Network Detections

Name	Data Source	Technique	Type	Analytic Story	Date
Prohibited Network Traffic Allowed	Cisco Secure Firewall Threat Defense Connection Event	T1048	TTP	Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Ransomware, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
3CX Supply Chain Attack Network Indicators	Sysmon EventID 22	T1195.002	TTP	3CX Supply Chain Attack	2026-05-13
Windows Multi hop Proxy TOR Website Query	Sysmon EventID 22	T1071.003	Anomaly	AgentTesla, Interlock Ransomware	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Correlation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Internal Horizontal Port Scan NMAP Top 20	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP RMM User Agent	Suricata	T1071.001 T1219	Anomaly	Remote Monitoring and Management Software, Suspicious User Agents	2026-05-13
Windows Remote Desktop Network Bruteforce Attempt	Sysmon EventID 3, Cisco Secure Access Firewall	T1110.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Cisco Secure Access Analytics, SamSam Ransomware, Ryuk Ransomware, Compromised User Account	2026-05-13
HTTP Malware User Agent	Suricata	T1071.001	TTP	Meduza Stealer, Crypto Stealer, Suspicious User Agents, Lumma Stealer, RedLine Stealer, Lokibot	2026-05-13
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
DNS Query Length With High Standard Deviation	Sysmon EventID 22	T1048.003	Anomaly	Command And Control, Suspicious DNS Traffic, Hidden Cobra Malware	2026-05-13
Wermgr Process Connecting To IP Check Web Services	Sysmon EventID 22	T1590.005	TTP	Trickbot	2026-05-13
Cisco SD-WAN - Peering Activity	Cisco SD-WAN NTCE 1000001	T1190	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
Cisco Secure Firewall - Bits Network Activity	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Remote Desktop Network Traffic	Zeek Conn	T1021.001	Anomaly	Windows RDP Artifacts and Defense Evasion, Ryuk Ransomware, SamSam Ransomware, Active Directory Lateral Movement, Hidden Cobra Malware	2026-05-13
Cisco Privileged Account Creation with HTTP Command Execution		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP C2 Framework User Agent	Suricata	T1071.001	TTP	Brute Ratel C4, BishopFox Sliver Adversary Emulation Framework, Cobalt Strike, Suspicious User Agents, Malicious PowerShell, Tuoni, Meterpreter, Spearphishing Attachments	2026-05-13
Detect Remote Access Software Usage DNS	Sysmon EventID 22	T1219	Anomaly	CISA AA24-241A, Ransomware, Insider Threat, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Interlock Ransomware	2026-05-13
Cisco Secure Firewall - Blocked Connection	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Large ICMP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall	T1095	TTP	Cisco Secure Access Analytics, Command And Control, Backdoor Pingpong, China-Nexus Threat Activity	2026-05-13
Cisco Secure Firewall - Privileged Command Execution via HTTP	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1505.003	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
HTTP PUA User Agent	Suricata	T1071.001	Anomaly	Local Privilege Escalation With KrbRelayUp, BlackSuit Ransomware, Suspicious User Agents, Cactus Ransomware	2026-05-13
Cisco Secure Firewall - React Server Components RCE Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	React2Shell	2026-05-13
Cisco Secure Firewall - Intrusion Events by Threat Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	ArcaneDoor, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Communication Over Suspicious Ports	Cisco Secure Firewall Threat Defense Connection Event	T1021 T1055 T1059.001 T1105 T1219 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect DNS Query to Decommissioned S3 Bucket	Sysmon EventID 22	T1485	Anomaly	Data Destruction, AWS S3 Bucket Security Monitoring	2026-05-13
