.
If confirmed malicious, this behavior is highly indicative of a successful exploitation of CVE-2023-27532, followed by remote command execution or credential dumping.
Show query
`cisco_secure_firewall` EventType=IntrusionEvent signature_id IN (61514, 64795)
| bin _time span=5m
| fillnull
| stats dc(signature_id) as unique_signature_count
values(signature_id) as signature_id
values(signature) as signature
values(class_desc) as class_desc
values(MitreAttackGroups) as MitreAttackGroups
values(InlineResult) as InlineResult
values(InlineResultReason) as InlineResultReason
values(src) as src
values(dest_port) as dest_port
values(rule) as rule
values(transport) as transport
values(app) as app
min(_time) as firstTime
max(_time) as lastTime
by dest
| where unique_signature_count = 2
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___veeam_cve_2023_27532_exploitation_activity_filter`
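Both the Static Tundra Smart Install detection and the Veeam detection above use the same shape: `bin`, then `dc(signature_id)` per source or destination, then a threshold on the distinct count. The Python below is an added example (not ESCU code) that runs that logic over constructed IntrusionEvents (the addresses and timestamps are made up; the signature IDs are the ones on the page) and also implements a strict "61514 then 64795 within 5 minutes" check, so the two behaviours can be compared on the reverse-order and bin-boundary cases.

```python
from collections import defaultdict

VEEAM_SIGS = {61514, 64795}                                   # credential dump, xp_cmdshell
SMART_INSTALL_SIGS = {46468, 46096, 41722, 41723, 41724, 41725}

_T = 1_699_999_200   # epoch seconds, aligned to both the 5-minute and 15-minute bins

def _ev(t, src, dest, sig):
    return {"_time": t, "EventType": "IntrusionEvent", "src": src, "dest": dest, "signature_id": sig}

# Constructed sample IntrusionEvents; not real Snort or Secure Firewall data.
SAMPLE_EVENTS = [
    # expected order inside one 5-minute bin: both approaches fire
    _ev(_T + 10, "198.51.100.4", "10.5.5.10", 61514), _ev(_T + 100, "198.51.100.4", "10.5.5.10", 64795),
    # reverse order inside one bin: dc()-per-bin fires, the strict sequence does not
    _ev(_T + 10, "198.51.100.5", "10.5.5.11", 64795), _ev(_T + 200, "198.51.100.5", "10.5.5.11", 61514),
    # 20 seconds apart but across a bin boundary: dc()-per-bin misses it, the strict sequence fires
    _ev(_T + 290, "198.51.100.6", "10.5.5.12", 61514), _ev(_T + 310, "198.51.100.6", "10.5.5.12", 64795),
    # only one of the two signatures, repeated: neither fires
    _ev(_T + 30, "198.51.100.7", "10.5.5.13", 61514), _ev(_T + 60, "198.51.100.7", "10.5.5.13", 61514),
    # Smart Install: two distinct SMI signatures from one source inside 15 minutes
    _ev(_T + 5, "203.0.113.7", "10.9.9.1", 41722), _ev(_T + 700, "203.0.113.7", "10.9.9.2", 46468),
]

def distinct_signatures_per_bin(events, signatures, span, group_by, min_distinct):
    """bin _time span=<span> | stats dc(signature_id) ... by <group_by> | where unique_signature_count >= N"""
    seen = defaultdict(set)
    for ev in events:
        if ev["EventType"] != "IntrusionEvent" or ev["signature_id"] not in signatures:
            continue
        seen[(ev["_time"] - ev["_time"] % span, ev[group_by])].add(ev["signature_id"])
    return sorted((key[1], key[0], sorted(sigs)) for key, sigs in seen.items() if len(sigs) >= min_distinct)

def ordered_sequence(events, first_sig, second_sig, window, group_by="dest"):
    """Strict variant not on the page: first_sig, then second_sig on the same group within `window` seconds."""
    firsts = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        if ev["EventType"] != "IntrusionEvent":
            continue
        if ev["signature_id"] == first_sig:
            firsts[ev[group_by]].append(ev["_time"])
        elif ev["signature_id"] == second_sig:
            if any(0 <= ev["_time"] - t <= window for t in firsts[ev[group_by]]):
                hits.append((ev[group_by], ev["_time"]))
    return hits

def veeam_bin_alerts(events):
    # the page's query: 5-minute bins, by dest, exactly the two signatures present
    return distinct_signatures_per_bin(events, VEEAM_SIGS, 300, "dest", 2)

def veeam_ordered_alerts(events):
    return ordered_sequence(events, 61514, 64795, 300)

def smart_install_alerts(events):
    # the Static Tundra query: 15-minute bins, by src, two or more distinct SMI signatures
    return distinct_signatures_per_bin(events, SMART_INSTALL_SIGS, 900, "src", 2)

if __name__ == "__main__":
    print("veeam (bin):    ", veeam_bin_alerts(SAMPLE_EVENTS))
    print("veeam (ordered):", veeam_ordered_alerts(SAMPLE_EVENTS))
    print("smart install:  ", smart_install_alerts(SAMPLE_EVENTS))
```

The bin-based version and the ordered version each miss one of the constructed cases, which is why the ESCU descriptions should be read as "co-occurrence within a bin" rather than "A followed by B". If ordering matters for triage, run the ordered check in a follow-up search rather than widening the bin.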
Cisco Secure Firewall - Wget or Curl Download
The following analytic detects outbound connections initiated by command-line tools such as curl or wget. It leverages Cisco Secure Firewall Threat Defense logs and identifies allowed connections (action Trust, Allow or allowed) where either the EVE_Process or ClientApplication field indicates use of these utilities. While curl and wget are legitimate tools commonly used for software updates and scripting, adversaries often abuse them to download payloads, retrieve additional tools, or establish staging infrastructure from compromised systems. If confirmed malicious, this behavior may indicate the download phase of an attack chain or a command-and-control utility retrieval.
Show query
`cisco_secure_firewall` EventType=ConnectionEvent action IN ("Trust", "Allow", "allowed") AND
( EVE_Process IN ("*curl*", "*wget*") OR ClientApplication IN ("cURL", "Wget") )
| stats count min(_time) as firstTime max(_time) as lastTime
Values(rule) as rule
Values(url) as url
Values(dest_port) as dest_port
Values(ClientApplicationVersion) as ClientApplicationVersion
Values(src_port) as src_port
by src, dest, transport, EVE_Process, ClientApplication, action
| table src src_port dest dest_port transport url EVE_Process ClientApplication ClientApplicationVersion rule firstTime lastTime
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_secure_firewall___wget_or_curl_download_filter`
Cisco Smart Install Oversized Packet Detection
This analytic detects oversized Cisco Smart Install (SMI) protocol messages by inspecting traffic to TCP port 4786
within the Network_Traffic data model. Abnormally large SMI payloads have been associated with exploitation and
protocol abuse (e.g., CVE-2018-0171; activity reported by the "Static Tundra" threat actor). Monitoring message
sizes over time can help identify possible attempts at remote code execution, denial of service, or reconnaissance
against Cisco devices exposing Smart Install.
Show query
| tstats `security_content_summariesonly`
avg(All_Traffic.packets) as avg_packets,
max(All_Traffic.bytes) as max_bytes
from datamodel=Network_Traffic
where All_Traffic.dest_port=4786 AND All_Traffic.transport=tcp
by All_Traffic.src_ip, All_Traffic.dest_ip, _time span=1h
| `drop_dm_object_name("All_Traffic")`
| where max_bytes > 500
| eval severity=case(max_bytes>1400, "critical", max_bytes>1000, "high", 1=1, "medium")
| `cisco_smart_install_oversized_packet_detection_filter`
Cisco Smart Install Port Discovery and Status
This analytic detects network traffic to TCP port 4786, which is used by the Cisco Smart Install protocol. Smart Install is a plug-and-play configuration and image-management feature that helps customers to deploy Cisco switches. This protocol has been exploited via CVE-2018-0171, a vulnerability that allows unauthenticated remote attackers to execute arbitrary code or cause denial of service conditions. Recently, Cisco Talos reported that a Russian state-sponsored threat actor called "Static Tundra" has been actively exploiting this vulnerability to compromise unpatched and end-of-life network devices. Monitoring for traffic to this port can help identify potential exploitation attempts or unauthorized Smart Install activity.
Show query
| tstats `security_content_summariesonly` count values(All_Traffic.src_ip) as src_ip values(All_Traffic.src_port) as src_port values(All_Traffic.dest_ip) as dest_ip earliest(_time) as firstTime latest(_time) as lastTime FROM datamodel=Network_Traffic
WHERE All_Traffic.dest_port=4786
AND
All_Traffic.transport=tcp
BY All_Traffic.dest_ip All_Traffic.dest_port
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_smart_install_port_discovery_and_status_filter`
Cisco TFTP Server Configuration for Data Exfiltration
This analytic detects the configuration of TFTP services on Cisco IOS devices that could be used to exfiltrate sensitive configuration files. Threat actors like Static Tundra have been observed configuring TFTP servers to make device configuration files accessible for exfiltration after gaining initial access. The detection specifically looks for commands that expose critical configuration files such as startup-config, running-config, and other sensitive system information through TFTP. This activity is particularly concerning as it may represent an attempt to steal credentials, network topology information, and other sensitive data stored in device configurations.
Show query
| tstats `security_content_summariesonly` count values(All_Changes.command) as command min(_time) as firstTime max(_time) as lastTime FROM datamodel=Change.All_Changes
WHERE (
All_Changes.command="*tftp-server*"
)
AND ( All_Changes.command="*nvram:startup-config*" OR All_Changes.command="*bootflash:running-config*" OR All_Changes.command="*system:running-config*" OR All_Changes.command="*bootflash:info*" OR All_Changes.command="*startup-config*" OR All_Changes.command="*running-config*" )
BY All_Changes.dvc All_Changes.user
| `drop_dm_object_name("All_Changes")`
| rename dvc as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cisco_tftp_server_configuration_for_data_exfiltration_filter`
Citrix ADC Exploitation CVE-2023-3519
The following analytic identifies potential exploitation attempts against Citrix ADC related to CVE-2023-3519. It detects POST requests to specific web endpoints associated with this vulnerability by leveraging the Web datamodel.
This activity is significant as CVE-2023-3519 involves a SAML processing overflow issue that can lead to memory corruption, posing a high risk.
If confirmed malicious, attackers could exploit this to execute arbitrary code, escalate privileges, or disrupt services, making it crucial for SOC analysts to monitor and investigate these alerts promptly.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.http_method=POST
Web.url IN (
"*/cgi/logout",
"*/saml/activelogin",
"*/saml/login",
"/cgi/samlart?samlart=*",
"/cgi/samlauth",
"/gwtest/formssso?event=start&target=*",
"/netscaler/ns_gui/vpn/*"
)
BY Web.http_user_agent, Web.status
Web.http_method Web.url Web.url_length
Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_exploitation_cve_2023_3519_filter`
Citrix ADC and Gateway CitrixBleed 2 Memory Disclosure
This detection identifies potential exploitation attempts of CVE-2025-5777 (CitrixBleed 2), a memory disclosure vulnerability in Citrix NetScaler ADC and Gateway.
The vulnerability is triggered by sending POST requests with incomplete form data to the /p/u/doAuthentication.do endpoint, causing the device to leak memory contents including session tokens and authentication materials.
This search looks for POST requests to the vulnerable endpoint that may indicate scanning or exploitation attempts.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where
Web.url IN ("*/p/u/doAuthentication.do*")
Web.http_method="POST"
Web.status=200
by Web.http_user_agent, Web.status, Web.http_method,
Web.url, Web.url_length, Web.src, Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_citrixbleed_2_memory_disclosure_filter`
Citrix ADC and Gateway Unauthorized Data Disclosure
The following analytic detects attempts to exploit the Citrix Bleed vulnerability (CVE-2023-4966), which can lead to the leaking of session tokens. It identifies HTTP requests with a 200 status code targeting the /oauth/idp/.well-known/openid-configuration URL endpoint. By parsing web traffic and filtering based on user agent details, HTTP method, source and destination IPs, and sourcetype, it aims to identify potentially malicious requests. This activity is significant for a SOC because successful exploitation can allow attackers to impersonate legitimate users, bypass authentication, and access sensitive data. If confirmed malicious, it could lead to unauthorized data access, network propagation, and critical information exfiltration.
Show query
| tstats count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Web
WHERE Web.url IN ("*/oauth/idp/.well-known/openid-configuration*") Web.status=200
BY Web.http_user_agent, Web.status Web.http_method,
Web.url, Web.url_length, Web.src,
Web.dest, sourcetype
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_adc_and_gateway_unauthorized_data_disclosure_filter`
Citrix ShareFile Exploitation CVE-2023-24489
The following analytic detects potentially malicious file upload attempts to Citrix ShareFile via specific suspicious URLs and the HTTP POST method. It leverages the Web datamodel to identify URL patterns such as "/documentum/upload.aspx?parentid=", "/documentum/upload.aspx?filename=", and "/documentum/upload.aspx?uploadId=*", combined with an "unzip=" or "raw=" parameter and the HTTP POST method. This activity is significant for a SOC as it may indicate an attempt to upload harmful scripts or content to the ShareFile storage zones controller that serves the /documentum/ path. If confirmed malicious, this could lead to unauthorized access, data breaches, and operational disruptions.
Show query
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
FROM datamodel=Web WHERE
Web.url="*/documentum/upload.aspx?*"
Web.url IN (
"*parentid=*",
"*filename=*",
"*uploadId=*"
)
Web.url IN (
"*unzip=*",
"*raw=*"
)
Web.http_method=POST
BY Web.http_user_agent Web.status Web.http_method
Web.url Web.url_length Web.src Web.dest
| `drop_dm_object_name("Web")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `citrix_sharefile_exploitation_cve_2023_24489_filter`
Clear Unallocated Sector Using Cipher App
The following analytic detects the execution of `cipher.exe` with the `/w` flag to clear unallocated sectors on a disk. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names, command-line arguments, and parent processes. This activity is significant because it is a technique used by ransomware to prevent forensic recovery of deleted files. If confirmed malicious, this action could hinder incident response efforts by making it impossible to recover critical data, thereby complicating the investigation and remediation process.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name = "cipher.exe" Processes.process = "*/w:*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `clear_unallocated_sector_using_cipher_app_filter`
Clop Common Exec Parameter
The following analytic identifies the execution of CLOP ransomware variants using specific arguments ("runrun" or "temp.dat") to trigger their malicious activities. This detection leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and command-line arguments. Monitoring this activity is crucial as it indicates potential ransomware behavior, which can lead to file encryption on network shares or local machines. If confirmed malicious, this activity could result in significant data loss and operational disruption due to encrypted files, highlighting the need for immediate investigation and response.
Show query
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
WHERE Processes.process_name != "*temp.dat*" Processes.process = "*runrun*"
OR
Processes.process = "*temp.dat*"
BY Processes.action Processes.dest Processes.original_file_name
Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
Processes.process Processes.process_exec Processes.process_guid
Processes.process_hash Processes.process_id Processes.process_integrity_level
Processes.process_name Processes.process_path Processes.user
Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `clop_common_exec_parameter_filter`
Clop Ransomware Known Service Name
The following analytic identifies the creation of a service with a known name used by CLOP ransomware for persistence and high-privilege code execution. It detects this activity by monitoring Windows Event Logs (EventCode 7045) for specific service names ("SecurityCenterIBM", "WinCheckDRVs"). This activity is significant because the creation of such services is a common tactic used by ransomware to maintain control over infected systems. If confirmed malicious, this could allow attackers to execute code with elevated privileges, maintain persistence, and potentially disrupt or encrypt critical data.
Show query
`wineventlog_system` EventCode=7045 ServiceName IN ("SecurityCenterIBM", "WinCheckDRVs")
| stats count min(_time) as firstTime max(_time) as lastTime
BY Computer EventCode ServiceName
StartType ServiceType
| rename Computer as dest
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `clop_ransomware_known_service_name_filter`
Cloud API Calls From Previously Unseen User Roles
The following analytic detects cloud API calls executed by user roles that have not previously run these commands. It leverages the Change data model in Splunk to identify commands executed by users with the user_type of AssumedRole and a status of success. This activity is significant because new commands from different user roles can indicate potential malicious activity or unauthorized actions. If confirmed malicious, this behavior could lead to unauthorized access, data breaches, or other damaging outcomes by exploiting new or unmonitored commands within the cloud environment.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime FROM datamodel=Change
WHERE All_Changes.user_type=AssumedRole
AND
All_Changes.status=success
BY All_Changes.user, All_Changes.command All_Changes.object
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_api_calls_per_user_role user as user, command as command OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUserApiCall=min(firstTimeSeen)
| where isnull(firstTimeSeenUserApiCall) OR firstTimeSeenUserApiCall > relative_time(now(),"-24h@h")
| table firstTime, user, object, command
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cloud_api_calls_from_previously_unseen_user_roles_filter`
Cloud Compute Instance Created By Previously Unseen User
The following analytic identifies the creation of cloud compute instances by users who have not previously created them. It leverages data from the Change data model, focusing on 'create' actions by users, and cross-references with a baseline of known user activities. This activity is significant as it may indicate unauthorized access or misuse of cloud resources by new or compromised accounts. If confirmed malicious, attackers could deploy unauthorized compute instances, leading to potential data exfiltration, increased costs, or further exploitation within the cloud environment.
Show query
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object) as dest FROM datamodel=Change
WHERE All_Changes.action=created
BY All_Changes.user All_Changes.vendor_region
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_compute_creations_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_by_previously_unseen_user_filter`
Cloud Compute Instance Created In Previously Unused Region
The following analytic detects the creation of a cloud compute instance in a region that has not been previously used. It leverages the Change data model and compares the vendor_region of newly created instances against a lookup of historically used regions, alerting when the region has no baseline entry or was first seen within the last 24 hours. This activity is significant because the creation of instances in new regions can indicate unauthorized or suspicious activity, such as an attacker attempting to evade detection or establish a foothold in a less monitored area. If confirmed malicious, this could lead to unauthorized resource usage, data exfiltration, or further compromise of the cloud environment.
Show query
| tstats earliest(_time) as firstTime latest(_time) as lastTime values(All_Changes.object_id) as dest, count FROM datamodel=Change
WHERE All_Changes.action=created
BY All_Changes.vendor_region, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_regions vendor_region as vendor_region OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenRegion=min(firstTimeSeen)
| where isnull(firstTimeSeenRegion) OR firstTimeSeenRegion > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count , vendor_region
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_in_previously_unused_region_filter`
Cloud Compute Instance Created With Previously Unseen Image
The following analytic detects the creation of cloud compute instances using previously unseen image IDs. It leverages cloud infrastructure logs to identify new image IDs that have not been observed before. This activity is significant because it may indicate unauthorized or suspicious activity, such as the deployment of malicious payloads or unauthorized access to sensitive information. If confirmed malicious, this could lead to data breaches, unauthorized access, or further compromise of the cloud environment. Immediate investigation is required to determine the legitimacy of the instance creation and to mitigate potential threats.
Show query
| tstats count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as dest FROM datamodel=Change
WHERE All_Changes.action=created
BY All_Changes.Instance_Changes.image_id, All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where image_id != "unknown"
| lookup previously_seen_cloud_compute_images image_id as image_id OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenImage=min(firstTimeSeen)
| where isnull(firstTimeSeenImage) OR firstTimeSeenImage > relative_time(now(), "-24h@h")
| table firstTime, user, image_id, count, dest
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_image_filter`
Cloud Compute Instance Created With Previously Unseen Instance Type
The following analytic detects the creation of cloud compute instances (for example EC2) with previously unseen instance types.
It leverages Splunk's tstats command to analyze data from the Change data model, identifying instance types that have not been previously recorded.
This activity is significant for a SOC because it may indicate unauthorized or suspicious activity, such as an attacker attempting to create instances for malicious purposes.
If confirmed malicious, this could lead to unauthorized access, data exfiltration, system compromise, or service disruption. Immediate investigation is required to determine the legitimacy of the instance creation.
Show query
| tstats count earliest(_time) as firstTime
latest(_time) as lastTime
values(All_Changes.object_id) as dest
FROM datamodel=Change WHERE
All_Changes.action=created
BY All_Changes.Instance_Changes.instance_type All_Changes.user
| `drop_dm_object_name("All_Changes")`
| `drop_dm_object_name("Instance_Changes")`
| where instance_type != "unknown"
| lookup previously_seen_cloud_compute_instance_types instance_type as instance_type OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenInstanceType=min(firstTimeSeen)
| where isnull(firstTimeSeenInstanceType) OR firstTimeSeenInstanceType > relative_time(now(), "-24h@h")
| table firstTime, user, dest, count, instance_type
| `security_content_ctime(firstTime)`
| `cloud_compute_instance_created_with_previously_unseen_instance_type_filter`
Cloud Instance Modified By Previously Unseen User
The following analytic identifies cloud instances being modified by users who have not previously modified them. It leverages data from the Change data model, focusing on successful modifications of EC2 instances. This activity is significant because it can indicate unauthorized or suspicious changes by potentially compromised or malicious users. If confirmed malicious, this could lead to unauthorized access, configuration changes, or potential disruption of cloud services, posing a significant risk to the organization's cloud infrastructure.
Show query
| tstats `security_content_summariesonly` count earliest(_time) as firstTime, latest(_time) as lastTime values(All_Changes.object_id) as object_id values(All_Changes.command) as command FROM datamodel=Change
WHERE All_Changes.action=modified All_Changes.change_type=EC2 All_Changes.status=success
BY All_Changes.user
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_instance_modifications_by_user user as user OUTPUTNEW firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenUser=min(firstTimeSeen)
| where isnull(firstTimeSeenUser) OR firstTimeSeenUser > relative_time(now(), "-24h@h")
| table firstTime user command object_id count
| `security_content_ctime(firstTime)`
| `cloud_instance_modified_by_previously_unseen_user_filter`
Cloud Provisioning Activity From Previously Unseen City
The following analytic detects cloud provisioning activities originating from previously unseen cities. It leverages cloud infrastructure logs and compares the geographic location of the source IP address against a baseline of known locations. This activity is significant as it may indicate unauthorized access or misuse of cloud resources from an unexpected location. If confirmed malicious, this could lead to unauthorized resource creation, potential data exfiltration, or further compromise of cloud infrastructure.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime FROM datamodel=Change
WHERE (
All_Changes.action=started
OR
All_Changes.action=created
)
All_Changes.status=success
BY All_Changes.src, All_Changes.user, All_Changes.object,
All_Changes.command
| `drop_dm_object_name("All_Changes")`
| iplocation src
| where isnotnull(City)
| lookup previously_seen_cloud_provisioning_activity_sources City as City OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenCity=min(firstTimeSeen)
| where isnull(firstTimeSeenCity) OR firstTimeSeenCity > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`)
| `security_content_ctime(firstTime)`
| table firstTime, src, City, user, object, command
| `cloud_provisioning_activity_from_previously_unseen_city_filter`
Cloud Provisioning Activity From Previously Unseen Country
The following analytic detects cloud provisioning activity (successful created or started actions in the Change data model) originating from previously unseen countries. It resolves the source IP to a Country with iplocation and compares it against the previously_seen_cloud_provisioning_activity_sources lookup, reporting countries that are absent from the lookup or first seen within the lookback window. Note that this query hard-codes a 24-hour lookback ("-24h@h") where the City and IP address variants use the `previously_unseen_cloud_provisioning_activity_window` macro; align them if you tune the window. Events whose source IP cannot be geolocated are dropped by the isnotnull(Country) filter, and nothing is returned until the lookup reports enough_data=1. This activity is significant as it may indicate unauthorized access or potential compromise of cloud resources. If confirmed malicious, an attacker could gain control over cloud assets, leading to data breaches, service disruptions, or further infiltration into the network.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime FROM datamodel=Change
WHERE (
All_Changes.action=started
OR
All_Changes.action=created
)
All_Changes.status=success
BY All_Changes.src, All_Changes.user, All_Changes.object,
All_Changes.command
| `drop_dm_object_name("All_Changes")`
| iplocation src
| where isnotnull(Country)
| lookup previously_seen_cloud_provisioning_activity_sources Country as Country OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenCountry=min(firstTimeSeen)
| where isnull(firstTimeSeenCountry) OR firstTimeSeenCountry > relative_time(now(), "-24h@h")
| `security_content_ctime(firstTime)`
| table firstTime, src, Country, user, object, command
| `cloud_provisioning_activity_from_previously_unseen_country_filter`
Cloud Provisioning Activity From Previously Unseen IP Address
The following analytic detects cloud provisioning activity (successful created or started actions in the Change data model) originating from previously unseen source IP addresses. It groups events by src, user and command, and compares each src against the previously_seen_cloud_provisioning_activity_sources lookup, reporting addresses that are absent from the lookup or first seen within the `previously_unseen_cloud_provisioning_activity_window` lookback. Unlike the City and Country variants it needs no geolocation, so private or otherwise unlocatable sources are still evaluated; nothing is returned until the lookup reports enough_data=1. This activity is significant as it may indicate unauthorized access or potential misuse of cloud resources. If confirmed malicious, an attacker could gain unauthorized control over cloud resources, leading to data breaches, service disruptions, or increased operational costs.
Show query
| tstats earliest(_time) as firstTime, latest(_time) as lastTime, values(All_Changes.object_id) as object_id FROM datamodel=Change
WHERE (
All_Changes.action=started
OR
All_Changes.action=created
)
All_Changes.status=success
BY All_Changes.src, All_Changes.user, All_Changes.command
| `drop_dm_object_name("All_Changes")`
| lookup previously_seen_cloud_provisioning_activity_sources src as src OUTPUT firstTimeSeen, enough_data
| eventstats max(enough_data) as enough_data
| where enough_data=1
| eval firstTimeSeenSrc=min(firstTimeSeen)
| where isnull(firstTimeSeenSrc) OR firstTimeSeenSrc > relative_time(now(), `previously_unseen_cloud_provisioning_activity_window`)
| `security_content_ctime(firstTime)`
| table firstTime, src, user, object_id, command
| `cloud_provisioning_activity_from_previously_unseen_ip_address_filter`
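The four "previously unseen" analytics above (user, City, Country, IP address) share one pipeline: filter the Change data model to successful events, group by the key of interest, join the key against a baseline lookup that carries firstTimeSeen and enough_data, suppress everything until enough_data=1, and report keys that are absent from the baseline or first seen inside the lookback window. The Python below is an added illustration of that logic, not Splunk ESCU code; it runs the same four checks over constructed events and a constructed baseline. Every IP, city, user, instance ID and timestamp is made up, and the City/Country fields stand in for what `iplocation src` would add (None models an address that does not geolocate).

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (the SPL uses now()).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed Change-data-model events, normalized to the fields the SPL groups on.
# City/Country are assumed iplocation results; None means the src did not geolocate.
EVENTS = [
    {"_time": NOW - timedelta(hours=2), "action": "created", "status": "success",
     "change_type": "EC2", "user": "ci-deployer", "src": "203.0.113.10",
     "City": "Dublin", "Country": "Ireland", "object": "i-0a1b2c3d4e5f67890",
     "command": "RunInstances"},
    {"_time": NOW - timedelta(hours=1), "action": "started", "status": "success",
     "change_type": "EC2", "user": "jdoe", "src": "198.51.100.7",
     "City": "Lagos", "Country": "Nigeria", "object": "i-0ffee123456789abc",
     "command": "StartInstances"},
    {"_time": NOW - timedelta(minutes=30), "action": "modified", "status": "success",
     "change_type": "EC2", "user": "jdoe", "src": "198.51.100.7",
     "City": "Lagos", "Country": "Nigeria", "object": "i-0ffee123456789abc",
     "command": "ModifyInstanceAttribute"},
    {"_time": NOW - timedelta(minutes=20), "action": "created", "status": "success",
     "change_type": "EC2", "user": "ci-deployer", "src": "10.20.30.40",
     "City": None, "Country": None, "object": "i-0aaaa111122223333",
     "command": "RunInstances"},
    {"_time": NOW - timedelta(minutes=10), "action": "created", "status": "failure",
     "change_type": "EC2", "user": "intruder", "src": "192.0.2.99",
     "City": "Tallinn", "Country": "Estonia", "object": "i-0deadbeef00000000",
     "command": "RunInstances"},
]

# Constructed baseline, playing the role of the previously_seen_* lookups:
# firstTimeSeen per key value, plus the enough_data maturity flag.
BASELINE = {
    "enough_data": True,
    "src": {"203.0.113.10": NOW - timedelta(days=30)},
    "City": {"Dublin": NOW - timedelta(days=30), "Lagos": NOW - timedelta(hours=3)},
    "Country": {"Ireland": NOW - timedelta(days=30), "Nigeria": NOW - timedelta(hours=3)},
    "user": {"ci-deployer": NOW - timedelta(days=30)},
}

PROVISIONING = {"created", "started"}


def previously_unseen(events, baseline, key, actions, window=timedelta(hours=24),
                      change_type=None, now=NOW):
    """Return {key_value: summary} for key values absent from the baseline or
    first seen inside the lookback window. Mirrors the SPL stages:
    tstats filter -> BY key -> lookup -> where enough_data=1 -> firstTimeSeen test."""
    # `where enough_data=1`: an immature baseline suppresses every result.
    if not baseline.get("enough_data"):
        return {}
    groups = {}
    for ev in events:
        if ev["status"] != "success" or ev["action"] not in actions:
            continue
        if change_type is not None and ev.get("change_type") != change_type:
            continue
        value = ev.get(key)
        if value is None:  # `where isnotnull(City)`: drop events iplocation could not place
            continue
        g = groups.setdefault(value, {"firstTime": ev["_time"], "count": 0,
                                      "users": set(), "commands": set(), "objects": set()})
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["count"] += 1
        g["users"].add(ev["user"])
        g["commands"].add(ev["command"])
        g["objects"].add(ev["object"])
    # relative_time(now(), "-24h@h"): subtract the window, then snap down to the hour.
    cutoff = (now - window).replace(minute=0, second=0, microsecond=0)
    seen = baseline.get(key, {})
    return {v: g for v, g in groups.items() if v not in seen or seen[v] > cutoff}


def run_all(events=EVENTS, baseline=BASELINE):
    """Run the four analytics from this page over the sample data."""
    return {
        "unseen_user": previously_unseen(events, baseline, "user", {"modified"}, change_type="EC2"),
        "unseen_city": previously_unseen(events, baseline, "City", PROVISIONING),
        "unseen_country": previously_unseen(events, baseline, "Country", PROVISIONING),
        "unseen_src": previously_unseen(events, baseline, "src", PROVISIONING),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(name, sorted(hits))
```

Two behaviours worth noticing when tuning the real searches: Lagos and Nigeria are in the baseline yet still alert, because the SPL also fires on keys whose firstTimeSeen falls inside the window (the baseline search typically runs before the detection and would otherwise mask brand-new values), and the unlocatable 10.20.30.40 source is invisible to the City and Country analytics but caught by the IP address one, which is why the three are deployed together.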