name: Cisco Secure Firewall - Malware File Downloaded
id: 3cc93f52-5aa6-4b7f-83b9-3430b1436813
version: 1
date: '2025-04-03'
author: Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: The following analytic detects file downloads that Cisco Secure Firewall Threat Defense
  classified as malware. It relies on the `SHA_Disposition` field having the value "Malware" and
  surfaces metadata such as the file name, file hash, and threat classification. This analytic is
  critical for surfacing file-based threats identified through Cisco's AMP or Threat Grid
  integrations. If confirmed malicious, this could indicate delivery of malware.
data_source:
- Cisco Secure Firewall Threat Defense File Event
search: '`cisco_secure_firewall` EventType=FileEvent SHA_Disposition="Malware" FileDirection="Download"
  | lookup cisco_secure_firewall_filetype_lookup Name as FileType OUTPUT Description
  | stats count min(_time) as firstTime max(_time) as lastTime values(uri) as uri values(ClientApplication) as ClientApplication values(file_hash) as file_hash by FileDirection dest src_ip dest_port FileType app file_name ThreatName Description
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | table firstTime lastTime src_ip dest dest_port FileDirection FileType Description uri file_name file_hash app ClientApplication ThreatName SHA_Disposition
  | `cisco_secure_firewall___malware_file_downloaded_filter`'
how_to_implement: This search requires Cisco Secure Firewall Threat Defense logs, which
  include the FileEvent EventType. The search uses an input macro named `cisco_secure_firewall`.
  We strongly recommend that you specify your environment-specific configuration
  (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs by replacing the
  macro definition with settings for your Splunk environment. The search also uses a post-filter
  macro designed to filter out known false positives.
  The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
  Logging must also be enabled in the malware and file access policy, or no FileEvent records are produced.
known_false_positives: Malicious verdicts could be outdated or incorrect due to retroactive threat intel.
references:
- https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf
drilldown_searches:
- name: 'View the detection results for - "$src_ip$"'
  search: '%original_detection_search% | search src_ip = "$src_ip$"'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
- name: 'View risk events for the last 7 days for - "$src_ip$"'
  search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
  earliest_offset: '$info_min_time$'
  latest_offset: '$info_max_time$'
tags:
  analytic_story:
  - Cisco Secure Firewall Threat Defense Analytics
  asset_type: Endpoint
  mitre_attack_id:
  - T1203
  - T1105
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  security_domain: endpoint
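To show what the search above surfaces (and what it silently drops), here is an added Python emulation of its filter, lookup and stats logic run over constructed FileEvent records; it is not part of this detection or the Splunk add-on, and the lookup rows, IPs, hashes and threat names are made up.

```python
# Constructed stand-in for the cisco_secure_firewall_filetype_lookup (Name -> Description).
FILETYPE_LOOKUP = {"MSEXE": "Windows/DOS executable file", "PDF": "PDF file"}

def _ev(t, disp, direction, ftype, **extra):
    """Build a constructed FileEvent record carrying the fields the search uses."""
    base = {"_time": t, "EventType": "FileEvent", "SHA_Disposition": disp, "FileDirection": direction,
            "src_ip": "10.1.2.3", "dest": "203.0.113.10", "dest_port": 443, "FileType": ftype,
            "app": "HTTPS", "file_name": "invoice.exe", "ThreatName": "Generic.Sample",
            "uri": "/dl/invoice.exe", "ClientApplication": "Chrome", "file_hash": "aa" * 32}
    return {**base, **extra}

# Constructed sample events: two hits for one download, plus three records the search ignores.
SAMPLE_EVENTS = [
    _ev(1712102400, "Malware", "Download", "MSEXE"),
    _ev(1712106000, "Malware", "Download", "MSEXE", uri="/dl/invoice.exe?retry=1"),
    _ev(1712106100, "Clean", "Download", "PDF", file_name="report.pdf", ThreatName=None),  # clean verdict
    _ev(1712106200, "Malware", "Upload", "MSEXE", src_ip="10.1.2.5", file_name="tool.exe"),  # not a download
    # FileType with no lookup row -> Description is null -> dropped by "stats ... by Description"
    _ev(1712106300, "Malware", "Download", "NEWTYPE", src_ip="10.1.2.6", file_name="x.bin", file_hash="dd" * 32),
]

GROUP_KEYS = ("FileDirection", "dest", "src_ip", "dest_port", "FileType", "app",
              "file_name", "ThreatName", "Description")
VALUE_FIELDS = ("uri", "ClientApplication", "file_hash")

def detect_malware_downloads(events, lookup=FILETYPE_LOOKUP):
    """Emulate the SPL: filter, enrich via the lookup, then aggregate like `stats ... by`."""
    groups = {}
    for ev in events:
        if (ev.get("EventType") != "FileEvent" or ev.get("SHA_Disposition") != "Malware"
                or ev.get("FileDirection") != "Download"):
            continue
        ev = dict(ev, Description=lookup.get(ev.get("FileType")))  # lookup ... OUTPUT Description
        key = tuple(ev.get(k) for k in GROUP_KEYS)
        if any(v is None for v in key):  # stats drops events with a null by-field
            continue
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"],
                                    **{f: set() for f in VALUE_FIELDS}})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
        for f in VALUE_FIELDS:  # values() keeps the distinct values per group
            if ev.get(f) is not None:
                g[f].add(ev[f])
    return [dict(zip(GROUP_KEYS, k), **v) for k, v in groups.items()]

if __name__ == "__main__":
    for row in detect_malware_downloads(SAMPLE_EVENTS):
        print(row)
```

The fifth record shows why the lookup matters operationally: a malware download whose FileType has no row in `cisco_secure_firewall_filetype_lookup` never reaches the results, so keep the lookup current.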