Name:Cisco Secure Firewall - Possibly Compromised Host id:244a77bb-3b2a-46f1-bf2c-b4f7cd29276d version:1 date:2025-04-14 author:Nasreddine Bencherchali, Splunk status:experimental type:Anomaly Description:The following analytic highlights high-impact intrusion events assigned by Cisco Secure Firewall.
This detection leverages Cisco Secure Firewall Threat Defense logs and specifically the IntrusionEvent event type and `Impact` field assigned by Cisco Secure Firewall looking for an impact score of 1 or 2. If confirmed malicious this may indicate a potential compromised host.
Data_source:
search:`cisco_secure_firewall` EventType=IntrusionEvent Impact IN (1,2) | stats count as TotalDetections values(signature_id) as signature_id values(signature) as signature values(rule) as rule min(_time) as firstTime max(_time) as lastTime by src_ip dest dest_port transport Impact app impact_desc class_desc MitreAttackGroups InlineResult InlineResultReason | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `cisco_secure_firewall___possibly_compromised_host_filter`
how_to_implement:This search requires Cisco Secure Firewall Threat Defense Logs, which
includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
We strongly recommend that you specify your environment-specific configurations
(index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
with configurations for your Splunk environment. The search also uses a post-filter
macro designed to filter out known false positives.
The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
The intrusion access policy must also be configured.
known_false_positives:False positives are directly related to their snort rules triggering and the firewall scoring. Apply additional filters if the rules are too noisy by disabling them or simply ignoring certain IP ranges that trigger it. References: -https://www.cisco.com/c/en/us/td/docs/security/firepower/741/api/FQE/secure_firewall_estreamer_fqe_guide_740.pdf drilldown_searches: name:'View the detection results for - "$src_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Cisco Secure Firewall Threat Defense Analytics' asset_type:Network security_domain:network mitre_attack_id: - 'T1203' - 'T1059' - 'T1587.001' product: - 'Splunk Enterprise' - 'Splunk Cloud' - 'Splunk Enterprise Security'