Detect ARP Poisoning	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Internal Horizontal Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Repeated Blocked Connections	Cisco Secure Firewall Threat Defense Connection Event	T1018 T1046 T1110 T1203 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Smart Install Oversized Packet Detection	Splunk Stream TCP	T1190	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Smart Install Port Discovery and Status	Splunk Stream TCP	T1190	TTP	Scattered Lapsus$ Hunters, Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Potential Data Exfiltration	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1048.003 T1567.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
TOR Traffic	Palo Alto Network Traffic, Cisco Secure Firewall Threat Defense Connection Event	T1090.003	TTP	Ransomware, Interlock Ransomware, Command And Control, Prohibited Traffic Allowed or Protocol Mismatch, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco TFTP Server Configuration for Data Exfiltration	Cisco IOS Logs	T1005 T1567	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Zeek x509 Certificate with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Cisco SD-WAN - Arbitrary File Overwrite Exploitation Activity	Cisco SD-WAN Service Proxy Access Logs	T1190	TTP	Cisco Catalyst SD-WAN Analytics	2026-05-13
SSL Certificates with Punycode		T1573	Hunting	OpenSSL CVE-2022-3602	2026-05-13
Detect Software Download To Network Device		T1542.005	TTP	Router and Infrastructure Security	2026-05-13
Cisco SD-WAN - Low Frequency Rogue Peer	Cisco SD-WAN NTCE 1000001	T1190	Anomaly	Cisco Catalyst SD-WAN Analytics	2026-05-13
Detect Zerologon via Zeek		T1190	TTP	Rhysida Ransomware, Black Basta Ransomware, Detect Zerologon Attack	2026-05-13
Detect SNICat SNI Exfiltration		T1041	TTP	Data Exfiltration	2026-05-13
Cisco Secure Firewall - Remote Access Software Usage Traffic	Cisco Secure Firewall Threat Defense Connection Event	T1219	Anomaly	Ransomware, Insider Threat, Interlock Ransomware, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Protocols passing authentication in cleartext	Cisco Secure Firewall Threat Defense Connection Event	N/A	Anomaly	Scattered Lapsus$ Hunters, Use of Cleartext Protocols, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
F5 BIG-IP iControl REST Vulnerability CVE-2022-1388	Palo Alto Network Threat	T1133 T1190	TTP	F5 BIG-IP Vulnerability CVE-2022-1388, CISA AA24-241A	2026-05-13
Cisco Secure Firewall - Malware File Downloaded	Cisco Secure Firewall Threat Defense File Event	T1105 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Internal Vulnerability Scan		T1046 T1595.002	TTP	Scattered Lapsus$ Hunters, Network Discovery	2026-05-13
Windows DNS Query Request by Telegram Bot API	Sysmon EventID 22	T1071.004 T1102.002	Anomaly	Crypto Stealer, 0bj3ctivity Stealer, BlankGrabber Stealer, VIP Keylogger	2026-05-13
Cisco Secure Firewall - Static Tundra Smart Install Abuse	Cisco Secure Firewall Threat Defense Intrusion Event	T1190 T1210 T1499	TTP	Cisco Smart Install Remote Code Execution CVE-2018-0171, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Suspicious Process With Discord DNS Query	Sysmon EventID 22	T1059.005	Anomaly	WhisperGate, PXA Stealer, Cactus Ransomware, Data Destruction, BlankGrabber Stealer	2026-05-13
Cisco Configuration Archive Logging Analysis	Cisco IOS Logs	T1098 T1505.003 T1685	Hunting	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1573.002 T1587.002 T1588.004	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Rundll32 DNSQuery	Sysmon EventID 22	T1218.011	TTP	Living Off The Land, IcedID	2026-05-13
Detect Remote Access Software Usage Traffic	Palo Alto Network Traffic	T1219	Anomaly	Ransomware, Insider Threat, Scattered Lapsus$ Hunters, Remote Monitoring and Management Software, Command And Control, Scattered Spider, Interlock Ransomware	2026-05-13
