Analytics Story: Cisco Secure Firewall Threat Defense Analytics

Date: 2025-04-03 ID: b40110f3-6471-46a6-a6f7-4db817f80a86 Author: Nasreddine Bencherchali, Splunk Product: Splunk Enterprise Security

Description

This analytic story provides a suite of detections built to analyze network traffic logs from Cisco Secure Firewall Threat Defense (FTD) appliances. The included analytics focus on uncovering suspicious and potentially malicious behavior such as data exfiltration, encrypted command and control (C2) activity, unauthorized tool downloads, repeated connection attempts to blocked destinations, and traffic involving suspicious SSL certificates or file sharing services. These detections help security teams identify threats that may be missed by traditional rule-based approaches, offering deeper insight into encrypted sessions, protocol misuse, and adversary abuse of legitimate services.

Why it matters

Cisco Secure Firewall Threat Defense is a next-generation firewall platform that provides deep visibility into network activity, including rich telemetry such as connection metadata, application identification, and encrypted traffic analysis through the Encrypted Visibility Engine (EVE). This analytic story leverages that visibility to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Command and Control, Exfiltration, Execution, and Discovery.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Cisco Secure Firewall - Binary File Type Download Exploitation for Client Execution, Command and Scripting Interpreter Anomaly
Cisco Secure Firewall - Bits Network Activity None Anomaly
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography TTP
Cisco Secure Firewall - Blocked Connection Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Communication Over Suspicious Ports Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port Anomaly
Cisco Secure Firewall - Connection to File Sharing Domain Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool Anomaly
Cisco Secure Firewall - File Download Over Uncommon Port Ingress Tool Transfer, Non-Standard Port Anomaly
Cisco Secure Firewall - High EVE Threat Confidence Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - High Priority Intrusion Classification Exploitation for Client Execution, OS Credential Dumping, Application Layer Protocol, Exploit Public-Facing Application, Valid Accounts TTP
Cisco Secure Firewall - High Volume of Intrusion Events Per Host Command and Scripting Interpreter, Application Layer Protocol, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Intrusion Events by Threat Activity Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Lumma Stealer Activity Exploit Public-Facing Application, Exploitation of Remote Services, Obfuscated Files or Information, User Execution TTP
Cisco Secure Firewall - Lumma Stealer Download Attempt Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt Exfiltration Over C2 Channel, Asymmetric Cryptography Anomaly
Cisco Secure Firewall - Malware File Downloaded Exploitation for Client Execution, Ingress Tool Transfer Anomaly
Cisco Secure Firewall - Possibly Compromised Host Exploitation for Client Execution, Command and Scripting Interpreter, Malware Anomaly
Cisco Secure Firewall - Potential Data Exfiltration Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol Anomaly
Cisco Secure Firewall - Rare Snort Rule Triggered Phishing for Information, Web Services Hunting
Cisco Secure Firewall - Repeated Blocked Connections Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning Anomaly
Cisco Secure Firewall - Repeated Malware Downloads Ingress Tool Transfer, Obfuscated Files or Information Anomaly
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts Ingress Tool Transfer, Obfuscated Files or Information Anomaly
Cisco Secure Firewall - Veeam CVE-2023-27532 Exploitation Activity Exploit Public-Facing Application, Exploitation of Remote Services, PowerShell, LSASS Memory TTP
Cisco Secure Firewall - Wget or Curl Download Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Cisco Secure Firewall Threat Defense Connection Event N/A cisco:sfw:estreamer not_applicable
Cisco Secure Firewall Threat Defense File Event N/A cisco:sfw:estreamer not_applicable
Cisco Secure Firewall Threat Defense Intrusion Event N/A cisco:sfw:estreamer not_applicable

References

Source: GitHub | Version: 1