| ID | Technique | Tactic |
|---|---|---|
| T1203 | Exploitation for Client Execution | Execution |
| T1003 | OS Credential Dumping | Credential Access |
| T1071 | Application Layer Protocol | Command And Control |
| T1190 | Exploit Public-Facing Application | Initial Access |
| T1078 | Valid Accounts | Defense Evasion |
Detection: Cisco Secure Firewall - High Priority Intrusion Classification
Description
This analytic identifies high-severity intrusion events based on the classification assigned to Snort rules within Cisco Secure Firewall logs. It leverages Cisco Secure Firewall Threat Defense logs and focuses on events classified as:
- A Network Trojan was Detected
- Successful Administrator Privilege Gain
- Successful User Privilege Gain
- Attempt to Login By a Default Username and Password
- Known malware command and control traffic
- Known malicious file or file based exploit
- Known client side exploit attempt
- Large Scale Information Leak"
These classifications typically represent significant threats such as remote code execution, credential theft, lateral movement, or malware communication. Detection of these classifications should be prioritized for immediate investigation.
Search
1`cisco_secure_firewall` EventType=IntrusionEvent
2 class_desc IN ("A Network Trojan was Detected", "Successful Administrator Privilege Gain", "Successful User Privilege Gain", "Attempt to Login By a Default Username and Password", "Known malware command and control traffic", "Known malicious file or file based exploit", "Known client side exploit attempt", "Large Scale Information Leak")
3
4| fillnull
5
6| stats count min(_time) as firstTime max(_time) as lastTime
7 values(signature_id) as signature_id
8 values(MitreAttackGroups) as MitreAttackGroups
9 values(InlineResult) as InlineResult
10 values(InlineResultReason) as InlineResultReason
11 values(dest_port) as dest_port
12 values(rule) as rule
13 values(transport) as transport
14 values(app) as app
15 by src_ip, dest_ip, signature, class_desc
16
17| `security_content_ctime(firstTime)`
18
19| `security_content_ctime(lastTime)`
20
21| `cisco_secure_firewall___high_priority_intrusion_classification_filter`
Data Source
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Secure Firewall Threat Defense Intrusion Event | N/A | 'cisco:sfw:estreamer' |
'not_applicable' |
Macros Used
| Name | Value |
|---|---|
| cisco_secure_firewall | sourcetype="cisco:sfw:estreamer" |
| cisco_secure_firewall___high_priority_intrusion_classification_filter | search * |
cisco_secure_firewall___high_priority_intrusion_classification_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
MITRE ATT&CK
Kill Chain Phases
NIST
CIS
Threat Actors
Command and Control
Delivery
Exploitation
Installation
DE.CM
CIS 13
APT18
APT28
APT29
APT3
APT32
APT33
APT37
APT39
APT41
APT5
Agrius
Akira
Andariel
Aoqin Dragon
Axiom
BITTER
BRONZE BUTLER
BackdoorDiplomacy
BlackByte
BlackTech
Blue Mockingbird
Carbanak
Chimera
Cinnamon Tempest
Cobalt Group
Confucius
Darkhotel
Dragonfly
EXOTIC LILY
Earth Lusca
Elderwood
Ember Bear
FIN10
FIN13
FIN4
FIN5
FIN6
FIN7
FIN8
Fox Kitten
GALLIUM
GOLD SOUTHFIELD
HAFNIUM
Higaisa
INC Ransom
Inception
Indrik Spider
Ke3chang
Kimsuky
LAPSUS$
Lazarus Group
Leviathan
Magic Hound
Moses Staff
MuddyWater
Mustang Panda
OilRig
POLONIUM
Patchwork
PittyTiger
Play
Poseidon Group
Rocke
Saint Bear
Salt Typhoon
Sandworm Team
Sea Turtle
Sidewinder
Silence
Silent Librarian
Sowbug
Star Blizzard
Suckfly
TA459
TeamTNT
The White Company
Threat Group-3390
ToddyCat
Tonto Team
Transparent Tribe
Tropic Trooper
Velvet Ant
Volatile Cedar
Volt Typhoon
Winter Vivern
Wizard Spider
admin@338
menuPass
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Notable | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Risk Event | True |
This configuration file applies to all detections of type TTP. These detections will use Risk Based Alerting and generate Notable Events.
Implementation
This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the IntrusionEvent EventType. This search uses an input macro named cisco_secure_firewall.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The intrusion access policy must also be configured.
Known False Positives
Some intrusion events that are linked to these classifications might be noisy in certain environments. Apply a combination of filters for specific snort IDs and other indicators.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message:
A high priority intrusion event with classification ($class_desc$) was detected from $src_ip$ to $dest_ip$, indicating potential suspicious activity.
| Risk Object | Risk Object Type | Risk Score | Threat Objects |
|---|---|---|---|
| dest_ip | system | 25 | src_ip, signature |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
| Integration | ✅ Passing | Dataset | not_applicable |
cisco:sfw:estreamer |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 1