Cisco Secure Firewall - Citrix NetScaler Memory Overread Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203	TTP	Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Privileged Account Creation with Suspicious SSH Activity		T1021.004 T1078 T1136	Correlation	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Rogue DHCP Server	Cisco IOS Logs	T1200 T1498 T1557	TTP	Scattered Lapsus$ Hunters, Router and Infrastructure Security	2026-05-13
Cisco Secure Firewall - Lumma Stealer Download Attempt	Cisco Secure Firewall Threat Defense Intrusion Event	T1041 T1573.002	Anomaly	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - High Priority Intrusion Classification	Cisco Secure Firewall Threat Defense Intrusion Event	T1003 T1071 T1078 T1190 T1203	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Rare Snort Rule Triggered	Cisco Secure Firewall Threat Defense Intrusion Event	T1583.006 T1598	Hunting	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Gather Victim Network Info Through Ip Check Web Services	Sysmon EventID 22	T1590.005	Anomaly	Water Gamayun, Snake Keylogger, Meduza Stealer, Castle RAT, Handala Wiper, VIP Keylogger, PXA Stealer, Void Manticore, 0bj3ctivity Stealer, Quasar RAT, Azorult, Phemedrone Stealer, DarkCrystal RAT, BlankGrabber Stealer	2026-05-13
Internal Vertical Port Scan	AWS CloudWatchLogs VPCflow, Cisco Secure Firewall Threat Defense Connection Event	T1046	TTP	Scattered Lapsus$ Hunters, China-Nexus Threat Activity, Network Discovery, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco IOS Suspicious Privileged Account Creation	Cisco IOS Logs	T1078 T1136	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Suspicious Process DNS Query Known Abuse Web Services	Sysmon EventID 22	T1059.005	TTP	WhisperGate, Braodo Stealer, Meduza Stealer, Phemedrone Stealer, PXA Stealer, Malicious Inno Setup Loader, Data Destruction, Cactus Ransomware, Remcos, Snake Keylogger, BlankGrabber Stealer, RedLine Stealer	2026-05-13
Cisco Secure Firewall - High EVE Threat Confidence	Cisco Secure Firewall Threat Defense Connection Event	T1041 T1071.001 T1105 T1573.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Repeated Malware Downloads	Cisco Secure Firewall Threat Defense File Event	T1027 T1105	Anomaly	Hellcat Ransomware, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows AD Replication Service Traffic		T1003.006 T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Secure Firewall - SSH Connection to Non-Standard Port	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows AD Rogue Domain Controller Network Activity		T1207	TTP	Sneaky Active Directory Persistence Tricks	2026-05-13
Cisco Network Interface Modifications	Cisco IOS Logs	T1021 T1133 T1556	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Wget or Curl Download	Cisco Secure Firewall Threat Defense Connection Event	T1053.003 T1059 T1071.001 T1105	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Abused Web Services	Sysmon EventID 22	T1102	Anomaly	NjRAT, BlankGrabber Stealer, CISA AA24-241A, Malicious Inno Setup Loader	2026-05-13
Detect Port Security Violation	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Router and Infrastructure Security	2026-05-13
Large Volume of DNS ANY Queries		T1498.002	Anomaly	DNS Amplification Attacks	2026-05-13
Ngrok Reverse Proxy on Network	Sysmon EventID 22	T1090 T1102 T1572	Anomaly	CISA AA22-320A, CISA AA24-241A, Reverse Network Proxy	2026-05-13
Detect Windows DNS SIGRed via Zeek		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect hosts connecting to dynamic domain providers	Sysmon EventID 22	T1189	TTP	Suspicious DNS Traffic, Dynamic DNS, DNS Hijacking, Command And Control, Data Protection, Prohibited Traffic Allowed or Protocol Mismatch	2026-05-13
