
Summary
This analytic rule detects potentially malicious file downloads observed by Cisco Secure Firewall Threat Defense. It focuses on file types commonly used to deliver malware: executables (PE and similar binary formats), scripts, archives, and test samples such as the EICAR file. The detection relies on 'FileEvent' logs, which record file download activity, and uses a lookup to enrich each event with a description of the detected file type for added context. Monitoring these downloads lets organizations spot initial infection vectors, malware staging, or abuse of scripts that could compromise their systems. Because downloads of executables, scripts, and archives are routine in IT and development workflows, the rule applies additional filtering based on the context of the download to keep false positives low.
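The following is an added example, not the rule's own search or any Cisco code: it re-implements the logic described above (file type enrichment via a lookup, alerting on executables, scripts, archives and EICAR, and an allowlist filter for IT and development hosts) over constructed FileEvent-style records. The record fields (file_type, file_name, direction, src_host), the file type codes, the lookup contents and the allowlist patterns are all assumptions made for illustration and do not reflect Cisco's actual schema.

```python
"""Added example, not part of the original detection content: the detection
logic described above re-implemented over constructed FileEvent-style
records. All field names, file type codes, lookup values and allowlist
patterns are assumptions for illustration, not Cisco's schema."""
import fnmatch
import shlex

# Assumed lookup table: file type code -> (description, category). It stands
# in for the enrichment lookup the rule uses.
FILE_TYPE_LOOKUP = {
    "MSEXE": ("Windows executable (PE)", "executable"),
    "ELF": ("Linux ELF executable", "executable"),
    "SCRIPT": ("Script file", "script"),
    "ZIP": ("ZIP archive", "archive"),
    "7Z": ("7-Zip archive", "archive"),
    "EICAR": ("EICAR test file", "test_sample"),
    "PDF": ("PDF document", "document"),
    "JPEG": ("JPEG image", "image"),
}

# Categories the rule alerts on; everything else is treated as benign here.
SUSPICIOUS_CATEGORIES = {"executable", "script", "archive", "test_sample"}

# Assumed host-name patterns where executable, script and archive downloads
# are routine (build/CI servers, IT admin workstations). Tune per environment.
DEV_IT_ALLOWLIST = ["build-*", "ci-*", "it-admin-*"]


def parse_file_event(line):
    """Parse one constructed key=value FileEvent record into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def enrich(event):
    """Attach the lookup's description and category. Unknown codes are kept
    visible as 'unknown' rather than silently dropped."""
    desc, category = FILE_TYPE_LOOKUP.get(
        event.get("file_type", ""), ("unknown", "unknown"))
    return {**event, "file_type_desc": desc, "category": category}


def is_allowlisted(host):
    """True if the downloading host matches an IT/dev allowlist pattern."""
    return any(fnmatch.fnmatch(host, pat) for pat in DEV_IT_ALLOWLIST)


def run_detection(lines):
    """Return enriched alert records for downloads of suspicious file types
    that are not covered by the IT/dev allowlist."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = enrich(parse_file_event(line))
        if ev.get("direction") != "Download":
            continue  # the rule is about downloads only
        if ev["category"] not in SUSPICIOUS_CATEGORIES:
            continue
        if is_allowlisted(ev.get("src_host", "")):
            continue  # false-positive filter for IT/dev workflows
        alerts.append(ev)
    return alerts


# Constructed sample records (not real firewall output).
SAMPLE_LOG = """\
file_type=MSEXE file_name=invoice.exe direction=Download src_host=ws-finance-07 dst_ip=203.0.113.10
file_type=EICAR file_name=eicar.com direction=Download src_host=ws-hr-03 dst_ip=198.51.100.5
file_type=MSEXE file_name=setup.exe direction=Download src_host=build-01 dst_ip=203.0.113.20
file_type=PDF file_name=report.pdf direction=Download src_host=ws-finance-07 dst_ip=203.0.113.10
file_type=ZIP file_name=tools.zip direction=Upload src_host=ws-eng-11 dst_ip=192.0.2.9
file_type=SCRIPT file_name=update.ps1 direction=Download src_host=ws-eng-11 dst_ip=192.0.2.9
"""

if __name__ == "__main__":
    for alert in run_detection(SAMPLE_LOG.splitlines()):
        print(f"ALERT {alert['src_host']} downloaded {alert['file_name']} "
              f"({alert['file_type_desc']}, category={alert['category']})")
```

Of the six constructed records, three produce alerts (the executable on a finance workstation, the EICAR sample, and the script on an engineering workstation); the executable fetched by build-01 is suppressed by the allowlist, the PDF is not a monitored type, and the archive is an upload rather than a download. The allowlist is deliberately narrow: suppressing by host pattern only, rather than by file type, keeps an executable landing on a non-IT workstation visible.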
Categories
- Network
- Endpoint
- Web
Data Sources
- File
ATT&CK Techniques
- T1203
- T1059
Created: 2025-04-03