Cisco Secure Firewall - Lumma Stealer Outbound Connection Attempt

Splunk Security Content

Summary
This analytic identifies outbound connection attempts associated with Lumma Stealer using intrusion events from Cisco Secure Firewall. It inspects IntrusionEvent logs from Cisco Secure Firewall Threat Defense and matches a fixed set of Snort signature IDs (64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709); any event carrying one of these IDs is treated as a potential Lumma Stealer infection. The accompanying search query is tuned to pull the relevant event fields from the firewall logs, and the rule is written to keep false positives low so that its alerts are reliable. Deployment requires configuring the rule for the specific environment within the Splunk platform and ingesting the firewall events through the Splunk Add-on for Cisco Security Cloud. The alerts it produces should be reviewed regularly as part of maintaining security posture.
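As an added illustration (not part of the Splunk Security Content rule or its SPL), the following Python applies the same signature-ID matching to constructed Cisco FTD-style intrusion-event lines and rolls the hits up per internal host for triage. The signature-ID set comes from the page; the syslog field layout, the sample events and the helper names are assumptions.

```python
import re
from collections import defaultdict

# Snort signature IDs named by the analytic.
LUMMA_SIDS = {64797, 64798, 64799, 64800, 64801, 64167, 64168, 64169, 62709}

# Constructed sample lines loosely modelled on Cisco FTD intrusion-event
# syslog ("key: value" pairs); the exact field layout is an assumption.
SAMPLE_EVENTS = """\
%FTD-1-430001: SrcIP: 10.0.0.15, DstIP: 203.0.113.7, SrcPort: 51234, DstPort: 443, Protocol: tcp, GID: 1, SID: 64797, Revision: 2, Message: "example signature A", InlineResult: Blocked
%FTD-1-430001: SrcIP: 10.0.0.15, DstIP: 203.0.113.9, SrcPort: 51240, DstPort: 443, Protocol: tcp, GID: 1, SID: 64168, Revision: 1, Message: "example signature B", InlineResult: Would Have Blocked
%FTD-1-430001: SrcIP: 10.0.0.22, DstIP: 198.51.100.4, SrcPort: 40001, DstPort: 80, Protocol: tcp, GID: 1, SID: 2100498, Revision: 7, Message: "unrelated signature", InlineResult: Blocked
%FTD-1-430001: SrcIP: 10.0.0.31, DstIP: 203.0.113.7, SrcPort: 50111, DstPort: 443, Protocol: tcp, GID: 1, SID: 64797, Revision: 2, Message: "example signature A", InlineResult: Blocked
"""

# A key followed by either a quoted value or a run of text up to the next comma.
FIELD_RE = re.compile(r'(\w+): ("[^"]*"|[^,]+)')

def parse_event(line):
    """Turn one 'key: value' syslog line into a dict, dropping the %FTD prefix."""
    body = line.partition(": ")[2] if line.startswith("%") else line
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def match_lumma_events(raw):
    """Return the parsed events whose SID is in the rule's signature set."""
    hits = []
    for line in raw.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("SID", "").isdigit() and int(ev["SID"]) in LUMMA_SIDS:
            hits.append(ev)
    return hits

def summarize_by_source(hits):
    """Per internal host: distinct destinations, SIDs seen, and whether any
    matching attempt was not blocked inline (worth prioritising for IR)."""
    out = defaultdict(lambda: {"dst": set(), "sids": set(), "passed": False})
    for ev in hits:
        host = out[ev["SrcIP"]]
        host["dst"].add(ev["DstIP"])
        host["sids"].add(int(ev["SID"]))
        if ev.get("InlineResult") != "Blocked":
            host["passed"] = True
    return dict(out)
```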
Categories
  • Network
Data Sources
  • Cloud Service
  • Network Traffic
  • Application Log
ATT&CK Techniques
  • T1041
  • T1573.002
Created: 2025-04-26