
Summary
This detection rule identifies potentially compromised hosts using Cisco Secure Firewall Threat Defense logs, focusing on high-impact intrusion events with an impact score of 1 or 2. Filtering on the 'IntrusionEvent' event type, the rule aggregates the matching detections with Splunk commands that count events, collect the triggered signatures, and record the first and last time each source and destination pair was seen. This supports timely threat identification within the network: a match that is confirmed malicious indicates a potentially severe breach. Users are encouraged to tune the rule's settings to their own environment, and an automatic post-filtering mechanism reduces the false positives that can arise when Snort rules fire under unknown conditions.
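As an added example (not the rule's own search), a Splunk search that implements the aggregation described above: filter on the event type and impact, then count events, collect signatures and track first/last seen per source and destination pair. The `cisco_secure_firewall` macro, the field names event_type, impact, signature, src_ip and dest_ip, and the trailing `_filter` macro are assumptions and must be mapped to the fields and macros your Cisco Secure Firewall add-on and content pack actually define.

```spl
`cisco_secure_firewall` event_type="IntrusionEvent" (impact=1 OR impact=2)
| stats count AS event_count,
        dc(signature) AS distinct_signatures,
        values(signature) AS signatures,
        min(_time) AS firstTime,
        max(_time) AS lastTime
  BY src_ip dest_ip
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(firstTime) ctime(lastTime)
| sort - event_count
| `cisco_secure_firewall_high_impact_intrusion_events_filter`
```

The final `_filter` macro is the post-filtering hook: keep it empty at first, then add exclusions for source/destination pairs or signatures that investigation shows to be benign, rather than loosening the impact condition itself.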
Categories
- Network
Data Sources
- Pod
- Container
- User Account
- Windows Registry
- Script
- Image
- Web Credential
- Named Pipe
- Certificate
- WMI
- Cloud Storage
- Internet Scan
- Persona
- Group
- Application Log
- Logon Session
- Instance
- Sensor Health
- File
- Drive
- Snapshot
- Command
- Kernel
- Driver
- Volume
- Cloud Service
- Malware Repository
- Network Share
- Network Traffic
- Scheduled Job
- Firmware
- Active Directory
- Service
- Domain Name
- Process
- Firewall
- Module
ATT&CK Techniques
- T1203
- T1059
- T1587.001
Created: 2025-04-14