Cisco Secure Firewall - Blocked Connection

Splunk Security Content

Summary
This analytic detects blocked connection events in Cisco Secure Firewall Threat Defense environments by evaluating logs for the value "Block" in the action field. Blocked connection attempts can indicate malicious behavior such as unauthorized access attempts, lateral movement within the network, or data exfiltration. By focusing on blocked connections, the rule flags potentially suspicious network activity and gives insight into user behavior or application interactions that violate established network security boundaries. It concentrates on network zones that are either explicitly or implicitly blocked, monitoring these actions closely to strengthen security posture. The search uses Splunk's statistical functions to collate information about the blocked events, grouped by transaction parameters including source IP, destination, and the associated firewall rule.
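The filtering and grouping the summary describes, as an added Python example run over constructed log lines; it is not the detection's own SPL, and the key/value field names (AccessControlRuleAction, SrcIP, DstIP, DstPort, AccessControlRuleName) are assumptions modeled on Threat Defense connection-event syslog:

```python
from collections import Counter

# Constructed sample lines in a key: value syslog style modeled on Cisco Secure
# Firewall Threat Defense connection events. Field names are assumptions for
# this example, not a product specification.
SAMPLE_LOGS = [
    "%FTD-6-430003: SrcIP: 10.0.1.15, DstIP: 10.0.2.20, SrcPort: 50211, DstPort: 445, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Deny-SMB-Internal",
    "%FTD-6-430003: SrcIP: 10.0.1.15, DstIP: 10.0.2.21, SrcPort: 50212, DstPort: 445, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Deny-SMB-Internal",
    "%FTD-6-430003: SrcIP: 10.0.1.15, DstIP: 10.0.2.22, SrcPort: 50213, DstPort: 3389, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Deny-RDP-Internal",
    "%FTD-6-430003: SrcIP: 10.0.1.40, DstIP: 203.0.113.8, SrcPort: 44123, DstPort: 443, Protocol: tcp, AccessControlRuleAction: Allow, AccessControlRuleName: Web-Out",
    "%FTD-6-430003: SrcIP: 10.0.1.40, DstIP: 203.0.113.9, SrcPort: 44124, DstPort: 22, Protocol: tcp, AccessControlRuleAction: Block, AccessControlRuleName: Deny-SSH-Out",
]


def parse_event(line):
    """Turn one 'key: value, key: value' syslog line into a dict."""
    body = line.split(": ", 1)[1]  # drop the leading "%FTD-6-430003" message id
    fields = {}
    for pair in body.split(", "):
        key, _, value = pair.partition(": ")
        fields[key] = value
    return fields


def blocked_connections(lines):
    """Keep only events whose action is Block and count them per
    (source IP, destination IP, destination port, rule name), mirroring the
    statistical grouping the detection summary describes."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("AccessControlRuleAction") != "Block":
            continue  # allowed traffic is out of scope for this analytic
        key = (ev["SrcIP"], ev["DstIP"], ev["DstPort"], ev["AccessControlRuleName"])
        counts[key] += 1
    return counts


def distinct_blocked_targets(counts):
    """Roll up per source: how many distinct destinations it was blocked from.
    One source blocked against many destinations is the discovery or
    lateral-movement pattern a triage analyst would look at first."""
    targets = {}
    for src, dst, _port, _rule in counts:
        targets.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


if __name__ == "__main__":
    for key, n in blocked_connections(SAMPLE_LOGS).items():
        print(n, key)
    print(distinct_blocked_targets(blocked_connections(SAMPLE_LOGS)))
```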
Categories
  • Network
Data Sources
  • Pod
  • Container
  • User Account
  • Process
  • Network Traffic
ATT&CK Techniques
  • T1018
  • T1046
  • T1110
  • T1203
  • T1595.002
Created: 2025-04-01