Cisco Secure Firewall - Intrusion Events by Threat Activity

Status
production
Severity
low
Group by
_time, dest, signature_id, threat
Author
Bhavin Patel, Nasreddine Bencherchali, Splunk
Source
github.com/splunk/security_content

This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events. It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or more Snort signatures associated with a known threat or threat actor have been triggered against the same destination within a one-day window (the search buckets events with `bin _time span=1d`, so activity that straddles a day boundary is split across two buckets). The detection uses a lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques, and a second lookup (threat_snort_count) that holds the number of distinct signature IDs known for each threat. When the count of unique signatures seen for a threat on a destination within the window matches or exceeds that expected number, an alert is generated. A threat that has rows in the mapping but no row in threat_snort_count never alerts, because the final `where sig_count >= distinct_count_snort_ids` evaluates to false against a null lookup output. This helps identify potential coordinated threat activity in your network environment by correlating related intrusion events that occur in close temporal proximity.

Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:

* AgentTesla
* Amadey
* ArcaneDoor
* AsyncRAT
* CastleRAT
* Chafer
* DCRAT
* LokiBot
* Lumma Stealer
* Nobelium
* Quasar
* Remcos
* Snake
* Static Tundra
* Xworm

To add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.
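The following Python is an added worked example, not code from the security_content project, that reproduces the search's correlation logic outside Splunk so the thresholding can be checked against known input. It builds the cisco_snort_ids_to_threat_mapping and threat_snort_count lookups from a constructed CSV, enriches constructed IntrusionEvent records, buckets them by calendar day, aggregates by destination and threat, and applies the `sig_count >= distinct_count_snort_ids` check. The threat names, signature IDs and addresses are hypothetical; the sample includes a repeated signature (which must not inflate the distinct count), a pair of signatures split across midnight, and an unmapped signature.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the cisco_snort_ids_to_threat_mapping.csv lookup.
# Threat names and signature IDs are hypothetical; the real ones live in the
# project's lookup file.
MAPPING_CSV = """signature_id,threat,category,message
1000001,ExampleRAT,malware-cnc,ExampleRAT outbound beacon
1000002,ExampleRAT,malware-cnc,ExampleRAT config download
1000003,ExampleStealer,malware-other,ExampleStealer credential POST
"""

# Constructed IntrusionEvent records carrying only the fields the search uses.
EVENTS = [
    # dest 10.0.0.5: both ExampleRAT signatures on the same day, one of them twice
    {"_time": "2025-05-12T08:00:00Z", "dest": "10.0.0.5", "src": "203.0.113.9", "signature_id": "1000001"},
    {"_time": "2025-05-12T09:30:00Z", "dest": "10.0.0.5", "src": "203.0.113.9", "signature_id": "1000002"},
    {"_time": "2025-05-12T09:31:00Z", "dest": "10.0.0.5", "src": "203.0.113.9", "signature_id": "1000002"},
    # dest 10.0.0.7: the same two signatures, but split across the midnight bucket boundary
    {"_time": "2025-05-12T23:50:00Z", "dest": "10.0.0.7", "src": "198.51.100.4", "signature_id": "1000001"},
    {"_time": "2025-05-13T00:10:00Z", "dest": "10.0.0.7", "src": "198.51.100.4", "signature_id": "1000002"},
    # dest 10.0.0.9: a single-signature threat, plus a signature with no threat mapping
    {"_time": "2025-05-12T10:00:00Z", "dest": "10.0.0.9", "src": "192.0.2.77", "signature_id": "1000003"},
    {"_time": "2025-05-12T10:00:00Z", "dest": "10.0.0.9", "src": "192.0.2.77", "signature_id": "9999999"},
]


def load_mapping(csv_text):
    """Index the mapping lookup by signature_id, as `lookup ... signature_id` does."""
    return {row["signature_id"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def threat_snort_count(mapping):
    """Derive the threat_snort_count lookup: distinct signature IDs known per threat."""
    sids = defaultdict(set)
    for sid, row in mapping.items():
        sids[row["threat"]].add(sid)
    return {threat: len(s) for threat, s in sids.items()}


def day_bucket(ts):
    """Mimic `bin _time span=1d`: truncate a UTC timestamp to its calendar day."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).date().isoformat()


def correlate(events, mapping, counts):
    """Reproduce the search: enrich, bucket by day, aggregate by (day, dest, threat), threshold."""
    groups = defaultdict(lambda: {"total": 0, "sids": set(), "src": set()})
    for ev in events:
        row = mapping.get(ev["signature_id"])
        if row is None:
            continue  # `where isnotnull(threat)` drops unmapped signatures
        g = groups[(day_bucket(ev["_time"]), ev["dest"], row["threat"])]
        g["total"] += 1                      # count AS Total_Alerts
        g["sids"].add(ev["signature_id"])    # dc(signature_id) AS sig_count
        g["src"].add(ev["src"])              # values(src) AS src
    findings = []
    for (day, dest, threat), g in sorted(groups.items()):
        expected = counts.get(threat)
        # `where sig_count >= distinct_count_snort_ids` is false when the second
        # lookup returns nothing, so a threat missing from threat_snort_count never alerts
        if expected is None or len(g["sids"]) < expected:
            continue
        findings.append({
            "_time": day, "dest": dest, "threat": threat,
            "src": sorted(g["src"]), "signature_id": sorted(g["sids"]),
            "sig_count": len(g["sids"]), "distinct_count_snort_ids": expected,
            "Total_Alerts": g["total"],
        })
    return findings


if __name__ == "__main__":
    mapping = load_mapping(MAPPING_CSV)
    for finding in correlate(EVENTS, mapping, threat_snort_count(mapping)):
        print(finding)
```

Run as-is, it reports 10.0.0.5 for ExampleRAT (two distinct signatures, three alerts) and 10.0.0.9 for ExampleStealer; 10.0.0.7 is not reported because each of its two signatures falls in a different day bucket, which is the behaviour to expect from the production search as well.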

MITRE ATT&CK coverage

T1041 (Exfiltration Over C2 Channel), T1573.002 (Encrypted Channel: Asymmetric Cryptography)

Rule body splunk

name: Cisco Secure Firewall - Intrusion Events by Threat Activity
id: b71e57e8-c571-4ff1-ae13-bc4384a9e891
version: 10
creation_date: '2025-05-12'
modification_date: '2026-05-13'
author: Bhavin Patel, Nasreddine Bencherchali, Splunk
status: production
type: Anomaly
description: |
    This analytic detects intrusion events from known threat activity using Cisco Secure Firewall Intrusion Events.
    It leverages Cisco Secure Firewall Threat Defense IntrusionEvent logs to identify cases where one or multiple Snort signatures
    associated with a known threat or threat actor activity have been triggered within a one-day time window (`bin _time span=1d`). The detection uses a
    lookup table (cisco_snort_ids_to_threat_mapping) to map Snort signature IDs to known threat actors and their techniques.
    When multiple signatures associated with the same threat actor are triggered within the time window, and the count of
    unique signatures matches or exceeds the expected number of signatures for that threat technique, an alert is generated.
    This helps identify potential coordinated threat activity in your network environment by correlating related intrusion
    events that occur in close temporal proximity.

    Currently, this detection will alert on the following threat actors or malware families as defined in the cisco_snort_ids_to_threat_mapping lookup:

    * AgentTesla
    * Amadey
    * ArcaneDoor
    * AsyncRAT
    * CastleRAT
    * Chafer
    * DCRAT
    * LokiBot
    * Lumma Stealer
    * Nobelium
    * Quasar
    * Remcos
    * Snake
    * Static Tundra
    * Xworm

    To add or update threat actors, update the cisco_snort_ids_to_threat_mapping.csv lookup file with new or modified threat names and associated Snort signature IDs.
data_source:
    - Cisco Secure Firewall Threat Defense Intrusion Event
search: |
    `cisco_secure_firewall` EventType=IntrusionEvent
    | stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest signature_id
    | lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
    | where isnotnull(threat)
    | bin _time span=1d
    | stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest threat
    | lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
    | table _time, dest, src, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app
    | where sig_count >= distinct_count_snort_ids
    | `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`
how_to_implement: |
    This search requires Cisco Secure Firewall Threat Defense Logs, which
    includes the IntrusionEvent EventType. This search uses an input macro named `cisco_secure_firewall`.
    We strongly recommend that you specify your environment-specific configurations
    (index, source, sourcetype, etc.) for Cisco Secure Firewall Threat Defense logs. Replace the macro definition
    with configurations for your Splunk environment. The search also uses a post-filter
    macro designed to filter out known false positives.
    The logs are to be ingested using the Splunk Add-on for Cisco Security Cloud (https://splunkbase.splunk.com/app/7404).
    The intrusion access policy must also be configured. This detection is based on the cisco_snort_ids_to_threat_mapping.csv mapping file - please update the lookup file with the latest Snort IDs to Threat Actors if you would like to modify the distinct count of Snort IDs needed to trigger the detection or if you would like to add new Snort IDs to Threat Actors.
known_false_positives: False positives may occur due to legitimate security testing or research activities.
references:
    - https://www.cisco.com/c/en/us/products/security/firewalls/index.html
    - https://blog.talosintelligence.com/static-tundra/
drilldown_searches:
    - name: View the detection results for - "$dest$"
      search: '%original_detection_search% | search  dest = "$dest$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$dest$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: 7d
      latest_offset: "0"
intermediate_findings:
    entities:
        - field: dest
          type: system
          score: 20
          message: Potential $threat$ activity detected on $dest$ originating from $src$.
threat_objects:
    - field: signature
      type: signature
analytic_story:
    - Cisco Secure Firewall Threat Defense Analytics
    - ArcaneDoor
asset_type: Network
mitre_attack_id:
    - T1041
    - T1573.002
product:
    - Splunk Enterprise
    - Splunk Cloud
    - Splunk Enterprise Security
category: network
security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/cisco_secure_firewall_threat_defense/lumma_stealer/lumma_stealer_events.log
          source: not_applicable
          sourcetype: cisco:sfw:estreamer
      test_type: unit

Stages and Predicates

Stage 1: search

`cisco_secure_firewall` EventType=IntrusionEvent

Stage 2: stats

| stats count AS total_alerts, dc(signature_id) AS sig_count, values(SnortRuleGroups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest signature_id

Stage 3: lookup

| lookup cisco_snort_ids_to_threat_mapping signature_id OUTPUT threat, category, message
Lookup table
cisco_snort_ids_to_threat_mapping
Key field
signature_id
Output columns
threat, category, message

Stage 4: where

| where isnotnull(threat)

Stage 5: bucket

| bin _time span=1d

Stage 6: stats

| stats count AS Total_Alerts, dc(signature_id) AS sig_count, values(signature_id) AS signature_id, values(category) AS category, values(message) AS message, values(snort_rule_groups) AS snort_rule_groups, values(connection_id) AS connection_id, values(rule) AS rule, values(dest_port) AS dest_port, values(transport) AS transport, values(app) AS app, values(signature) AS signature, values(src) AS src BY _time dest threat

Stage 7: lookup

| lookup threat_snort_count threat OUTPUT description, distinct_count_snort_ids
Lookup table
threat_snort_count
Key field
threat
Output columns
description, distinct_count_snort_ids

Stage 8: table

| table _time, dest, src, threat, category, message, description, signature_id, signature, snort_rule_groups, sig_count, distinct_count_snort_ids, connection_id, rule, dest_port, transport, app

Stage 9: where

| where sig_count >= distinct_count_snort_ids

Stage 10: search

| `cisco_secure_firewall___intrusion_events_by_threat_activity_filter`

Indicators

Each row is a field, operator, and value that the rule matches.

Field        Kind          Values
EventType    eq            IntrusionEvent
sourcetype   eq            cisco:sfw:estreamer
threat       is_not_null   (no value, null check)