Analytics Story: Cisco Secure Firewall Threat Defense Analytics
Description
This analytic story provides a suite of detections built to analyze network traffic logs from Cisco Secure Firewall Threat Defense (FTD) appliances.
The included analytics focus on uncovering suspicious and potentially malicious behavior such as data exfiltration, encrypted command and control (C2) activity, unauthorized tool downloads, repeated connection attempts to blocked destinations, and traffic involving suspicious SSL certificates or file-sharing services.
These detections help security teams identify threats that may be missed by traditional rule-based approaches, offering deeper insight into encrypted sessions, protocol misuse, and adversary abuse of legitimate services.
Why it matters
Cisco Secure Firewall Threat Defense is a next-generation firewall platform that provides deep visibility into network activity, including rich telemetry such as connection metadata, application identification, and encrypted traffic analysis through the Encrypted Visibility Engine (EVE).
This analytic story leverages that visibility to detect behaviors commonly associated with advanced threats and adversary techniques across multiple ATT&CK tactics, including Command and Control, Exfiltration, Execution, and Discovery.
Detections
Name | Technique | Type
Cisco Secure Firewall - Binary File Type Download | Exploitation for Client Execution, Command and Scripting Interpreter | Anomaly
Cisco Secure Firewall - Bits Network Activity | None | Anomaly
Cisco Secure Firewall - Blacklisted SSL Certificate Fingerprint | Code Signing Certificates, Digital Certificates, Web Protocols, Asymmetric Cryptography | TTP
Cisco Secure Firewall - Blocked Connection | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly
Cisco Secure Firewall - Communication Over Suspicious Ports | Remote Services, Process Injection, PowerShell, Ingress Tool Transfer, Remote Access Tools, Non-Standard Port | Anomaly
Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly
Cisco Secure Firewall - File Download Over Uncommon Port | Ingress Tool Transfer, Non-Standard Port | Anomaly
Cisco Secure Firewall - High EVE Threat Confidence | Exfiltration Over C2 Channel, Web Protocols, Ingress Tool Transfer, Asymmetric Cryptography | Anomaly
Cisco Secure Firewall - High Volume of Intrusion Events Per Host | Command and Scripting Interpreter, Application Layer Protocol, Vulnerability Scanning | Anomaly
Cisco Secure Firewall - Malware File Downloaded | Exploitation for Client Execution, Ingress Tool Transfer | Anomaly
Cisco Secure Firewall - Possibly Compromised Host | Exploitation for Client Execution, Command and Scripting Interpreter, Malware | Anomaly
Cisco Secure Firewall - Potential Data Exfiltration | Exfiltration Over C2 Channel, Exfiltration to Cloud Storage, Exfiltration Over Unencrypted Non-C2 Protocol | Anomaly
Cisco Secure Firewall - Rare Snort Rule Triggered | Phishing for Information, Web Services | Hunting
Cisco Secure Firewall - Repeated Blocked Connections | Remote System Discovery, Network Service Discovery, Brute Force, Exploitation for Client Execution, Vulnerability Scanning | Anomaly
Cisco Secure Firewall - Repeated Malware Downloads | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly
Cisco Secure Firewall - Snort Rule Triggered Across Multiple Hosts | Ingress Tool Transfer, Obfuscated Files or Information | Anomaly
Cisco Secure Firewall - Wget or Curl Download | Cron, Command and Scripting Interpreter, Web Protocols, Ingress Tool Transfer | Anomaly
Data Sources
References
Source: GitHub | Version: 1