Cisco Secure Firewall - File Download Over Uncommon Port	Cisco Secure Firewall Threat Defense File Event	T1105 T1571	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1003.001 T1059.001 T1190 T1210	TTP	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Protocol or Port Mismatch	Cisco Secure Firewall Threat Defense Connection Event	T1048.003	Anomaly	Prohibited Traffic Allowed or Protocol Mismatch, Command And Control, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Outbound SMB Traffic	Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1071.002	TTP	DHS Report TA18-074A, Cisco Secure Access Analytics, Hidden Cobra Malware, NOBELIUM Group, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Unauthorized Assets by MAC address		N/A	TTP	Asset Tracking	2026-05-13
Cisco Secure Firewall - Oracle E-Business Suite Exploitation	Cisco Secure Firewall Threat Defense Intrusion Event	T1190	TTP	Oracle E-Business Suite Exploitation, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Binary File Type Download	Cisco Secure Firewall Threat Defense File Event	T1059 T1203	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect Traffic Mirroring	Cisco IOS Logs	T1020.001 T1200 T1498	TTP	Router and Infrastructure Security	2026-05-13
DNS Kerberos Coercion	Sysmon EventID 22, Suricata	T1071.004 T1187 T1557.001	TTP	Suspicious DNS Traffic, Compromised Windows Host, Local Privilege Escalation With KrbRelayUp, Kerberos Coercion with DNS	2026-05-13
Cisco Secure Firewall - Possibly Compromised Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1203 T1587.001	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - Connection to File Sharing Domain	Cisco Secure Firewall Threat Defense Connection Event	T1071.001 T1090.002 T1105 T1567.002 T1588.002	Anomaly	Scattered Lapsus$ Hunters, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Excessive DNS Failures		T1071.004	Anomaly	Command And Control, Suspicious DNS Traffic	2026-05-13
Cisco SNMP Community String Configuration Changes	Cisco IOS Logs	T1040 T1552 T1685	Anomaly	Cisco Smart Install Remote Code Execution CVE-2018-0171	2026-05-13
Cisco Secure Firewall - Lumma Stealer Activity	Cisco Secure Firewall Threat Defense Intrusion Event	T1027 T1190 T1204 T1210	TTP	Lumma Stealer, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Windows Spearphishing Attachment Connect To None MS Office Domain	Sysmon EventID 22	T1566.001	Hunting	MuddyWater, Spearphishing Attachments, AsyncRAT	2026-05-13
Cisco SD-WAN - Uncommon User-Agent Multi-URI Activity	Cisco SD-WAN Service Proxy Access Logs	T1595	Hunting	Cisco Catalyst SD-WAN Analytics	2026-05-13
SMB Traffic Spike		T1021.002	Anomaly	Ransomware, DHS Report TA18-074A, Emotet Malware DHS Report TA18-201A, Hidden Cobra Malware	2026-05-13
Cisco Secure Firewall - High Volume of Intrusion Events Per Host	Cisco Secure Firewall Threat Defense Intrusion Event	T1059 T1071 T1595.002	Anomaly	Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Detect IPv6 Network Infrastructure Threats	Cisco IOS Logs	T1200 T1498 T1557.002	TTP	Scattered Lapsus$ Hunters, Router and Infrastructure Security	2026-05-13
Hosts receiving high volume of network traffic from email server		T1114.002	Anomaly	Collection and Staging	2026-05-13
Detect Windows DNS SIGRed via Splunk Stream		T1203	TTP	Windows DNS SIGRed CVE-2020-1350	2026-05-13
Detect Outbound LDAP Traffic	Palo Alto Network Traffic, Cisco Secure Access Firewall, Cisco Secure Firewall Threat Defense Connection Event	T1059 T1190	Hunting	Cisco Secure Access Analytics, Log4Shell CVE-2021-44228, Cisco Secure Firewall Threat Defense Analytics	2026-05-13
Cisco Secure Firewall - SSH Connection to sshd_operns	Cisco Secure Firewall Threat Defense Intrusion Event	T1021.004	Anomaly	Salt Typhoon, Cisco Secure Firewall Threat Defense Analytics	2026-05-13