Analytics Story: Cisco Secure Firewall Threat Defense Analytics

Date: 2025-04-03 ID: b40110f3-6471-46a6-a6f7-4db817f80a86 Author: Nasreddine Bencherchali, Splunk Product: Splunk Enterprise Security

Description

This analytic story provides a suite of detections built to analyze network traffic logs from Cisco Secure Firewall Threat Defense (FTD) appliances. The included analytics focus on uncovering suspicious and potentially malicious behavior such as data exfiltration, encrypted command and control (C2) activity, unauthorized tool downloads, repeated connection attempts to blocked destinations, and traffic involving suspicious SSL certificates or file sharing services. These detections help security teams identify threats that may be missed by traditional rule-based approaches, offering deeper insight into encrypted sessions, protocol misuse, and adversary abuse of legitimate services.

Why it matters

Cisco Secure Firewall Threat Defense is a next-generation firewall platform that provides deep visibility into network activity, including rich telemetry such as connection metadata, application identification, and encrypted traffic analysis through the Encrypted Visibility Engine (EVE). This analytic story leverages that visibility to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Command and Control, Exfiltration, Execution, and Discovery.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Cisco Secure Firewall - Binary File Type Download Exploitation for Client Execution, Command and Scripting Interpreter Anomaly
Cisco Secure Firewall - Bits Network Activity None Anomaly
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography TTP
Cisco Secure Firewall - Blocked Connection Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Communication Over Suspicious Ports Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port Anomaly
Cisco Secure Firewall - Connection to File Sharing Domain Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool Anomaly
Cisco Secure Firewall - File Download Over Uncommon Port Ingress Tool Transfer, Non-Standard Port Anomaly
Cisco Secure Firewall - High EVE Threat Confidence Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - High Priority Intrusion Classification Exploitation for Client Execution, OS Credential Dumping, Application Layer Protocol, Exploit Public-Facing Application, Valid Accounts TTP
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Command and Scripting Interpreter, Application Layer Protocol, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Intrusion Events by Threat Activity Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Lumma Stealer Activity Exploit Public-Facing Application, Exploitation of Remote Services, Obfuscated Files or Information, User Execution TTP
Cisco Secure Firewall - Lumma Stealer Download Attempt Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Malware File Downloaded Exploitation for Client Execution, Ingress Tool Transfer Anomaly
Cisco Secure Firewall - Possibly Compromised Host Exploitation for Client Execution, Command and Scripting Interpreter, Malware Anomaly
Cisco Secure Firewall - Potential Data Exfiltration Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Cisco Secure Firewall - Rare Snort Rule Triggered Phishing for Information, Web Services Hunting
Cisco Secure Firewall - Remote Access Software Usage Traffic Remote Access Tools Anomaly
Cisco Secure Firewall - Repeated Blocked Connections Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Repeated Malware Downloads Ingress Tool Transfer, Obfuscated Files or Information Anomaly
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Ingress Tool Transfer, Obfuscated Files or Information Anomaly
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Exploit Public-Facing Application, Exploitation of Remote Services, PowerShell, LSASS Memory TTP
Cisco Secure Firewall - Wget or Curl Download Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer Anomaly
Detect Outbound LDAP Traffic Exploit Public-Facing Application, Command and Scripting Interpreter Hunting
Detect Outbound SMB Traffic File Transfer Protocols TTP
Internal Horizontal Port Scan Network Service Discovery TTP
Internal Horizontal Port Scan NMAP Top 20 Network Service Discovery TTP
Internal Vertical Port Scan Network Service Discovery TTP
Prohibited Network Traffic Allowed Exfiltration Over Alternative Protocol TTP
Protocol or Port Mismatch Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Protocols passing authentication in cleartext None Anomaly
TOR Traffic Multi-hop Proxy TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
AWS CloudWatchLogs VPCflow AWS icon AWS aws:cloudwatchlogs:vpcflow aws_cloudwatchlogs_vpcflow
Cisco Secure Firewall Threat Defense Connection Event N/A cisco:sfw:estreamer not_applicable
Cisco Secure Firewall Threat Defense File Event N/A cisco:sfw:estreamer not_applicable
Cisco Secure Firewall Threat Defense Intrusion Event N/A cisco:sfw:estreamer not_applicable
Palo Alto Network Traffic Network icon Network pan:traffic screenconnect_palo_traffic

References

Source: GitHub | Version: 1