search: |
  `cisco_secure_firewall` EventType=IntrusionEvent signature_id = 65118
  | fillnull
  | stats min(_time) as firstTime max(_time) as lastTime values(signature_id) as signature_id values(signature) as signature values(class_desc) as class_desc values(MitreAttackGroups) as MitreAttackGroups values(InlineResult) as InlineResult values(InlineResultReason) as InlineResultReason values(src_ip) as src_ip values(dest_port) as dest_port values(rule) as rule values(transport) as transport values(app) as app by dest_ip
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `cisco_secure_firewall___citrix_netscaler_memory_overread_attempt_filter`
how_to_implement: This search requires Cisco Secure Firewall Threat Defense logs, which
include the FileEvent EventType. The search uses an input macro named `cisco_secure_firewall`.
We strongly recommend that you specify your environment-specific configuration
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs by replacing
the macro definition with the settings for your Splunk environment. The search also uses a
post-filter macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The malware & file access policy must also have logging enabled.
known_false_positives:Security testing or vulnerability scanners might trigger this. Investigate any potential
matches to determine if they're legitimate.
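To check the aggregation the search performs before deploying it, the following added example (not code from the Splunk security_content project) re-creates the filter on `EventType=IntrusionEvent` and `signature_id=65118` and the `stats ... by dest_ip` step in Python over a few constructed key=value events; the event text, addresses and signature name are constructed samples, not real log data.

```python
"""Offline mirror of the detection's filter and `stats ... by dest_ip` step."""
import re

# Constructed sample events (not real logs); the last two must be excluded:
# one has a different signature_id, the other is a FileEvent, not an IntrusionEvent.
SAMPLE_EVENTS = [
    '_time=1720000000 EventType=IntrusionEvent signature_id=65118 signature="NetScaler memory over-read (sample)" '
    'class_desc="Attempted Administrator Privilege Gain" src_ip=203.0.113.10 dest_ip=198.51.100.5 '
    'dest_port=443 InlineResult=Dropped rule=Balanced transport=tcp app=HTTPS',
    '_time=1720000300 EventType=IntrusionEvent signature_id=65118 signature="NetScaler memory over-read (sample)" '
    'class_desc="Attempted Administrator Privilege Gain" src_ip=203.0.113.11 dest_ip=198.51.100.5 '
    'dest_port=443 InlineResult="Would Have Dropped" rule=Balanced transport=tcp app=HTTPS',
    '_time=1720000600 EventType=IntrusionEvent signature_id=12345 src_ip=203.0.113.12 dest_ip=198.51.100.5 dest_port=443',
    '_time=1720000900 EventType=FileEvent signature_id=65118 src_ip=203.0.113.13 dest_ip=198.51.100.7 dest_port=443',
]

# Fields the SPL collects with values(...) per dest_ip.
VALUE_FIELDS = ["signature_id", "signature", "class_desc", "MitreAttackGroups", "InlineResult",
                "InlineResultReason", "src_ip", "dest_port", "rule", "transport", "app"]
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Parse key=value pairs; quoted values may contain spaces."""
    return {k: (inner if v.startswith('"') else v) for k, v, inner in KV_RE.findall(line)}


def detect(lines, signature_id="65118"):
    """Filter like the SPL, then min/max(_time) and values(...) grouped by dest_ip."""
    by_dest = {}
    for line in lines:
        ev = parse_kv(line)
        if ev.get("EventType") != "IntrusionEvent" or ev.get("signature_id") != signature_id:
            continue
        row = by_dest.setdefault(ev["dest_ip"], {"firstTime": None, "lastTime": None,
                                                 **{f: set() for f in VALUE_FIELDS}})
        t = int(ev["_time"])
        row["firstTime"] = t if row["firstTime"] is None else min(row["firstTime"], t)
        row["lastTime"] = t if row["lastTime"] is None else max(row["lastTime"], t)
        for f in VALUE_FIELDS:
            if f in ev:  # SPL fillnull would insert 0 for absent fields; here they stay empty
                row[f].add(ev[f])
    return by_dest


if __name__ == "__main__":
    for dest_ip, row in detect(SAMPLE_EVENTS).items():
        print(dest_ip, row["firstTime"], row["lastTime"], sorted(row["src_ip"]), sorted(row["InlineResult"]))
```

A destination that only shows "Would Have Dropped" results indicates the intrusion policy saw the traffic but did not block it, which is the case worth prioritising when triaging.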
references:
- https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
- https://www.netscaler.com/blog/news/critical-security-updates-for-netscaler-netscaler-gateway-and-netscaler-console/
- https://github.com/mingshenhk/CitrixBleed-2-CVE-2025-5777-PoC-
- https://horizon3.ai/attack-research/attack-blogs/cve-2025-5777-citrixbleed-2-write-up-maybe/
- https://labs.watchtowr.com/how-much-more-must-we-bleed-citrix-netscaler-memory-disclosure-citrixbleed-2-cve-2025-5777/
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-5777.yaml
drilldown_searches:
- name: 'View the detection results for - "$src_ip$" and "$dest_ip$"'
  search: '%original_detection_search% | search src_ip="$src_ip$" dest_ip="$dest_ip$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$src_ip$" and "$dest_ip$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$", "$dest_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - 'Cisco Secure Firewall Threat Defense Analytics'
  - 'Citrix NetScaler ADC and NetScaler Gateway CVE-2025-5777'
  asset_type: Endpoint
  mitre_attack_id:
  - 'T1203'
  - 'T1059'
  product:
  - 'Splunk Enterprise'
  - 'Splunk Enterprise Security'
  security_domain: endpoint